As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s round-up of identity-related attacks, Midnight Blizzard hits Microsoft and HPE, Cactus ransomware group targets Schneider Electric, and LockBit claims attacks on EquiLend and Capital Health.

Midnight Blizzard attack on Microsoft involved password spray, lack of MFA, and privilege escalation

The attack by Midnight Blizzard (also known as Nobelium or APT29) that breached Microsoft executives’ email accounts included various tactics, including password spray brute-force attacks and residential proxies, to gain access to a non-production test tenant account that did not have MFA enabled. Once threat actors gained access to the account, which had elevated access to the company’s corporate environment, the threat actors were able to escalate their access. Midnight Blizzard also targeted Hewlett-Packard Enterprise (HPE) email accounts.

Read more

Cactus ransomware hits Schneider Electric

The Cactus ransomware gang, which uses purchased credentials and other tactics to breach networks and gain administrative privileges, claimed responsibility for a cyberattack on energy company Schneider Electronic.

Read more

LockBit claims responsibility for EquiLend breach

Ransomware group LockBit claimed an attack on global fintech company EquiLend that disrupted services just a week after the company announced its upcoming acquisition by a private equity firm.

Read more

Jason’s Deli hit by credential stuffing attacks

Threat actors compromised customers’ personal data in a credential stuffing attack against Jason’s Deli, a U.S. restaurant chain.

Read more

New authentication bypass vulnerability exposes GoAnywhere Managed File Transfer to attacks

A newly discovered flaw in GoAnywhere Managed File Transfer versions before 7.4.1 enables attackers to create a new admin user through the product’s administration portal, which could lead to device takeover.

Read more

Akira ransomware group targets Swedish company Tietoevry

The Akira ransomware group compromised accounts that weren’t protected by MFA to launch an attack that took down datacenters of Swedish company Tietoevry.

Read more

LockBit targets Capital Health in ransomware attack

LockBit ransomware group claimed an attack on Capital Health, a primary healthcare provider in New Jersey and Pennsylvania, that extracted sensitive patient medical data for extortion purposes. LockBit’s tactics include exploiting vulnerabilities in AD.

Read more

More resources

NSA Top Ten Cybersecurity Misconfigurations: An Active Directory Perspective – Semperis

Top 3 Identity-Based Attack Trends to Watch in 2024 – Semperis

What Is Active Directory Security? | Semperis AD Guides

The post Identity Attack Watch: AD Security News, January 2024 appeared first on Semperis.