As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks and provides additional resources for guarding against identity-related attacks. In this month’s round-up, attacks on  London hospitals, Australian insurance provider Medibank, and Snowflake customers point to the need to shore up operational resilience by protecting the identity system, including enforcing MFA policies.

London hospital attacks prompt calls for increased operational resilience

A wave of cyberattacks targeting London hospitals, including King’s College Hospital and Guy’s Hospital, caused major service disruptions and prompted calls for healthcare organizations to review plans for protecting critical assets, including the identity system, to ensure operational resilience.

Take action to ensure operational resilience:  Read 5 Essentials ITDR Steps CISOs Must Know for guidelines on identity-first security, automating attack response, and assuming a worst-case scenario in disaster planning.

Threat actors claim they used stolen credentials to bypass Okta and breach Snowflake

Cybersecurity firm Hudson Rock reported that threat actors claimed they breached Snowflake cloud storage accounts by using stolen credentials to bypass Okta’s secure authentication process. According to Hudson Rock, “a single credential resulted in the exfiltration of potentially hundreds of companies that stored their data using Snowflake, with the threat actor himself suggesting 400 companies are impacted.”

Take action to secure Okta: Download Purple Knight, a free AD security assessment tool that scans for 150+ security indicators for Active Directory, Entra ID, and Okta.

Unenforced MFA cited in Medibank cyberattack

Australia’s Information Commissioner released a report detailing misconfigurations and failures to enforce MFA policies that led to a cyberattack on Australian medical insurance provider Medibank. Threat actors used stolen VPN credentials to log in to the company’s internal network using only a username and password.

Take action to enforce MFA policies: Check out these guidelines from Daniel Petri, Semperis Senior Training Manager, to guard against MFA fatigue and ensure two-factor authentication for sensitive accounts, including Active Directory admin accounts.

Ascension attack traced to malicious file downloaded by employee

A malicious file downloaded by an employee in what Ascension called “an honest mistake” triggered the cyberattack claimed by Black Basta ransomware-as-a-service (RaaS) group that caused the hospital system to take services offline in May. Black Basta uses various tactics to compromise systems, including deploying QBot, which extracts Windows domain credentials and then drops malware on infected devices.

Take action to secure Active Directory against unauthorized access: Learn how to use tiered delegation and ACL management to prevent threat actors from gaining access to critical assets.

More resources

Simplify Active Directory Permissions Handling with Delegation Manager (

How to Defend Against SID History Injection | Semperis Guides

LDAP Injection Attack Defense | AD Security 101 (

The post Identity Attack Watch: AD Security News, June 2024 appeared first on Semperis.