As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks and provides additional resources for guarding against identity-related attacks. In this month’s round-up, LockBit steals London Drugs data, Live Nation confirms a Ticketmaster data breach that involved a third-party provider, and Okta warns of credential stuffing attacks.  

LockBit steals London Drugs data in ransomware attack

Ransomware group LockBit claimed an April attack on Canadian chain London Drugs and threatened to post stolen data online. LockBit uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains.

Take action against ransomware attacks: See Semperis CEO Mickey Bresman’s guidance on developing a cyber-first recovery plan for AD to avoid extortion by ransomware gangs like LockBit.

Live Nation confirms Ticketmaster data breach involving third-party vendor

Entertainment giant Live Nation reported that its subsidiary Ticketmaster suffered a data breach that involved a third-party cloud data provider thought to be Snowflake.

Take action against third-party security incidents: Semperis researchers Eric Woodruff and Tomer Nahum published original research about a new attack technique they dubbed Silver SAML. Their article that includes guidance for detecting and preventing supply-chain attacks.

Cybercriminals target Check Point remote VPN in zero-day exploit

Check Point warned customers of a zero-day exploit targeting their remote VPN service that has allowed threat actors to steal Active Directory data that enables privilege escalation. Attackers are targeting security gateways using old VPN local accounts with insecure password-only authentication. Recommended fixes include rotating passwords for LDAP connections from the gateway to AD and searching logs for anomalous behavior and suspicious logins.

Take action against privilege escalation attempts: For detailed guidance on preventing attacks that use LDAP queries to access sensitive assets, see Semperis Principal Technologist Sean Deuby’s blog Top Active Directory Hardening Strategies.

Okta reports credential stuffing attacks targeting endpoints

Identity services provider Okta warned customers of a credential stuffing attack that targeted its Customer Identity Cloud (CIC) authentication feature.

Take action against credential stuffing attacks: Learn how Semperis Lightning Identity Runtime Protection (IRP) helps guard against credential stuffing attacks including password spray.

More resources

Best Practices for Active Directory Backup

How to Defend Against SID History Injection

LDAP Injection Attack Defense

The post Identity Attack Watch: AD Security News, May 2024 appeared first on Semperis.