As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to keep up with the evolving AD-focused threat landscape. To help IT professionals understand and prevent attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s roundup of identity-related attacks, the ramifications of the Okta breach expand, attackers target a Japanese space agency’s Active Directory, and the BlackCat/ALPHV ransomware group launches repeated attacks on healthcare company Henry Schein.

Okta attack compromised customer support user data

Attackers who breached Okta’s customer support system in October obtained data on that system’s users. Okta noted that many of the exposed users were administrators, some of whom had not enabled MFA. In response, the company recommended enforcing MFA for admin access, requiring re-authentication for admin sessions that appear from new IP addresses, setting admin session timeouts, and increasing vigilance against phishing attempts.

Read more

Attackers target Japanese space agency’s Active Directory

An attack on the Japanese space agency JAXA targeted the organization’s Active Directory server, potentially exposing critical information including employee credentials.

Read more

Healthcare company Henry Schein suffers repeat attack by BlackCat/ALPHV

Large U.S.-based healthcare products and services provider Henry Schein suffered a second attack in November after the BlackCat/ALPHV ransomware group first targeted the company in October. The attack took down some of its applications and its e-commerce platform. BlackCat/ALPHV often targets Active Directory to gain a foothold in information systems before deploying its malware.

Read more

MOVEit attack claims Welltok healthcare provider, AutoZone, and state of Maine

U.S. healthcare provider Welltok reported that it was the victim of the attack on MOVEit Transfer servers launched by the Clop ransomware group, and that the breach impacted more than 8 million people. AutoZone also reported that it was the victim of the MOVEit attack, as did the state of Maine.

Read more

LockBit claims attacks on Canadian government contractors and Boeing

Ransomware group LockBit has taken responsibility for attacks on two Canadian government contractors that exposed sensitive information about government employees. LockBit uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD Group Policy to push its encryptor to devices across Windows domains. Aircraft manufacturer Boeing also reported that it was the victim of a LockBit attack.

Read more
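The Group Policy abuse mentioned in the LockBit item above works because a single modified GPO linked at the domain root can deliver a payload to every joined machine at the next policy refresh. The following PowerShell is an added example, not code from the Semperis post or from Semperis tooling; it lists GPOs modified within a lookback window, pulls each one’s XML report, and flags mechanisms commonly used for mass deployment (immediate scheduled tasks, startup/logon scripts, software installation, launcher binaries). It assumes the RSAT GroupPolicy module and read access to GPOs in the current domain; the pattern strings and the `GPO.LinksTo.SOMPath` path into the report are assumptions based on the GPO report schema and should be checked against a known-good report in your environment.

```powershell
# Added example: triage recently modified GPOs for ransomware-style payload delivery.
# Assumes the RSAT GroupPolicy module is installed and the caller can read all GPOs.
Import-Module GroupPolicy

$LookbackHours = 24

# Substrings in the Get-GPOReport XML that warrant a closer look. Element names
# are an assumption based on the GPO report schema; validate against your own reports.
$SuspiciousPatterns = @(
    'ImmediateTask',          # GPP scheduled task that fires as soon as policy refreshes
    '<Startup>',              # computer startup scripts
    '<Logon>',                # user logon scripts
    'SoftwareInstallation',   # MSI deployment through GPO
    'powershell', 'cmd.exe', 'rundll32', 'regsvr32'   # launcher binaries inside task/script actions
)

$Since = (Get-Date).AddHours(-$LookbackHours)

$Findings = foreach ($gpo in Get-GPO -All | Where-Object { $_.ModificationTime -ge $Since }) {
    # Get-GPOReport returns the report as a string; cast it to [xml] for inspection.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $text = $report.OuterXml

    $hits = $SuspiciousPatterns | Where-Object { $text -match [regex]::Escape($_) }

    # Where the GPO is linked tells you the blast radius: a link at the domain root
    # reaches every computer or user object in the domain.
    $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) | Where-Object { $_ }

    [pscustomobject]@{
        Name       = $gpo.DisplayName
        Id         = $gpo.Id
        Modified   = $gpo.ModificationTime
        Owner      = $gpo.Owner
        LinkedTo   = ($links -join '; ')
        Indicators = ($hits -join ', ')
    }
}

# Everything changed in the window, newest first, so unexpected edits stand out
# even when they carry none of the listed indicators.
$Findings | Sort-Object Modified -Descending | Format-Table -AutoSize

# Keep only GPOs with indicators for ticket comparison or SIEM ingestion.
$Findings | Where-Object { $_.Indicators } |
    Export-Csv -NoTypeInformation -Path .\gpo-findings.csv
```

Run this from a management host on a schedule and compare the output against approved change records: a legitimate software push will match too, so the value is in the diff between what changed and what was authorized. For real-time coverage, pair it with Directory Service Changes auditing (Event ID 5136 on domain controllers) so that a write to a `groupPolicyContainer` object alerts immediately rather than at the next poll.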

Black Basta group behind attack on Toronto Public Library

Ransomware group Black Basta, whose tactics include targeting organizations’ Active Directory, claimed responsibility for an attack on the Toronto Public Library that compromised personal information of employees, customers, volunteers, and donors.

Read more

More resources

Protecting Active Directory from Kerberoasting – Semperis

Active Directory Security Best Practices – Semperis

AD Monitoring: AD Security 101 – Semperis

The post Identity Attack Watch: AD Security News, November 2023 appeared first on Semperis.