As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s round-up of identity-related attacks, Microsoft warns of the Octo Tempest threat actor, new Rorschach (aka BabLock) ransomware hits a Chilean telecom company, and ALPHV/BlackCat makes multiple strikes.

Microsoft warns about Octo Tempest threat actor

Microsoft released a detailed profile of threat actor Octo Tempest, which partners with the ALPHV/BlackCat ransomware group to unleash data extortion and ransomware attacks against organizations providing telecommunications, email, and tech services. Microsoft recommends monitoring and reviewing identity-related processes, among other guidelines.

Read more

Lazarus group repeatedly targets software vendor and TeamCity servers

North Korean cybercriminal group Lazarus repeatedly targeted a software vendor to deploy SIGNBT malware and claimed responsibility for an attack on TeamCity, which makes continuous integration and deployment servers. Lazarus’ methods include compromising Active Directory to obtain lists of admin accounts.

Read more

Chilean telecom hit by new Rorschach ransomware that targets domain controllers

Grupo GTD, a Chilean telecom that offers services throughout Latin America, was targeted by new ransomware called Rorschach (aka BabLock), which is deployed through a DLL side-loading technique. When executed on a Windows domain, the ransomware creates a Group Policy to propagate malware to other hosts.

Read more

ALPHV/BlackCat breaches Seiko, Florida circuit court, and MotelOne

ALPHV/BlackCat ransomware group claimed attacks on watchmaker Seiko, the Florida circuit court, and low-budget hotel chain MotelOne. ALPHV/BlackCat routinely targets Active Directory to gain entry into information systems before dropping malware.

Read more

Password management platform 1Password targeted in Okta breach

Cyberattackers gained access to the Okta ID management tenant of 1Password, a password management platform, although the company claimed that it terminated the malicious activity and found no evidence of data compromise. (For information about how to mitigate Okta vulnerabilities, check out Using Purple Knight to Detect the Okta Super Admin Attack – Semperis.)

Read more

Sony falls victim to MOVEit attack

Entertainment giant Sony disclosed that employee information was exposed in the attacks on the MOVEit Transfer platform conducted by Clop ransomware group, which uses methods including compromising victims’ Active Directory (AD) servers and dropping malware.

Read more

More resources

Active Directory Security Best Practices (Checklist) – Semperis

Active Directory Security: Top Risks & Best Practices – Semperis

Using Purple Knight to Detect the Okta Super Admin Attack – Semperis

The post Identity Attack Watch: AD Security News, October 2023 appeared first on Semperis.