As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s round-up of identity-related attacks, an identity-related attack targets Johnson Controls, the MOVEit breach claims more victims in Canada and the U.S., and the Royal ransomware group claims the City of Dallas breach.

Johnson Controls devices encrypted in ransomware attack

Automation company Johnson Controls reported large-scale IT outages after a ransomware attack encrypted devices across the organization. A threat researcher uncovered a ransomware note claiming that the attackers used a VMware ESXi encryptor developed by Dark Angels, a ransomware group that uses various tactics to breach networks and move laterally to gain control of Windows domain controllers.

Read more

MOVEit breach claims victims in Canada and US

The MOVEit data theft attacks by Clop ransomware group claimed several victims in Canada and the US, including the Hospital for Sick Children, the BORN Ontario child registry, and National Student Clearinghouse in the US.  Clop’s attack methods include targeting the victim’s entire network by compromising the Active Directory (AD) server and dropping malware.

Read more

Royal ransomware group claims City of Dallas breach

An attack on the City of Dallas in May that shut down IT systems was claimed by the Royal ransomware group, which stole a domain service account that the attackers then used to exfiltrate files and drop Cobalt Strike payloads.

Read more

BlackCat/ALPHV targets casino group

BlackCat/ALPHV ransomware group claimed an attack on MGM that disrupted operations. The BlackCat/ALPHV, which routinely targets Active Directory to gain entry into information systems before dropping malware, also uses the Sphynx encryptor to target Azure cloud storage accounts.

Read more

Iranian APT33 attackers hit defense orgs in password spray attacks targeting Entra ID (Azure AD)

Microsoft reported that the Iranian APT33 cybercriminal group used password spray tactics to gain access to Entra ID (Azure AD) credentials in widespread breaches against global defense organizations.

Read more

More resources

Using Purple Knight to Detect the Okta Super Admin Attack – Semperis

Active Directory Security: Top Risks & Best Practices – Semperis

Protecting Active Directory from Kerberoasting – Semperis

The post Identity Attack Watch: AD Security News, September 2023 appeared first on Semperis.