Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights new attacks by several established threat groups: Vice Society continues its campaign against public-sector entities including schools and firefighting services, Sandworm deploys several forms of data-wiping malware against Ukrainian targets, and LockBit hits Royal Mail and the rail and locomotive manufacturer Wabtec.
Data-wiping malware SwiftSlicer attributed to Sandworm hits Ukraine target
SwiftSlicer, a new data-wiping malware that overwrites crucial files used by the Windows OS, was used in an attack against Ukraine attributed to Sandworm, a cybercrime group working for the Russian government. The Sandworm group used Active Directory Group Policy to launch SwiftSlicer.
Sandworm attacks Ukrainian news agency with data wipers
Sandworm used five types of wiperware in an attempt to take down data systems at Ukrinform, Ukraine’s national news agency. The malware included CaddyWiper, ZeroWipe, and SDelete, all of which target the Windows OS. The attackers used Active Directory Group Policy to launch the CaddyWiper malware. Although the attack destroyed files on some data storage systems, it failed to disrupt Ukrinform’s operations.
Vice Society continues AD-related attacks on global public-sector organizations
Ransomware gang Vice Society continued its campaign against schools and universities with an attack on the University of Duisburg-Essen in Germany that disrupted IT operations and exposed personal details about students and personnel. Vice Society also claimed responsibility for an attack on Australia’s Fire Rescue Victoria that affected internal services and compromised employee data. Vice Society, which uses ransomware including BlackCat to compromise Active Directory and gain control of the victim organization’s network environment, is also responsible for the summer 2022 attack on the Los Angeles Unified School District, the second-largest school district in the U.S.
LockBit ransomware gang linked to attacks on Royal Mail and rail and locomotive manufacturer Wabtec
A LockBit ransomware encryptor was used in an attack on Royal Mail, the UK’s largest mail delivery service, that disrupted international export services. LockBit also targeted U.S. locomotive and rail manufacturer Wabtec in an attack that leaked personal and sensitive information after Wabtec refused to pay the ransom. The LockBit group uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains.
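The Sandworm and LockBit entries above both describe Group Policy being used to push malware across a domain. As an added example (not from the Semperis post), the Python below flags the directory-change audit events (Windows Security event 5136) that such GPO edits leave behind; the event records, account names, GUIDs and the allowlist of approved GPO editors are constructed for illustration.

```python
"""Flag suspicious Group Policy changes in Windows Security event 5136 records.

Added example, not from the Semperis post. Event 5136 ('A directory service object
was modified') is emitted when 'Audit Directory Service Changes' is enabled and the
Policies container carries a SACL. Names, GUIDs and DNs below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample events; field names follow the 5136 EventData schema.
EVENTS = [
    {"time": "2023-01-25T03:10:02", "SubjectUserName": "gpo-admin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={GPO-A},CN=Policies,CN=System,DC=corp,DC=example", "AttributeLDAPDisplayName": "versionNumber"},
    {"time": "2023-01-25T03:20:00", "SubjectUserName": "gpo-admin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={GPO-A},CN=Policies,CN=System,DC=corp,DC=example", "AttributeLDAPDisplayName": "description"},
    {"time": "2023-01-25T03:40:11", "SubjectUserName": "svc-backup", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={GPO-B},CN=Policies,CN=System,DC=corp,DC=example", "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"time": "2023-01-25T03:41:05", "SubjectUserName": "svc-backup", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={GPO-B},CN=Policies,CN=System,DC=corp,DC=example", "AttributeLDAPDisplayName": "versionNumber"},
    {"time": "2023-01-25T03:43:30", "SubjectUserName": "svc-backup", "ObjectClass": "organizationalUnit",
     "ObjectDN": "OU=Workstations,DC=corp,DC=example", "AttributeLDAPDisplayName": "gPLink"},
    {"time": "2023-01-25T03:45:00", "SubjectUserName": "svc-backup", "ObjectClass": "domainDNS",
     "ObjectDN": "DC=corp,DC=example", "AttributeLDAPDisplayName": "gPLink"},
]
# Assumed allowlist of accounts expected to edit GPOs, and the attributes that change what a GPO does or where it applies.
APPROVED_GPO_EDITORS = {"gpo-admin"}
WATCHED_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames", "gPCFileSysPath", "versionNumber", "gPLink"}
GPO_CLASSES = {"groupPolicyContainer", "organizationalUnit", "domainDNS"}

def flag_gpo_changes(events, approved=APPROVED_GPO_EDITORS, window=timedelta(minutes=10), threshold=3):
    """Return (reason, actor, detail) tuples for GPO edits by unapproved accounts and for bursts
    in which one actor touches >= threshold distinct GPO or link objects inside one time window."""
    relevant = sorted((e for e in events if e["ObjectClass"] in GPO_CLASSES
                       and e["AttributeLDAPDisplayName"] in WATCHED_ATTRS), key=lambda e: e["time"])
    findings = [("unapproved_editor", e["SubjectUserName"], e["ObjectDN"])
                for e in relevant if e["SubjectUserName"] not in approved]
    by_actor = {}
    for e in relevant:
        by_actor.setdefault(e["SubjectUserName"], []).append(e)
    for actor, evs in by_actor.items():
        stamps = [datetime.fromisoformat(e["time"]) for e in evs]
        for i, start in enumerate(stamps):  # sliding window anchored at each event
            touched = {e["ObjectDN"] for e, t in zip(evs[i:], stamps[i:]) if t - start <= window}
            if len(touched) >= threshold:
                findings.append(("burst", actor, f"{len(touched)} objects in {window}"))
                break
    return findings

if __name__ == "__main__":
    for reason, actor, detail in flag_gpo_changes(EVENTS):
        print(f"{reason:18} {actor:12} {detail}")
```

In a real deployment the records would come from the Security log of each domain controller or from a SIEM; a GPO edit or a new gPLink by an unexpected account, or several in a few minutes, is the moment to check what the GPO now deploys before the next policy refresh applies it.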