Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights Ukraine ransomware attacks linked to the Russian Sandworm group, LockBit group attacks on Virginia county and German automotive group Continental, and Vice Society strikes on Cincinnati College, one in a string of the group’s attacks on educational institutions.
Ukraine ransomware attacks linked to Russian Sandworm group
Recent attacks on Ukraine have been linked to Russian cybercriminal group Sandworm, which uses RansomBoggs—.NET ransomware distributed from domain controllers—to encrypt files. The Sandworm group, which has been active since the 1990s, is suspected of developing the NotPetya ransomware that targeted Maersk shipping company, among other organizations, in 2017.
LockBit gang claims attacks on Virginia county and Continental automotive group
Ransomware group LockBit 3.0 claimed responsibility for cyberattacks on Southampton County, Virginia, that compromised personal data, including driver’s license numbers and Social Security numbers. LockBit also claimed an attack on German automotive group Continental.
Vice Society group claims Cincinnati College attack
Vice Society ransomware group claimed responsibility for a ransomware attack on Cincinnati College that took down the college’s on-campus networks, including email, internet access, and classroom computers. Vice Society, which has targeted educational institutions from K-12 to universities, uses ransomware including BlackCat to compromise Active Directory and gain control of the victim organization’s network environment.
Black Basta ransomware group targets Canadian food retailer Sobeys
Canadian food retail giant Sobeys suffered a ransomware attack, claimed by the Black Basta ransomware group, that caused company-wide IT problems. Although stores remained open, in-store services, including prescription fulfillment, were delayed. Black Basta uses various tactics to compromise systems, including deploying QBot, which extracts Windows domain credentials and then drops malware on infected devices.