Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.

This month, the Semperis Research Team highlights Microsoft’s warnings about the novel Prestige ransomware campaign, more Hive activity, and new Exchange Server zero-day attacks.

Microsoft warns about Prestige ransomware

The Microsoft Threat Intelligence Center (MSTIC) warned about a novel ransomware campaign against transportation and logistics organizations in Ukraine and Poland. The attackers leverage access to highly privileged credentials, such as domain admin, to propagate malware through tactics including copying the ransomware payload to an Active Directory domain controller and deploying through the Default Domain Group Policy Object.

Read more

Hive ransomware group hits Indian energy company Tata Power

The Hive ransomware group claimed responsibility for a cyberattack on Indian energy company Tata Power that compromised IT systems and leaked stolen employee data. Among other tactics, Hive, which also claimed responsibility for the recent attack on the Costa Rican government, uses remote admin software to infiltrate systems and establish persistence, then deploys tools such as ADRecon to map the AD environment.

Read more

Microsoft warns about new Exchange Server zero-day attacks

Attackers are using new zero-day exploits to compromise networks and steal data by gaining access to internal services and executing remote code. The vulnerabilities allow attackers “hands-on-keyboard access,” which they use to perform Active Directory reconnaissance.

Read more

LockBit ransomware group targets UK car dealer Pendragon

The LockBit ransomware gang breached Pendragon Group, which owns 200 car dealerships in the UK, allegedly stealing some data but failing to extract ransom from Pendragon. The LockBit group uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains.
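Both the Prestige and LockBit items above describe the same tactic: once an attacker holds domain-admin-level credentials, a GPO (in the Prestige case, the Default Domain Policy itself) becomes the distribution channel for the payload. The script below is an added defensive example, not code from the Semperis post or from Microsoft; it audits a domain for recent changes to GPO objects, recently written files under each GPO's SYSVOL folder, and (optionally) the matching directory-service change events on a domain controller. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the caller can read GPOs and SYSVOL, and that "Audit Directory Service Changes" is enabled if the Event ID 5136 correlation is used. The `$LookbackDays` default and the output field names are this example's own choices.

```powershell
<#
  Added defensive example (not from the Semperis post). Looks for the GPO
  abuse pattern described above: changes to the built-in Default Domain
  Policy, files dropped into a GPO's SYSVOL folder, and GPO-container
  modifications recorded by AD change auditing.
  Assumes RSAT GroupPolicy + ActiveDirectory modules and read access to
  GPOs and SYSVOL. Run from a domain-joined host.
#>
[CmdletBinding()]
param(
    [int]$LookbackDays = 7,     # constructed default; align with your change window
    [string]$DomainController   # optional: DC whose Security log is checked for 5136
)

Import-Module GroupPolicy -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$domain = (Get-ADDomain).DNSRoot
$since  = (Get-Date).AddDays(-$LookbackDays)

# Well-known GUIDs of the two GPOs every domain is created with.
$builtin = @{
    '31b2f340-016d-11d2-945f-00c04fb984f9' = 'Default Domain Policy'
    '6ac1786c-016f-11d2-945f-00c04fb984f9' = 'Default Domain Controllers Policy'
}

$findings = @(foreach ($gpo in Get-GPO -All -Domain $domain) {
    $id        = $gpo.Id.Guid.ToLower()
    $isBuiltin = $builtin.ContainsKey($id)

    # 1. The GPO object itself changed recently. For the built-in policies
    #    this is rare in a healthy environment and deserves a look.
    if ($gpo.ModificationTime -ge $since) {
        [pscustomobject]@{
            Finding = 'GPO modified'
            Gpo     = $gpo.DisplayName
            BuiltIn = $isBuiltin
            When    = $gpo.ModificationTime
            Detail  = "Owner: $($gpo.Owner)"
        }
    }

    # 2. Files written under the GPO's SYSVOL folder. A payload delivered by
    #    GPO (startup script, scheduled-task XML, software installation)
    #    has to live here or be referenced from here.
    $sysvol = "\\$domain\SYSVOL\$domain\Policies\{$id}"
    Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'SYSVOL file written'
                Gpo     = $gpo.DisplayName
                BuiltIn = $isBuiltin
                When    = $_.LastWriteTime
                Detail  = $_.FullName
            }
        }
})

# 3. Optional: correlate with AD change auditing on a DC. Event ID 5136
#    ("A directory service object was modified") carries the object class;
#    a GPO's directory object has class groupPolicyContainer.
if ($DomainController) {
    $findings += @(Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
            LogName = 'Security'; Id = 5136; StartTime = $since
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d['ObjectClass'] -eq 'groupPolicyContainer') {
                [pscustomobject]@{
                    Finding = 'GPO container modified (Event 5136)'
                    Gpo     = $d['ObjectDN']
                    BuiltIn = [bool]($builtin.Keys | Where-Object { $d['ObjectDN'] -match $_ })
                    When    = $_.TimeCreated
                    Detail  = "$($d['SubjectUserName']) changed $($d['AttributeLDAPDisplayName'])"
                }
            }
        })
}

$findings | Sort-Object When -Descending | Format-Table -AutoSize
```

Run it on a schedule with a short lookback window and alert on any row where `BuiltIn` is true; in most environments the Default Domain Policy and Default Domain Controllers Policy change only during planned work, so a modification or a new file under their SYSVOL folders outside a change window is worth an immediate look. The SYSVOL check also catches payloads staged for a newly created GPO before it is linked, which the modification-time check alone would miss.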

Read more

More resources

Why DC Snapshots Are No Substitute for Active Directory Backups | Semperis
Preventing a SYSVOL Horror Story | Semperis
The Growing Threat of Ransomware as a Service | Semperis

The post Identity Attack Watch: October 2022 appeared first on Semperis.