Semperis Identity Attack Watch: January 2021

Cyberattacks targeting Active Directory are on the upswingputting pressure on AD, identity, and security teams to monitor the constantly shifting AD threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.  

This monththe Semperis Research Team highlights an exploit that targeted the “AD of SAP,” ghost attacks that involved AD, and an AD-related attack by the REvil ransomware group.

Hackers exploit the “Active Directory of SAP 

Hackers posted an exploit on GitHub that targeted a security vulnerability in software from SAP, a global leader in ERP systems for enterprises. The vulnerability being exploited is a critical one in the SolMan” administrative applicationmeaning it is the “Active Directory of SAP. Successful exploitation lets attackers gain complete access to the targets ERP as well as pivot into the enterprise through connectivity to other systems, such as Active Directory. 

Read more 

Ghost attacks target Active Directory 

Research firm Sophos reported that recent ghost attacks targeted Active Directory to compromise companies’ systems. In one incident, attackers created a new user account and added it to the targeted organization‘s AD domain admin group. The cybercriminals were then able to use the new domain admin account to delete about 150 virtual servers and encrypt the server backups—undetected 

In a second, unrelated incident, the Netfilim ransomware group locked more than 100 systems at a target organization by gaining entry to an unmonitored admin account in AD belonging to a deceased employee.  

Read more 

Dairy Farm suffers REvil ransomware attack 

Active Directory continues to be a popular point of compromise and access for the ransomware group REvil, which recently compromised Dairy Farm Group’s network and encrypted devices, demanding an alleged $30 million ransom. In this instance, REvil used a screenshot of Dairy Farm’s compromised AD as proof of a broader control over the company’s network and critical assets. 

Read more 

More Resources 

Want to strengthen defenses of your Active Directory against cyberattacks? Check out our latest resources.  

The post Semperis Identity Attack Watch: January 2021 appeared first on Semperis.

*** This is a Security Bloggers Network syndicated blog from Semperis authored by Semperis Research Team. Read the original post at: