In December 2021 the world saw the emergence of an apparently new and highly advanced ransomware operation called ALPHV, also known as BlackCat, which is now reported to be responsible for a cyberattack on two oil companies in the EMEA region.
Commenting on this latest development, the chief security advocate at Attivo Networks, Carolyn Crandall, said: “The ALPHV BlackCat ransomware is extremely sophisticated because it is human-operated and command-line driven, which makes it hard for traditional detection tools to accurately alert on these incursions. BlackCat is known to use a variety of encryption modes, moves laterally, and gains administrative privileges to spread between computers, encrypt other devices, and wipe out information to prevent recovery. This group is also known to steal data before encrypting devices and publishing it on data leak sites for triple extortion.
Compromising Active Directory has become the default attack vector for ransomware attacks and was undoubtedly leveraged by this ransomware to gain the domain control they needed. Active Directory is the most commonly used identity platform by businesses and, if compromised, gives attackers the complete control they seek to escalate privileges, disable security tools, move laterally in the organization, and steal valuable data. Protection of Active Directory is a security gap that is not currently addressed by EDR solutions or identity access management solutions focused on providing access instead of denying it. To truly protect Active Directory, organizations need to employ a multipronged approach which includes hardening, detecting reconnaissance, and preventing domain compromise. Newer Identity Detection and Response (IDR) tools have become must-have security stack staples for delivering visibility and detection for credential theft and misuse and attempts to enumerate Active Directory.
An attack on Active Directory works by attackers discovering privileged accounts and then stealing credentials like passwords, hashes, and Kerberos tickets, or by performing brute-force attacks like password spraying. Once an attacker compromises higher privileges or finds a vulnerability in Active Directory, they use techniques like Golden Ticket attacks, Silver Ticket attacks, and Domain Replication to take over the AD. Once this is in action, attackers can easily compromise the systems it manages, install backdoors, change security policies, and rapidly deploy the ransomware.”
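Two of the attack steps named in the quote above, password spraying and abuse of domain replication (the DCSync technique), leave traces in the Windows Security log that are straightforward to alert on. The following is an added example written for this page; it is not code from the article, from Attivo Networks, or from the quoted speaker. It runs two detection rules over a small constructed event set: failed logons (event 4625) from one source against many distinct accounts in a short window, and object-access events (event 4662) whose Properties field carries a directory-replication extended right exercised by an account that is not expected to replicate. The replication-right GUIDs are the well-known Active Directory values; the account names, source addresses and timestamps are invented for the sample.

```python
"""Detection rules for password spraying and DCSync-style replication abuse.

Input is a list of constructed Windows Security events reduced to the fields
the rules need: 4625 = failed logon (source address, target user),
4662 = operation on an AD object (subject account, Properties GUIDs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known AD extended-right GUIDs that permit pulling replication data.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Accounts that legitimately replicate: domain controller computer accounts
# plus directory-sync service accounts. Names here are hypothetical.
EXPECTED_REPLICATORS = {"dc01$", "msol_a1b2c3d4"}

# Constructed sample log, not real telemetry.
SAMPLE_EVENTS = [
    # One source fails once against six different accounts in two minutes.
    {"id": 4625, "time": "2022-02-07T09:00:01", "src": "10.0.0.23", "user": "alice"},
    {"id": 4625, "time": "2022-02-07T09:00:14", "src": "10.0.0.23", "user": "bob"},
    {"id": 4625, "time": "2022-02-07T09:00:27", "src": "10.0.0.23", "user": "carol"},
    {"id": 4625, "time": "2022-02-07T09:00:41", "src": "10.0.0.23", "user": "dave"},
    {"id": 4625, "time": "2022-02-07T09:01:03", "src": "10.0.0.23", "user": "erin"},
    {"id": 4625, "time": "2022-02-07T09:01:55", "src": "10.0.0.23", "user": "frank"},
    # A user mistyping their own password three times: not a spray.
    {"id": 4625, "time": "2022-02-07T09:02:10", "src": "10.0.0.50", "user": "gina"},
    {"id": 4625, "time": "2022-02-07T09:02:20", "src": "10.0.0.50", "user": "gina"},
    {"id": 4625, "time": "2022-02-07T09:02:31", "src": "10.0.0.50", "user": "gina"},
    # Replication rights exercised by a domain controller: expected.
    {"id": 4662, "time": "2022-02-07T09:05:00", "subject": "CORP\\DC01$",
     "props": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
               "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    # Same right exercised by an ordinary user account: DCSync.
    {"id": 4662, "time": "2022-02-07T09:06:12", "subject": "CORP\\jdoe",
     "props": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    # Ordinary user touching an object with an unrelated (placeholder) GUID: noise.
    {"id": 4662, "time": "2022-02-07T09:06:30", "subject": "CORP\\jdoe",
     "props": ["{00000000-0000-0000-0000-000000000000}"]},
    # Directory-sync service account replicating: expected if allowlisted.
    {"id": 4662, "time": "2022-02-07T09:07:00", "subject": "CORP\\MSOL_a1b2c3d4",
     "props": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
]


def detect_password_spray(events, window_seconds=600, min_accounts=5):
    """One finding per source that failed logons against at least
    min_accounts distinct accounts inside any window_seconds-long span."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append((datetime.fromisoformat(e["time"]),
                                     e["user"].lower()))
    findings = []
    for src, attempts in by_src.items():
        attempts.sort()
        start, best = 0, set()
        for end in range(len(attempts)):
            # Slide the window start forward until it spans <= window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            findings.append({"src": src, "accounts": sorted(best)})
    return findings


def detect_dcsync(events, allowlist=frozenset()):
    """Subjects that exercised a replication right without being allowlisted.
    A '$' suffix alone is deliberately not treated as safe: a compromised
    member-server computer account can run DCSync just as well."""
    findings = []
    for e in events:
        if e["id"] != 4662:
            continue
        rights = {p.strip("{}").lower() for p in e["props"]}
        if not rights & REPLICATION_RIGHTS:
            continue
        account = e["subject"].split("\\", 1)[-1].lower()
        if account in allowlist:
            continue
        findings.append(e["subject"])
    return findings


if __name__ == "__main__":
    print("spray:", detect_password_spray(SAMPLE_EVENTS))
    print("dcsync:", detect_dcsync(SAMPLE_EVENTS, EXPECTED_REPLICATORS))
```

Both rules need the same two caveats in production: 4662 is only generated when the domain's SACL audits the directory objects in question, so confirm the event actually appears on your controllers before trusting its absence, and the replication allowlist must be maintained from the real list of domain controllers and sync accounts rather than inferred from a naming convention.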