Have you ever heard of lateral movement? If not, it’s important to understand this concept and how it can impact your IT security. Lateral movement occurs when an attacker has compromised one device or system in a network and uses that compromise as a springboard to reach other devices or systems. For example, the MERCURY threat actor recently used lateral movement to spread ransomware throughout a target network.
The MERCURY attack started with the exploitation of the Log4j vulnerability, followed by establishing persistence and then slow lateral movement throughout the network. The attacker used Group Policy Objects (GPOs) to interfere with security tools and then to distribute ransomware via the NETLOGON shares on Active Directory domain controllers. Once they were solidly established in the network, they followed two related plans of attack: one against on-premises resources and one against Azure.
Although Microsoft didn’t say so, it’s hard to escape the conclusion that there was no anti-malware scanning deployed inside the network, and that controls on GPOs (including auditing and monitoring) were relatively weak. To protect against similar attacks, it’s important to ensure that you have adequate protection for your domain controllers and GPOs, audit which accounts have global admin permission in your Microsoft 365 estate, and apply MFA to all privileged accounts. Monitoring for unusual activity on the Azure AD connector and AD DS connector accounts can also help protect your network.
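One way to put the GPO auditing recommendation above into practice is to watch the domain controller Security log for modifications to Group Policy container objects and flag any change made by an account that is not an expected GPO editor. The script below is an added example written for this post, not code from Microsoft or from the MERCURY report; it assumes that "Audit Directory Service Changes" is enabled with a SACL on the Group Policy container (so that event 5136 is generated), that it is run on a domain controller with administrative rights, and that the `$ExpectedGpoEditors` list is replaced with the accounts that legitimately edit GPOs in your environment.

```powershell
# Added example (not from the original post): list GPO modifications recorded in the
# Security log and highlight ones made by accounts outside an expected-editor list.
# Assumptions: run on a domain controller as an administrator, with
# "Audit Directory Service Changes" enabled and a SACL on the Group Policy container.

# Placeholder accounts; replace with the identities that legitimately edit GPOs.
$ExpectedGpoEditors = @('CONTOSO\gpo-admin', 'CONTOSO\svc-config')
$Since = (Get-Date).AddDays(-7)

# Event ID 5136 = "A directory service object was modified"
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136
    StartTime = $Since
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

    # Only changes to Group Policy container objects are of interest here
    if ($data['ObjectClass'] -ne 'groupPolicyContainer') { continue }

    $actor = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Actor      = $actor
        GpoDN      = $data['ObjectDN']
        Attribute  = $data['AttributeLDAPDisplayName']
        Value      = $data['AttributeValue']
        Unexpected = ($ExpectedGpoEditors -notcontains $actor)
    }
}

# Unexpected editors first; review every hit, especially changes to gPCFileSysPath
# (where the policy's files live, e.g. under SYSVOL/NETLOGON) and versionNumber.
$findings | Sort-Object Unexpected -Descending, Time | Format-Table -AutoSize
```

Run this on a schedule and forward the unexpected rows to your SIEM; a GPO edit by an account that is not on the list, or a burst of edits shortly after a new privileged logon, is the kind of signal that would have surfaced the GPO tampering described in the attack above before it spread to the NETLOGON shares.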
At Aura Advanced Technologies, we offer top-notch IT services and solutions to help secure your IT environment. Don’t wait until it’s too late to protect your organization from lateral movement attacks. Contact us today to learn more about our IT services and solutions and how we can help safeguard your network.