Microsoft on Wednesday said that a user containment feature in Microsoft Defender for Endpoint helped thwart a “large-scale remote encryption attempt” made by Akira ransomware actors targeting an unknown industrial organization in early June 2023.
The tech giant’s threat intelligence team is tracking the operator as Storm-1567.
The attack leveraged devices that were not onboarded to Microsoft Defender for Endpoint as a defense evasion tactic, while also conducting a series of reconnaissance and lateral movement activities prior to encrypting the devices using a compromised user account.
But the new automatic attack disruption capability meant that the breached accounts are prevented from “accessing endpoints and other resources in the network, limiting attackers’ ability to move laterally regardless of the account’s Active Directory state or privilege level.”
In other words, the idea is to cut off all inbound and outbound communication and prohibit human-operated attacks from accessing other devices in the network.
Redmond also said its enterprise endpoint security platform disrupted lateral movement attempts against a medical research lab in August 2023, in which the adversary reset the password for a default domain administrator account for follow-on actions.
“Highly privileged user accounts are arguably the most important assets for attackers,” Microsoft said. “Compromised domain admin-level accounts in environments that use traditional solutions provide attackers with access to Active Directory and could subvert traditional security mechanisms.”
“Identifying and containing these compromised user accounts, therefore, prevents attacks from progressing, even if attackers gain initial access.”