U.S. State Government Network Breached via Former Employee’s Account

Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory stating that a state government organization had fallen victim to a cyberattack. According to the advisory, the organization's network environment was compromised via an administrator account that belonged to a former employee. The threat actor successfully authenticated to an internal virtual private network (VPN) access point, which allowed them to connect to a virtual machine through the victim's VPN. The attackers aimed to blend in with legitimate traffic to avoid detection.

It is suspected that the threat actor obtained the credentials following a separate data breach: the credentials appeared in publicly available channels containing leaked account information. The admin account, which had access to a virtualized SharePoint server, enabled the attackers to access a second set of credentials stored on that server. These credentials had administrative privileges to both the on-premises network and Azure Active Directory (now called Microsoft Entra ID).

This further allowed the attackers to explore the victim's on-premises environment and execute various Lightweight Directory Access Protocol (LDAP) queries against a domain controller. It is still unknown who is behind the attack. However, it is worth noting that neither of the two accounts had multi-factor authentication (MFA) enabled. This underscores the need to secure privileged accounts that grant access to critical systems. It is also recommended to implement the principle of least privilege and to create separate administrator accounts so that access to on-premises and cloud environments is segmented.

A deeper investigation into the incident revealed no evidence that the adversaries moved laterally from the on-premises environment to the Azure cloud infrastructure. However, the attackers ultimately accessed host and user information and posted it on the dark web for possible financial gain. This prompted the organization to reset passwords for all users, disable the former employee's administrator account, and remove the elevated privileges from the second account.

The incident serves as a reminder that threat actors often leverage valid accounts, including those belonging to former employees whose accounts were never properly removed from Active Directory (AD), to gain unauthorized access to organizations. The advisory further stated that unnecessary accounts, software, and services in the network create additional vectors for a threat actor to compromise. By default, in Azure AD, all users can register and manage all aspects of the applications they build. These default settings can enable a threat actor to access sensitive information and move laterally in the network. In addition, a user who creates an Azure AD tenant automatically becomes the Global Administrator for that tenant, which could allow a threat actor to escalate privileges and execute malicious actions.
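As an added example (not code from the advisory or the article), the following PowerShell audit checks for the two weaknesses described above: enabled privileged on-premises accounts that nobody has used recently, such as a former employee's admin account, and the Entra ID tenant defaults that let any user register applications or create tenants. The 90-day threshold, the group list, and the use of the ActiveDirectory and Microsoft.Graph modules are assumptions.

```powershell
# Added example, not the advisory's or the article's own code.
# Assumes the ActiveDirectory and Microsoft.Graph.Identity.SignIns modules are installed
# and that the session has AD admin rights plus the Policy.ReadWrite.Authorization scope.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Identity.SignIns

$StaleDays        = 90                                                   # assumed threshold
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumed list
$Cutoff           = (Get-Date).AddDays(-$StaleDays)

# 1. On-premises AD: enabled members of privileged groups with no logon since $Cutoff.
#    A former employee's admin account that was never disabled shows up in this list.
$Stale = foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, Enabled |
        Where-Object { $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) } |
        Select-Object SamAccountName, LastLogonDate, @{ n = 'Group'; e = { $Group } }
}
$Stale | Sort-Object SamAccountName -Unique | Format-Table -AutoSize

# Remediation for a confirmed leaver: disable rather than delete, so group memberships and
# history stay available to incident responders. $SamAccountName is an assumed parameter.
# Disable-ADAccount -Identity $SamAccountName

# 2. Entra ID: the tenant-wide defaults the advisory warns about. Out of the box every user
#    may register applications and create new tenants (becoming Global Administrator of each).
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
$Policy = Get-MgPolicyAuthorizationPolicy
$Policy.DefaultUserRolePermissions |
    Select-Object AllowedToCreateApps, AllowedToCreateTenants   # $true on both = default (weak)

# Hardened setting: restrict both capabilities to administrators.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateApps    = $false
    AllowedToCreateTenants = $false
}
```

Neither of the two checks replaces MFA on the privileged accounts themselves; the Entra ID change is tenant-wide and takes effect immediately, so review the list of existing app registrations first.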

Want to read more? Check out the original article available at The Hacker News!


Deitasoft © 2024. All Rights Reserved.