
U.S. State Government Network Breached via Former Employee’s Account

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued a joint advisory stating that a state government organization had been breached. According to the advisory, the organization's network environment was compromised through an administrator account that belonged to a former employee. The attackers successfully authenticated to an internal virtual private network (VPN) access point, which allowed them to connect to a virtual machine through the victim's VPN. By using a valid account and an expected remote-access path, the attackers aimed to blend in with legitimate traffic and avoid detection.

It is suspected that the attackers obtained the credentials following a separate data breach, since the credentials appeared in publicly available channels containing leaked account information. The admin account had access to a virtualized SharePoint server, and that access let the attackers obtain a second set of credentials stored on the server. These credentials carried administrative privileges to both the on-premises network and Azure Active Directory (now called Microsoft Entra ID).

With those credentials the attackers explored the victim's on-premises environment and executed various Lightweight Directory Access Protocol (LDAP) queries against a domain controller, the usual way to enumerate users, groups, and hosts once inside a domain. It is still unknown who is behind the attack. However, it is worth noting that neither of the two accounts had multifactor authentication (MFA) enabled. This underscores the need to secure privileged accounts that grant access to critical systems. It is also recommended to implement the principle of least privilege and to create separate administrator accounts so that access to the on-premises and cloud environments is segmented, and a compromise of one does not automatically hand over the other.
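The two conditions the paragraph above describes, a privileged account that was never retired and privileged accounts without MFA, are both things an administrator can audit. The following PowerShell is an added example and not code from the CISA/MS-ISAC advisory or the article: it walks the privileged on-premises AD groups, flags enabled accounts that have not logged on recently, and annotates each with whether the matching Entra ID user has any MFA method registered. It assumes the RSAT ActiveDirectory module and the Microsoft.Graph PowerShell SDK are installed, that the operator can read AD and holds the Graph scopes named in the code, and that the group list and the 90-day window are reasonable choices; none of those values come from the advisory.

```powershell
# Added example, not code from the CISA/MS-ISAC advisory or The Hacker News article.
# Audits privileged on-premises AD accounts for the conditions that enabled this
# intrusion: accounts still enabled but no longer used (e.g. former employees),
# and privileged identities with no MFA method registered in Entra ID.
# Assumptions (not from the advisory): RSAT ActiveDirectory and Microsoft.Graph
# modules installed; the operator can read AD and holds the Graph scopes below;
# the group list and 90-day staleness window are example choices.

Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
$StaleDays = 90

function Get-PrivilegedAccountReport {
    param([string[]] $Groups = $PrivilegedGroups, [int] $Days = $StaleDays)

    $cutoff = (Get-Date).AddDays(-$Days)
    $seen   = @{}   # one row per user even if it sits in several groups

    foreach ($group in $Groups) {
        # -Recursive expands nested groups, which is where forgotten admin accounts tend to hide.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($member in $members) {
            if ($seen.ContainsKey($member.DistinguishedName)) { continue }
            $seen[$member.DistinguishedName] = $true

            $u = Get-ADUser -Identity $member.DistinguishedName `
                     -Properties Enabled, LastLogonDate, PasswordLastSet, UserPrincipalName

            # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
            # 14 days of lag; that is still good enough to find accounts idle for months.
            $stale = ($null -eq $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)

            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                UserPrincipalName = $u.UserPrincipalName
                Enabled           = $u.Enabled
                LastLogonDate     = $u.LastLogonDate
                PasswordLastSet   = $u.PasswordLastSet
                Stale             = $stale
                PrivilegedVia     = $group
            }
        }
    }
}

function Add-EntraMfaStatus {
    # Annotates each row with whether the synced Entra ID user has any MFA method registered.
    param([Parameter(ValueFromPipeline)] $Row)
    begin {
        Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome
        $mfa = @{}
        # One tenant-wide registration report instead of a Graph call per account.
        Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
            $mfa[$_.UserPrincipalName.ToLower()] = $_.IsMfaRegistered
        }
    }
    process {
        $upn = if ($Row.UserPrincipalName) { $Row.UserPrincipalName.ToLower() } else { '' }
        # 'not in Entra' is what an on-prem-only admin account (the separate-accounts model) looks like.
        $status = if ($mfa.ContainsKey($upn)) { $mfa[$upn] } else { 'not in Entra' }
        $Row | Add-Member -NotePropertyName MfaRegistered -NotePropertyValue $status -PassThru
    }
}

# Enabled privileged accounts that are idle or lack registered MFA: the findings to act on first.
Get-PrivilegedAccountReport | Add-EntraMfaStatus |
    Where-Object { $_.Enabled -and ($_.Stale -or $_.MfaRegistered -ne $true) } |
    Sort-Object Stale -Descending |
    Format-Table SamAccountName, Enabled, Stale, LastLogonDate, MfaRegistered, PrivilegedVia -AutoSize
```

Two caveats when reading the output. An account that shows as stale should be disabled and its group memberships removed rather than simply deleted, so that the SID and its audit trail survive the investigation. And MFA for a VPN is enforced by the VPN concentrator or its RADIUS/identity provider, not by AD, so an on-prem-only admin account that reports "not in Entra" still needs its VPN MFA policy verified by hand.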

A deeper investigation into the incident found no evidence that the adversaries moved laterally from the on-premises environment into the Azure cloud infrastructure. However, the attackers did access host and user information and posted it on the dark web, presumably for financial gain. This prompted the organization to reset passwords for all users, disable the former employee's administrator account, and remove the elevated privileges from the second account.

The incident serves as a reminder that threat actors often leverage valid accounts, including those of former employees that have not been properly removed from Active Directory (AD), to gain unauthorized access to organizations. The advisory further states that unnecessary accounts, software, and services on the network give a threat actor additional vectors to compromise. By default, in Azure AD, all users can register applications and manage every aspect of the applications they create; these default settings can enable a threat actor to access sensitive information and move laterally in the network. In addition, the user who creates an Azure AD tenant automatically becomes the Global Administrator of that tenant, which a threat actor could use to escalate privileges and execute malicious actions.
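Both tenant defaults mentioned above live in the Entra ID authorization policy and can be read and tightened with Microsoft Graph. The PowerShell below is an added example and not code from the advisory or the article: it reads the current member-user defaults, then turns off self-service app registration and self-service tenant creation so that both become delegated tasks. It assumes the Microsoft.Graph PowerShell SDK is installed, that the operator holds the Policy.ReadWrite.Authorization scope, and that the /policies/authorizationPolicy endpoint behaves as documented; the function names are this example's own.

```powershell
# Added example, not code from the CISA/MS-ISAC advisory or The Hacker News article.
# Reads the two Entra ID default user permissions discussed above and switches them
# off: ordinary users may then neither register applications nor create tenants.
# Assumptions (not from the advisory): Microsoft.Graph SDK installed and the operator
# holds Policy.ReadWrite.Authorization; the endpoint is the documented
# /policies/authorizationPolicy singleton.

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome

$PolicyUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

function Get-DefaultUserPermissions {
    # Returns the member-user defaults as a flat object, handy for a before/after diff.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $PolicyUri
    $perm   = $policy.defaultUserRolePermissions
    [pscustomobject]@{
        AllowedToCreateApps           = $perm.allowedToCreateApps
        AllowedToCreateTenants        = $perm.allowedToCreateTenants
        AllowedToCreateSecurityGroups = $perm.allowedToCreateSecurityGroups
        AllowedToReadOtherUsers       = $perm.allowedToReadOtherUsers
    }
}

function Set-RestrictiveDefaultUserPermissions {
    # Only the two settings that matter here are changed; other defaults stay as they are.
    $body = @{
        defaultUserRolePermissions = @{
            allowedToCreateApps    = $false   # app registration now requires the Application Developer role
            allowedToCreateTenants = $false   # tenant creation (and its automatic Global Admin) now requires the Tenant Creator role
        }
    }
    # PATCH returns 204 No Content on success, so re-read the policy to confirm.
    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -Body $body -ContentType 'application/json' | Out-Null
    Get-DefaultUserPermissions
}

$before = Get-DefaultUserPermissions
$after  = Set-RestrictiveDefaultUserPermissions
"Before: apps=$($before.AllowedToCreateApps) tenants=$($before.AllowedToCreateTenants)"
"After:  apps=$($after.AllowedToCreateApps) tenants=$($after.AllowedToCreateTenants)"
```

Turning off allowedToCreateApps does not touch existing app registrations, so a review of who owns what is still needed; and because the policy applies to every member user, developers who legitimately need to register apps should be granted the Application Developer role explicitly before this is rolled out.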

Want to read more? Check out the original article available at The Hacker News!



Deitasoft © 2024. All Rights Reserved.