    A Former Employee’s Account Breached U.S. State Government Network

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed that the network of an unspecified state government organization was breached through an administrator account belonging to a former employee.

    CISA, in a joint advisory with the Multi-State Information Sharing and Analysis Center (MS-ISAC) published on Thursday, stated, “This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point.”

    Using the victim's VPN, the threat actor connected to a virtual machine (VM), intending to blend in with legitimate traffic and avoid detection.

    It is suspected that the threat actor obtained the credentials from a separate data breach, as the credentials were found in publicly available sources containing leaked account information.

    The compromised admin account, which had access to a virtualized SharePoint server, allowed the attackers to obtain a second set of credentials stored on that server. These credentials had administrative privileges to both the on-premises network and Azure Active Directory (now known as Microsoft Entra ID).

    This access enabled the attackers to explore the victim's on-premises environment and execute various Lightweight Directory Access Protocol (LDAP) queries against a domain controller. The identity of the attackers remains unknown.

    A thorough investigation found no evidence that the attackers moved laterally from the on-premises environment to the Azure cloud infrastructure.

    The attackers ultimately accessed host and user information, which they posted on the dark web, likely for financial gain. In response, the organization reset passwords for all users, disabled the compromised administrator account, and revoked the elevated privileges of the second account.

    It is important to note that neither of the two accounts had multi-factor authentication (MFA) enabled. This highlights the importance of securing privileged accounts that provide access to critical systems. It is also recommended to implement the principle of least privilege and create separate administrator accounts to segment access to on-premises and cloud environments.

    This incident underscores the fact that threat actors exploit valid accounts, including accounts of former employees that have not been properly removed from Active Directory (AD), to gain unauthorized access to organizations.
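The three weaknesses the advisory calls out (an enabled account belonging to a departed employee, privileged accounts without MFA, and one identity holding admin rights both on-premises and in the cloud) can be checked against an identity inventory. The following is an added example, not code from the advisory or from the affected organization; the account fields, group names and the sample records are constructed assumptions, not a real directory export.

```python
"""Audit an identity inventory for the weaknesses named in the CISA/MS-ISAC advisory."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed names of privileged on-prem groups and cloud roles (adjust to your tenant).
PRIVILEGED_ONPREM = {"Domain Admins", "Enterprise Admins", "Administrators"}
PRIVILEGED_CLOUD = {"Global Administrator"}


@dataclass
class Account:
    name: str
    enabled: bool
    mfa_enrolled: bool
    employment_ended: Optional[date]          # from an HR feed; None = still employed
    onprem_groups: Set[str] = field(default_factory=set)
    cloud_roles: Set[str] = field(default_factory=set)


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Return account names grouped by the advisory finding they match."""
    findings: Dict[str, List[str]] = {
        "stale_departed": [],            # departed staff whose account is still enabled
        "privileged_no_mfa": [],         # enabled admin (on-prem or cloud) without MFA
        "shared_onprem_cloud_admin": [], # one identity is admin in both environments
    }
    for a in accounts:
        onprem_admin = bool(a.onprem_groups & PRIVILEGED_ONPREM)
        cloud_admin = bool(a.cloud_roles & PRIVILEGED_CLOUD)
        if a.enabled and a.employment_ended is not None:
            findings["stale_departed"].append(a.name)
        if a.enabled and (onprem_admin or cloud_admin) and not a.mfa_enrolled:
            findings["privileged_no_mfa"].append(a.name)
        if onprem_admin and cloud_admin:
            findings["shared_onprem_cloud_admin"].append(a.name)
    return findings


# Constructed sample inventory mirroring the advisory's scenario.
SAMPLE = [
    Account("former.admin", True, False, date(2023, 10, 1), {"Domain Admins"}),
    Account("svc.sharepoint", True, False, None, {"Domain Admins"}, {"Global Administrator"}),
    Account("jdoe", True, True, None),
    Account("old.intern", False, False, date(2022, 6, 30)),  # disabled, so not flagged
]

if __name__ == "__main__":
    for finding, names in audit(SAMPLE).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```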

    “Unnecessary accounts, software, and services in the network create additional vectors for a threat actor to compromise,” the agencies cautioned.

    “By default, in Azure AD all users can register and manage all aspects of applications they create. These default settings can enable a threat actor to access sensitive information and move laterally in the network. In addition, users who create an Azure AD automatically become the Global Administrator for that tenant. This could allow a threat actor to escalate privileges to execute malicious actions.”
