US state government network hacked through former employee’s account

Network Breached

The US Cybersecurity and Infrastructure Security Agency (CISA) has revealed that the network environment of an unnamed state government organization was compromised through an administrator account of a former employee.

“This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point,” the agency said in a joint advisory published Thursday alongside the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“The threat actor connected to the [virtual machine] through the victim’s VPN with the intention of blending in with legitimate traffic to evade detection.”

It is suspected that the threat actor obtained the credentials after a separate data breach, because the credentials appeared on publicly available channels with leaked account information.

The administrator account, which had access to a virtualized SharePoint server, also allowed the attackers to access another set of credentials stored on the server that had administrative rights to both the on-premises network and Azure Active Directory (now called Microsoft Entra ID).

This further made it possible to explore the victim’s local environment and execute various LDAP (Lightweight Directory Access Protocol) queries on a domain controller. The attackers behind the malicious activity are currently unknown.

A deeper investigation into the incident found no evidence that the adversary moved laterally from the on-premises environment to the Azure cloud infrastructure.

The attackers eventually gained access to host and user information and posted it on the dark web, likely for financial gain, the bulletin said. The organization was advised to reset passwords for all users, disable the administrator account, and remove the elevated rights of the second account.

It’s worth pointing out that neither account had multi-factor authentication (MFA) enabled, underscoring the need to secure privileged accounts that grant access to critical systems. It is also recommended to implement the principle of least privilege and create separate administrative accounts to segment access to on-premises and cloud environments.

The development is a sign that threat actors are using valid accounts, including those of former employees that have not been properly purged from the Active Directory (AD), to gain unauthorized access to organizations.
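The two gaps described above (an offboarded employee’s account that was never disabled, and privileged accounts without MFA) are the kind of thing an identity audit should catch before a VPN login exposes them. The script below is an added example, not code from CISA, MS-ISAC or the affected organization; the account inventory, offboarding roster and VPN log lines are constructed sample data, and the syslog-style `key=value` log format is an assumption.

```python
"""Audit for the advisory's failure modes: a former employee's account still
enabled and authenticating to the VPN, and privileged accounts lacking MFA.
Added example; all data below is constructed, not real incident data."""
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    enabled: bool
    privileged: bool  # e.g. Domain Admins member or Global Administrator
    mfa: bool


# Constructed account inventory (what an AD / Entra ID export might yield).
ACCOUNTS = [
    Account("jdoe_admin", True, True, False),     # former employee, never disabled
    Account("svc_sharepoint", True, True, False), # admin creds found on the server
    Account("asmith", True, False, True),
    Account("rjones_admin", True, True, True),
]

# Constructed offboarding roster: accounts whose owners have left.
OFFBOARDED = {"jdoe_admin"}

# Constructed VPN authentication log, one event per line (assumed format).
VPN_LOG = """\
2024-02-14T03:12:44Z vpn01 auth user=jdoe_admin result=success src=203.0.113.7
2024-02-14T08:01:02Z vpn01 auth user=asmith result=success src=198.51.100.22
2024-02-14T08:05:19Z vpn01 auth user=svc_sharepoint result=failure src=203.0.113.7
"""


def parse_vpn_log(text):
    """Turn each 'ts host auth k=v k=v ...' line into a dict with a 'ts' key."""
    events = []
    for line in text.splitlines():
        tokens = line.split()
        fields = dict(tok.split("=", 1) for tok in tokens[3:])
        fields["ts"] = tokens[0]
        events.append(fields)
    return events


def stale_enabled_accounts(accounts, offboarded):
    """Offboarded users whose account is still enabled: disable these."""
    return sorted(a.name for a in accounts if a.enabled and a.name in offboarded)


def privileged_without_mfa(accounts):
    """Enabled privileged accounts with no MFA: enforce MFA or remove rights."""
    return sorted(a.name for a in accounts if a.enabled and a.privileged and not a.mfa)


def offboarded_vpn_logins(events, offboarded):
    """Successful VPN authentications by accounts that should no longer exist."""
    return [(e["ts"], e["user"], e["src"]) for e in events
            if e["result"] == "success" and e["user"] in offboarded]
```

Running the three checks against a real export and VPN log turns the advisory’s recommendations into a recurring control rather than a one-off cleanup.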

“Unnecessary accounts, software and services in the network create additional vectors for a threat actor to compromise,” the agencies said.

“By default, all users in Azure AD can register and manage all aspects of the applications they create. These default settings can allow a threat actor to access sensitive information and move laterally within the network. Additionally, users who create an Azure AD automatically become the global administrator for that tenant. This allows a threat actor to escalate privileges to perform malicious actions.”
