An administrator account belonging to a former employee was used to compromise the network environment of an unnamed state government organization, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
In a joint advisory released on Thursday with the Multi-State Information Sharing and Analysis Center (MS-ISAC), the agencies said the account "enabled the threat actor to successfully authenticate to an internal virtual private network (VPN) access point."
The threat actor then connected to a virtual machine through the victim's VPN in order to blend in with legitimate traffic and evade detection.
The credentials are suspected to have been obtained from a separate data breach, since they appeared in publicly accessible channels that contained leaked account information.
The admin account also had access to a virtualized SharePoint server, from which the attackers retrieved a second set of credentials stored on the server. Those credentials carried administrative privileges to both the on-premises network and Azure Active Directory (now known as Microsoft Entra ID).
This access allowed the attackers to explore the victim's on-premises environment and to run various Lightweight Directory Access Protocol (LDAP) queries against a domain controller. The party responsible for the activity is currently unknown.
A more thorough investigation of the incident found no evidence that the attacker moved laterally from the on-premises environment into the Azure cloud infrastructure.
The bulletin noted that the attackers eventually obtained host and user information and posted it online, likely for financial gain. In response, the organization reset all user passwords, disabled the administrator account, and removed the second account's elevated privileges.
Notably, neither of the two accounts had multi-factor authentication (MFA) enabled, underscoring the importance of protecting privileged accounts that grant access to sensitive information. The advisory also recommends applying the principle of least privilege and creating separate administrator accounts for on-premises and cloud environments, so that a compromise of one does not automatically extend to the other.
The incident shows how threat actors use legitimate accounts, including those of former employees that were never properly removed from Active Directory (AD), to gain unauthorized access to organizations.
According to the agencies, “unnecessary accounts, software, and services in the network give a threat actor more opportunities to compromise.”
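The stale-account problem the advisory describes can be inventoried directly from the domain. The following is an added example, not code from the advisory or from either agency, that lists enabled AD user accounts with no logon in the last 90 days and flags those that are (directly or through nested groups) members of privileged groups. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to account attributes; the 90-day threshold and the list of privileged groups are assumptions to adjust to your environment.

```powershell
# Added example (not from the CISA/MS-ISAC advisory): find enabled but inactive
# AD user accounts and mark the ones holding privileged group membership, so
# stale former-employee accounts can be disabled before they are reused.
# Assumes: RSAT ActiveDirectory module, domain-joined host, read rights on AD.
Import-Module ActiveDirectory

$InactiveDays     = 90                                   # assumed threshold
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                      'Schema Admins', 'Account Operators') # assumed list

# Resolve privileged membership recursively, so nested groups are not missed.
$privilegedSids = [System.Collections.Generic.HashSet[string]]::new()
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [void]$privilegedSids.Add($_.SID.Value) }
}

# Enabled user accounts with no logon in the last $InactiveDays days.
# LastLogonDate comes from the replicated lastLogonTimestamp attribute, which
# can lag real logons by up to ~14 days: read it as "at least this stale".
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, Description, whenCreated

$report = foreach ($u in $stale) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        LastLogonDate  = $u.LastLogonDate
        Created        = $u.whenCreated
        Privileged     = $privilegedSids.Contains($u.SID.Value)
        Description    = $u.Description
    }
}

# Privileged stale accounts first: a former employee's reused password on one
# of these is an immediate domain compromise, as in the incident above.
$report | Sort-Object Privileged, LastLogonDate -Descending | Format-Table -AutoSize

# Disable (rather than delete) the stale privileged accounts once the list has
# been reviewed; remove -WhatIf to apply. Keeping the object preserves the audit trail.
$report | Where-Object Privileged | ForEach-Object {
    Disable-ADAccount -Identity $_.SamAccountName -WhatIf
}
```

Run it periodically and diff the output against the HR offboarding list; an account that is both stale and privileged, or whose description names someone no longer employed, is exactly the kind of account the advisory says was used here.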
By default in Azure AD, all users can register applications and manage every aspect of the applications they create. These default settings could let a threat actor access sensitive information and move laterally within the network. In addition, the user who creates an Azure AD tenant automatically becomes that tenant's Global Administrator, a standing privilege a threat actor could use to escalate and carry out malicious activity.
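The two Azure AD defaults described above can be inspected and tightened from the tenant's authorization policy. The following is an added example, not code from the advisory, that reads the default user role permissions with the Microsoft Graph PowerShell SDK, turns off application registration for ordinary users, and lists the current Global Administrator holders for review. It assumes the Microsoft.Graph modules are installed and that the signed-in account can be granted the Policy.ReadWrite.Authorization and RoleManagement.Read.Directory scopes.

```powershell
# Added example (not from the CISA/MS-ISAC advisory): harden the Entra ID
# default that lets every member user register applications, then review who
# holds Global Administrator. Assumes Microsoft.Graph PowerShell SDK and an
# account able to consent to the listed scopes.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'RoleManagement.Read.Directory'

$policy = Get-MgPolicyAuthorizationPolicy
$perms  = $policy.DefaultUserRolePermissions

# Current state of the tenant-wide defaults. AllowedToCreateApps = True is the
# weak default the advisory calls out.
"AllowedToCreateApps           : $($perms.AllowedToCreateApps)"
"AllowedToCreateSecurityGroups : $($perms.AllowedToCreateSecurityGroups)"
"AllowedToReadOtherUsers       : $($perms.AllowedToReadOtherUsers)"

if ($perms.AllowedToCreateApps) {
    # Hardened setting: only users explicitly granted Application Developer
    # (or a higher role) may register apps and own their credentials/permissions.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        AllowedToCreateApps = $false
    }
}

# Verify the change took effect.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateApps
"AllowedToCreateApps after update: $after"

# List standing Global Administrators, including the tenant creator's automatic
# assignment, so each can be justified, moved to a dedicated cloud-only admin
# account, and protected with MFA.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id |
    Select-Object Id,
        @{ n = 'DisplayName'; e = { $_.AdditionalProperties['displayName'] } },
        @{ n = 'UPN';         e = { $_.AdditionalProperties['userPrincipalName'] } }
```

The Global Administrator list is the place to apply the advisory's separation advice: each entry should be a dedicated cloud administrator account with MFA, not a synced on-premises account whose password also opens the domain.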