Ex-Employee’s Admin Credentials Used in US Gov Agency Hack

A threat actor employed the administrative credentials of a former employee to hack a US government organization.

A threat actor gained access to a US government organization’s network using the compromised credentials for a former employee’s administrative account, the US cybersecurity agency CISA says.

Using the compromised credentials, the attackers accessed an internal VPN, performed reconnaissance of the on-premises environment, and executed LDAP queries on a domain controller.

The organization, which CISA has not named, had not removed the former employee's account after their departure, leaving the threat actor free to conduct reconnaissance and discovery activities with it.

The account had access to two virtualized servers, a SharePoint server and the former employee's workstation. Its credentials had been exposed in a separate data breach and could be found "in publicly available channels containing leaked account information", CISA says.

From the SharePoint server, the attackers extracted the credentials of a second employee and used them to authenticate to the on-premises Active Directory and Azure AD, gaining administrative privileges.

The attackers posted information stolen from the government organization, including documents containing host and user information and metadata, on a dark web forum, which triggered an investigation.

The former employee's account was immediately disabled and the two virtualized servers were taken offline. The victim organization also changed the credentials for the second compromised account and removed its administrative privileges.

“Neither of the administrative accounts had multifactor authentication (MFA) enabled,” CISA notes.


According to the agency, the threat actor executed LDAP queries on the domain controller using an open source tool to collect user, host, and trust relationship information, and posted the resulting text files for sale on the dark web.

For file, folder, and directory discovery, the threat actor authenticated to various endpoints using the CIFS protocol, typically employed for shared access to files. In total, the attackers authenticated to 16 services.

Organizations are advised to review current administrative accounts and remove those that are not necessary, restrict the use of multiple administrator accounts for one user, create separate admin accounts for on-premises and cloud environments, implement the principle of least privilege, and implement phishing-resistant MFA.

Furthermore, they should promptly remove unnecessary accounts, maintain a robust asset management policy, keep all systems and applications updated, prevent personal devices from connecting to the network, evaluate user permissions, enable logging, use tools to identify attack paths, employ strong password management policies, store credentials securely, and validate their security controls.
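The two behaviours that gave this intrusion away, a supposedly offboarded account authenticating at all and a single account fanning out to many services over network logons in a short window, are both cheap to detect from authentication telemetry. The following is an added example, not code from CISA or from the SecurityWeek article, that runs both checks over a constructed authentication log; the log format, the host names, the account names, and the offboarded-account list are all assumptions made for the example and not drawn from the advisory.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log for the example (not real telemetry).
# Columns: timestamp | account | source | target | service
SAMPLE_LOG = """\
2024-01-10T08:02:11Z | mlee       | ws-21  | fs-hr    | CIFS
2024-01-10T08:05:40Z | mlee       | ws-21  | print-02 | CIFS
2024-01-10T08:10:03Z | svc_backup | bkp-01 | fs-hr    | CIFS
2024-01-10T21:00:05Z | a-rwhite   | vpn-gw | vpn      | VPN
2024-01-10T21:03:52Z | a-rwhite   | vpn-gw | dc-01    | LDAP
2024-01-10T21:06:18Z | a-rwhite   | vpn-gw | sp-01    | CIFS
2024-01-10T21:07:02Z | a-rwhite   | vpn-gw | fs-hr    | CIFS
2024-01-10T21:07:49Z | a-rwhite   | vpn-gw | fs-fin   | CIFS
2024-01-10T21:08:30Z | a-rwhite   | vpn-gw | fs-eng   | CIFS
2024-01-10T21:09:11Z | a-rwhite   | vpn-gw | ws-07    | CIFS
2024-01-10T21:10:02Z | a-rwhite   | vpn-gw | ws-12    | CIFS
2024-01-10T21:11:45Z | a-rwhite   | vpn-gw | ws-19    | CIFS
2024-01-10T21:13:20Z | a-rwhite   | vpn-gw | print-02 | CIFS
2024-01-10T21:15:08Z | a-rwhite   | vpn-gw | sql-02   | CIFS
2024-01-10T21:18:33Z | a-rwhite   | vpn-gw | app-03   | CIFS
"""

# Constructed list of accounts HR says should have been removed at offboarding.
OFFBOARDED = {"a-rwhite"}


def parse_log(text):
    """Turn the pipe-separated sample log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, target, service = [f.strip() for f in line.split("|")]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "source": source,
            "target": target,
            "service": service,
        })
    return events


def offboarded_logons(events, offboarded):
    """Check 1: any authentication by an account that should no longer exist."""
    return [e for e in events if e["account"] in offboarded]


def fanout_accounts(events, min_targets=10, window=timedelta(minutes=30)):
    """Check 2: accounts that reached at least min_targets distinct targets
    within any single time window. Returns {account: max_distinct_targets}."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        # Slide a window starting at each event; evs is sorted, so the
        # events that fall inside it are a contiguous prefix of evs[i:].
        for i, start in enumerate(evs):
            end = start["ts"] + window
            targets = {e["target"] for e in evs[i:] if e["ts"] <= end}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[account] = best
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in offboarded_logons(events, OFFBOARDED):
        print(f"OFFBOARDED ACCOUNT IN USE: {e['account']} -> {e['target']} "
              f"({e['service']}) at {e['ts']:%Y-%m-%d %H:%M:%S}")
    for account, n in fanout_accounts(events).items():
        print(f"FAN-OUT: {account} authenticated to {n} distinct targets "
              f"within 30 minutes")
```

The first check only works if the offboarding process actually feeds a list of departed users to whoever runs detection, which is the gap this incident exposed; the second needs no such list and would also have caught the second, still-employed account once its credentials were lifted from SharePoint. Tune `min_targets` and `window` against a baseline of your own service accounts and backup jobs, which legitimately fan out, before alerting on it.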

Related: Swiss Govt Websites Hit by Pro-Russia Hackers After Zelensky Visit

Related: Government, Military Targeted as Widespread Exploitation of Ivanti Zero-Days Begins

Related: China-Linked Volt Typhoon Hackers Possibly Targeting Australian, UK Governments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.