A threat actor gained access to a US government organization’s network using the compromised credentials for a former employee’s administrative account, the US cybersecurity agency CISA says.
Using the compromised credentials, the attackers accessed an internal VPN, performed reconnaissance of the on-premises environment, and executed LDAP queries on a domain controller.
The organization, which CISA has not named, failed to remove the account of the former employee, which allowed the threat actor to conduct reconnaissance and discovery activities.
The credentials, which offered access to two virtualized servers, namely SharePoint and the employee’s workstation, were obtained from another data breach, and could be found “in publicly available channels containing leaked account information”, CISA says.
From the SharePoint server, the attackers extracted the credentials of a second employee and used them to authenticate to the on-premises Active Directory and Azure AD, gaining administrative privileges.
The attackers posted information stolen from the government organization, including documents containing host and user information and metadata, on a dark web forum, which triggered an investigation.
The former employee’s account was immediately disabled and the two virtualized servers taken offline. The victim organization also changed the credentials for the second compromised account and removed its administrative privileges.
“Neither of the administrative accounts had multifactor authentication (MFA) enabled,” CISA notes.
According to the agency, the threat actor executed LDAP queries on the domain controller using an open source tool to collect user, host, and trust relationship information, and posted the resulting text files for sale on the dark web.
For file, folder, and directory discovery, the threat actor authenticated to various endpoints using the CIFS protocol, typically employed for shared access to files. In total, the attackers authenticated to 16 services.
Organizations are advised to review current administrative accounts and remove those that are not necessary, restrict the use of multiple administrator accounts for one user, create separate admin accounts for on-premises and cloud environments, implement the principles of least privilege, and implement phishing-resistant MFA.
Furthermore, they should promptly remove unnecessary accounts, maintain a robust asset management policy, keep all systems and applications updated, prevent personal devices from connecting to the network, evaluate user permissions, enable logging, use tools to identify attack paths, employ strong password management policies, store credentials securely, and validate their security controls.
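Two of the points above lend themselves to a concrete check: the hygiene review of administrative accounts (departed owners, missing MFA, one user holding several admin accounts, a single account spanning on-premises and cloud) and detection of the kind of broad CIFS authentication described in the advisory. The following Python is an added example written for this article, not code from CISA or from the victim organization; the directory export, HR roster, log format and field names are all constructed for illustration, and the fan-out threshold (five hosts in ten minutes) is an assumed tuning value, not a figure from the advisory.

```python
"""Added example: audit exported admin accounts and flag CIFS logon fan-out.
All data and field names below are constructed; adapt the parsers to your own exports."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory export of privileged accounts (hypothetical fields).
ADMIN_ACCOUNTS = [
    {"account": "ex-admin1", "owner": "former.employee", "enabled": True,  "mfa": False, "realm": "onprem"},
    {"account": "it-admin2", "owner": "current.admin",   "enabled": True,  "mfa": False, "realm": "both"},
    {"account": "it-admin3", "owner": "current.admin",   "enabled": True,  "mfa": True,  "realm": "onprem"},
    {"account": "sec-admin", "owner": "sec.lead",        "enabled": True,  "mfa": True,  "realm": "cloud"},
]
# Constructed HR roster: owners who are still employed.
ACTIVE_STAFF = {"current.admin", "sec.lead"}


def audit_admin_accounts(accounts, active_staff):
    """Return sorted (subject, reason) findings for the account-hygiene points in the advisory."""
    findings = []
    per_owner = defaultdict(list)
    for acct in accounts:
        name = acct["account"]
        if acct["enabled"] and acct["owner"] not in active_staff:
            findings.append((name, "enabled admin account belongs to a departed user"))
        if not acct["mfa"]:
            findings.append((name, "admin account without MFA"))
        if acct["realm"] == "both":
            findings.append((name, "single admin account spans on-prem and cloud"))
        per_owner[acct["owner"]].append(name)
    for owner, names in per_owner.items():
        if len(names) > 1:
            findings.append((owner, f"user holds multiple admin accounts: {sorted(names)}"))
    return sorted(findings)


# Constructed authentication log: one line per CIFS logon to a host.
AUTH_LOG = """\
2024-01-15T02:10:01 user=ex-admin1 proto=CIFS host=fs01
2024-01-15T02:10:09 user=ex-admin1 proto=CIFS host=fs02
2024-01-15T02:10:15 user=ex-admin1 proto=CIFS host=dc01
2024-01-15T02:10:22 user=ex-admin1 proto=CIFS host=sp01
2024-01-15T02:10:30 user=ex-admin1 proto=CIFS host=ws-hr01
2024-01-15T02:10:44 user=ex-admin1 proto=CIFS host=ws-fin02
2024-01-15T09:00:00 user=it-admin3 proto=CIFS host=fs01
2024-01-15T09:05:00 user=it-admin3 proto=CIFS host=fs02
"""


def parse_auth_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def find_cifs_fanout(events, min_hosts=5, window=timedelta(minutes=10)):
    """Map user -> max number of distinct hosts reached via CIFS inside any `window`,
    for users that reach at least `min_hosts`. A sliding window over sorted logons."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("proto") == "CIFS":
            by_user[e["user"]].append((e["ts"], e["host"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[user] = max(len(hosts), flagged.get(user, 0))
    return flagged


if __name__ == "__main__":
    for subject, reason in audit_admin_accounts(ADMIN_ACCOUNTS, ACTIVE_STAFF):
        print(f"HYGIENE  {subject}: {reason}")
    for user, n in find_cifs_fanout(parse_auth_log(AUTH_LOG)).items():
        print(f"FANOUT   {user}: {n} distinct hosts via CIFS within 10 minutes")
```

On the constructed data the audit flags the departed owner's still-enabled account, both accounts lacking MFA, the account used for both on-premises and cloud administration, and the user holding two admin accounts; the fan-out check flags only the account that touched six hosts in under a minute, leaving the two routine file-server logons alone. The threshold and window are deliberately parameters so they can be tuned against a baseline of normal administrative activity.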