The US Cybersecurity and Infrastructure Security Agency (CISA) reported that a threat actor gained access to a US government organization's network using the credentials of a former employee's administrative account. The credentials had been exposed in an unrelated data breach and were publicly available, and the organization had never disabled or removed the account after the employee left, so they still worked. With them, the attacker authenticated to the organization's internal VPN, conducted reconnaissance, and ran LDAP queries against a domain controller to enumerate the domain; because the account stayed active, that reconnaissance continued undetected. The attacker then extracted a second set of credentials from a SharePoint server, and that account held administrative privileges in both on-premises Active Directory and Azure AD.

The intrusion came to light only when the stolen information was posted on a dark web forum, which prompted the investigation. The organization disabled the compromised accounts, took the affected servers offline, enabled multifactor authentication (MFA), and reviewed its administrative accounts. CISA's recommendations include limiting the number of administrative accounts, applying least privilege, enforcing phishing-resistant MFA, and periodically reviewing and updating these controls, including removing accounts that are no longer needed.
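The control that failed here is the periodic review of privileged accounts. The script below is an added example, not code from the article or from CISA's advisory: it enumerates members of on-premises AD privileged groups and flags accounts whose owner has left, that have not logged on recently, or whose password is stale, then (with `-WhatIf`) shows the disable-and-demote step. The group list, the 90-day threshold and the departed-user list are assumptions; the departed-user list is a constructed stand-in for an HR export. It needs the RSAT ActiveDirectory module and read rights on the domain.

```powershell
# Added example (not from the article or the CISA advisory): audit privileged AD
# groups for accounts that should no longer exist or no longer be privileged.
Import-Module ActiveDirectory

# Assumptions: which groups count as privileged and how long "stale" is.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')
$StaleDays = 90

# Constructed input: sAMAccountNames HR reports as departed. Replace with an HR export.
$DepartedUsers = @('jdoe.admin', 'asmith')

$cutoff = (Get-Date).AddDays(-$StaleDays)
$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect admins are not missed.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties LastLogonDate, PasswordLastSet, Enabled, Description
        $reasons = @()
        if ($DepartedUsers -contains $u.SamAccountName) { $reasons += 'owner departed' }
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
            $reasons += "no logon in $StaleDays days"
        }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
            $reasons += 'password older than 1 year'
        }
        if ($reasons) {
            [pscustomobject]@{
                Group     = $group
                Account   = $u.SamAccountName
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogonDate
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Account, Group | Format-Table -AutoSize

# Remediation for departed owners: disable the account and remove it from the
# privileged group. Disabling rather than deleting keeps the object and its SID
# for the investigation. Remove -WhatIf to actually apply the changes.
foreach ($f in $findings | Where-Object { $_.Reason -like '*owner departed*' -and $_.Enabled }) {
    Disable-ADAccount -Identity $f.Account -WhatIf
    Remove-ADGroupMember -Identity $f.Group -Members $f.Account -Confirm:$false -WhatIf
}
```

Run it from a scheduled task or as part of the offboarding checklist and diff the output against the previous run; an account that appears with `owner departed` or a stale logon in a privileged group is exactly the condition this incident exploited. Accounts that also hold Azure AD (Entra ID) roles need a separate review on that side, since disabling the on-premises object does not by itself revoke cloud-only role assignments.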
Read more: https://www.securityweek.com/ex-employees-admin-credentials-used-in-us-gov-agency-hack/