
US State Government Network Compromised Through Former Employee’s Admin Credentials

A US state government organisation experienced a security breach. According to the US cybersecurity agency, CISA, a threat actor gained access to the organisation’s network using compromised credentials linked to a former employee’s administrative account.

According to CISA and MS-ISAC, an unidentified threat actor infiltrated the US state government organisation’s network and stole important data.

In a joint alert released on Thursday with the Multi-State Information Sharing and Analysis Center (MS-ISAC), the agency said:

This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point. The threat actor connected to the [virtual machine] through the victim’s VPN with the intent to blend in with legitimate traffic to evade detection.

A security vulnerability led to the leakage of sensitive data, including host and user information, as well as metadata. Once these confidential documents appeared for sale on a dark web brokerage site, the breach became publicly known.

Further investigation by the state government agencies found that the records had been accessed without authorisation through a compromised account that belonged to a former employee.

Sensitive data remains unaffected despite the compromise of US State Govt former employee credentials

The administrator account, which had connectivity to a virtualised SharePoint server, let the attackers obtain additional credentials stored on that server. These credentials gave administrator access both to the on-premises network and to Microsoft Entra ID (formerly Azure Active Directory).

According to the agency, the threat actor then used an open-source tool to run LDAP queries against the domain controller, aiming to collect information on users, hosts, and trust relationships. The attacker later offered the text files containing the extracted information for sale on the dark web.

The organisation promptly shut down both virtual servers and disabled the account. It also removed administrator access from the second compromised account and reset its credentials.

The threat actors made no effort to move from the compromised on-premises network to the Azure environment, according to the investigation conclusions. It was also confirmed that they didn’t get unauthorised access to any critical systems.

CISA, the Cybersecurity and Infrastructure Security Agency, used its Untitled Goose Tool to collect the relevant logs. This free tool from CISA is designed to help network security teams detect potentially malicious activity in Microsoft Azure, Azure Active Directory, and Microsoft 365 environments.

Notably, none of the accounts had multi-factor authentication (MFA) enabled, which highlights the need to protect privileged accounts that have access to vital on-premises and cloud services. The principle of least privilege should be applied deliberately to reduce the impact of any single compromised account.

Using separate administrator accounts for on-premises and cloud systems divides privilege and limits the damage a single stolen credential can do. This not only improves security but also reduces possible damage and helps prevent unauthorised access, underlining the importance of strong account security measures.
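The intrusion pattern described above (a departed employee’s administrator account authenticating to the VPN, with no MFA on any of the accounts) maps onto two simple detection rules over VPN authentication logs. The following Python is an added example, not tooling from CISA, MS-ISAC or the affected organisation; the log format, account names and offboarding roster are constructed for illustration.

```python
# Added example: flag VPN logins that match the intrusion pattern above.
from dataclasses import dataclass
from datetime import date

# Constructed sample data: an HR offboarding roster (account -> last day)
# and a list of privileged accounts. A real deployment would pull these
# from HR and the directory; the names here are hypothetical.
OFFBOARDED = {"jdoe-admin": date(2023, 11, 30)}
PRIVILEGED = {"jdoe-admin", "svc-sharepoint", "itops-admin"}

# Constructed VPN authentication log lines in a simple key=value format.
VPN_LOG = """\
ts=2024-01-08 user=asmith result=success mfa=yes src=203.0.113.10
ts=2024-01-08 user=jdoe-admin result=success mfa=no src=198.51.100.7
ts=2024-01-08 user=itops-admin result=success mfa=no src=203.0.113.22
ts=2024-01-08 user=svc-sharepoint result=failure mfa=no src=198.51.100.7
"""

@dataclass
class Alert:
    user: str
    reason: str
    src: str

def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict of fields."""
    return dict(field.split("=", 1) for field in line.split())

def analyse(log: str, offboarded=OFFBOARDED, privileged=PRIVILEGED) -> list[Alert]:
    """Return one Alert per rule hit; failed logins are ignored here."""
    alerts = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["result"] != "success":
            continue
        when = date.fromisoformat(ev["ts"])
        user = ev["user"]
        # Rule 1: a successful login by an account whose owner has already left.
        if user in offboarded and when > offboarded[user]:
            alerts.append(Alert(user, "login by offboarded account", ev["src"]))
        # Rule 2: a privileged account authenticating without MFA.
        if user in privileged and ev["mfa"] != "yes":
            alerts.append(Alert(user, "privileged login without MFA", ev["src"]))
    return alerts

if __name__ == "__main__":
    for a in analyse(VPN_LOG):
        print(f"{a.user}: {a.reason} from {a.src}")
```

On the constructed log the departed employee’s account trips both rules and the other privileged account trips the MFA rule, while the ordinary user and the failed login produce nothing.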

Although the full extent of the breach’s harm is unknown, it shows how important strong cybersecurity measures are, particularly strict account management processes for departing employees.

CISA and MS-ISAC advise actively testing and verifying your organisation’s security programme in addition to applying mitigations. In practice this means auditing your current controls and evaluating their effectiveness against the threat behaviours catalogued in the MITRE ATT&CK for Enterprise framework.

Help your colleagues keep security as their top priority and strengthen your human firewall. Start the fortification process now with our Phishing Tackle security awareness training, which comes with a two-week free trial.
