U.S. State Government Network Breached via Former Employee’s Account

By neub9

Feb 16, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that the network environment of an unnamed state government organization was compromised through an administrator account associated with a former employee.

“This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point,” the agency stated in a joint advisory published Thursday, in collaboration with the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“The threat actor connected to the [virtual machine] through the victim’s VPN with the intent to blend in with legitimate traffic to evade detection.”

It is suspected that the threat actor acquired the credentials following a separate data breach, as the credentials were found in publicly available channels containing leaked account information.

The admin account, which had access to a virtualized SharePoint server, also allowed the attackers to obtain another set of credentials stored on that server; these carried administrative privileges to both the on-premises network and Azure Active Directory (now known as Microsoft Entra ID).

This further enabled them to explore the victim’s on-premises environment and execute various Lightweight Directory Access Protocol (LDAP) queries against a domain controller. The perpetrators behind the malicious activity are currently unidentified.

A thorough investigation into the incident has found no evidence that the adversary moved laterally from the on-premises environment to the Azure cloud infrastructure.

The attackers ultimately gained access to host and user information and posted the data on the dark web for potential financial gain, prompting the organization to reset passwords for all users, disable the administrator account, and revoke the elevated privileges for the second account.

It is noteworthy that neither of the two accounts had multi-factor authentication (MFA) enabled, emphasizing the importance of securing privileged accounts that provide access to critical systems. It is also recommended to implement the principle of least privilege and create separate administrator accounts to segregate access to on-premises and cloud environments.

The incident serves as a reminder that threat actors exploit valid accounts, including those of former employees that have not been properly removed from the Active Directory (AD), to gain unauthorized access to organizations.
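The two failure modes above (an offboarded employee's admin account that can still authenticate to the VPN, and privileged accounts without MFA) can be caught by correlating VPN authentication logs with a directory snapshot and an HR offboarding feed. The following is an added detection example, not code from the advisory or this article; the VPN log format, account names and the `DIRECTORY`/`OFFBOARDED` inputs are all constructed.

```python
import re

# Constructed directory snapshot: account -> attributes an auditor would pull
# from AD (group membership) and Entra ID (MFA registration), plus the HR owner.
DIRECTORY = {
    "adm.jdoe":  {"admin": True,  "mfa": False, "owner": "jdoe"},
    "svc.share": {"admin": True,  "mfa": False, "owner": None},
    "asmith":    {"admin": False, "mfa": True,  "owner": "asmith"},
}
# Constructed HR feed: employees whose separation has already been processed.
OFFBOARDED = {"jdoe"}

# Constructed VPN log format for a hypothetical appliance: "<ts> vpn user=<u> result=<r> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) vpn user=(?P<user>\S+) result=(?P<result>\w+) src=(?P<src>\S+)$")
SAMPLE_LOG = """\
2024-02-10T03:12:44Z vpn user=adm.jdoe result=success src=203.0.113.7
2024-02-10T08:01:02Z vpn user=asmith result=success src=198.51.100.5
2024-02-10T09:30:11Z vpn user=svc.share result=failure src=203.0.113.7
2024-02-10T09:31:40Z vpn user=svc.share result=success src=203.0.113.7
2024-02-10T10:00:00Z vpn user=ghost result=success src=192.0.2.9
"""

def check_login(user, directory=DIRECTORY, offboarded=OFFBOARDED):
    """Return finding codes for a successful VPN login by `user` (empty list = benign)."""
    acct = directory.get(user)
    if acct is None:
        return ["UNKNOWN_ACCOUNT"]            # authenticated but absent from the directory
    findings = []
    if acct["owner"] in offboarded:
        findings.append("OFFBOARDED_OWNER")   # former employee's account never disabled
    if acct["admin"] and not acct["mfa"]:
        findings.append("PRIVILEGED_NO_MFA")  # admin account relying on password alone
    return findings

def scan(log_text, directory=DIRECTORY, offboarded=OFFBOARDED):
    """Return (timestamp, user, src, findings) for every successful login with findings."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "success":
            continue  # failed attempts are out of scope for this check
        f = check_login(m["user"], directory, offboarded)
        if f:
            alerts.append((m["ts"], m["user"], m["src"], f))
    return alerts

if __name__ == "__main__":
    for ts, user, src, f in scan(SAMPLE_LOG):
        print(f"{ts} {user} from {src}: {', '.join(f)}")
```

The same `check_login` rule can be run against the directory alone (without log lines) to find offboarded or MFA-less admin accounts before they are used.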

“Unnecessary accounts, software, and services in the network create additional vectors for a threat actor to compromise,” the agencies stated.

“By default, in Azure AD all users can register and manage all aspects of applications they create. These default settings can enable a threat actor to access sensitive information and move laterally in the network. In addition, users who create an Azure AD automatically become the Global Administrator for that tenant. This could allow a threat actor to escalate privileges to execute malicious actions.”
