The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Multi-State Information Sharing and Analysis Center (MS-ISAC), has determined that unknown attackers gained access to one of the internal government networks in the United States through the administrator account of a former employee.
It is believed that the attackers obtained the credentials from a separate data-breach incident, as the same credentials were later found in publicly available data-leak channels.
Using the administrator account, which had access to a virtualized SharePoint server, the attackers targeted a second set of credentials with administrative privileges both in the on-premises network and in Azure Active Directory (now known as Microsoft Entra ID). This allowed them to explore the victim's on-premises environment and run various queries against the domain controller.
The identity of the attackers has not yet been established. A thorough investigation found no evidence that the attackers moved from the on-premises environment into the Azure cloud infrastructure. They did, however, obtain information about hosts and users, which they later posted on the darknet, presumably for financial gain.
In response, the affected government organization took several measures: it reset the passwords of all users, disabled the former administrator's account, and revoked the elevated privileges of the second account.
Notably, none of the accounts were protected by multifactor authentication (MFA), which highlights the need for robust protection of privileged accounts that have access to critical systems.
It is further recommended to apply the principle of least privilege and to create separate administrator accounts so that access to the on-premises and cloud environments is segregated. Such accounts must be disabled or deleted as soon as an employee leaves the organization.
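The three controls above (offboarding, MFA on privileged accounts, separate on-premises and cloud admin identities) can be checked against an account inventory. The following is an added example written for this article, not code from CISA or MS-ISAC; the account record layout and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """Hypothetical flattened record joined from HR data, AD and Entra ID."""
    name: str
    enabled: bool        # account can still sign in
    employed: bool       # False once HR records the person as departed
    mfa_enabled: bool    # MFA enforced for this identity
    onprem_admin: bool   # privileged in on-premises Active Directory
    cloud_admin: bool    # privileged in Microsoft Entra ID (Azure AD)


def audit(accounts):
    """Return (account name, finding) pairs for violations of the controls
    recommended in the advisory. Order follows the inventory order."""
    findings = []
    for a in accounts:
        # Offboarding: a departed employee must not keep a usable account.
        if a.enabled and not a.employed:
            findings.append((a.name, "former employee account still enabled"))
        # Privileged accounts must be protected by MFA.
        if a.enabled and (a.onprem_admin or a.cloud_admin) and not a.mfa_enabled:
            findings.append((a.name, "privileged account without MFA"))
        # One identity should not hold admin rights in both environments.
        if a.onprem_admin and a.cloud_admin:
            findings.append((a.name, "single identity holds on-prem and cloud admin rights"))
    return findings


# Constructed sample inventory, not data from the incident.
SAMPLE_INVENTORY = [
    Account("former-admin", True, False, False, True, False),   # left, still enabled, no MFA
    Account("hybrid-admin", True, True, False, True, True),     # admin in both environments
    Account("cloud-admin", True, True, True, False, True),      # compliant cloud admin
    Account("jane.user", True, True, False, False, False),      # unprivileged user
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```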
This incident is a reminder that attackers can readily abuse the valid accounts of employees with elevated system privileges if proper protection is not in place. Such compromises are highly damaging for private companies, but for government entities they can be disastrous.
Unnecessary and excessive accounts, software, and services on an organization's network always create additional attack vectors. Ignoring basic modern protective measures such as multifactor authentication all but openly invites attackers into the network.