The US Cybersecurity and Infrastructure Security Agency (CISA) has revealed that the network environment of an unnamed state government organization was compromised via an administrator account belonging to a former employee.
“This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point,” the agency said in a joint advisory released Thursday with the Multi-State Information Sharing and Analysis Center (MS-ISAC).
“The threat actor connected to [virtual machine] through the victim’s VPN with the intent to blend in with legitimate traffic to evade detection.”
The threat actor is suspected to have obtained the credentials following a separate data breach as the credentials appeared in publicly accessible channels containing leaked account information.
The administrator account, which had access to a virtualized SharePoint server, also gave the attackers access to another set of credentials stored on the server, which had administrative privileges on both the local network and Azure Active Directory (now called Microsoft Login ID ).
This also allowed the threat actor to explore the victim’s local environment and execute various Lightweight Directory Access Protocol (LDAP) queries against a domain controller. The attackers behind the malicious activity are currently unknown.
A deeper investigation into the incident revealed no evidence that the adversary moved laterally from the on-premises environment to the Azure cloud infrastructure.
The attackers eventually gained access to host and user information and posted it on the dark web, likely for financial gain, the bulletin noted, prompting the organization to reset passwords for all users, disable the administrator account and remove elevated privileges from the second account.
It’s worth pointing out that neither account had multi-factor authentication (MFA) enabled, underscoring the need to secure privileged accounts that grant access to critical systems. We also recommend implementing the principle of least privilege and creating separate administrator accounts to segment access to on-premises and cloud environments.
This development is a sign that threat actors are exploiting valid accounts, including those belonging to former employees who have not been properly removed from Active Directory (AD), to gain unauthorized access to organizations.
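The offboarding gap described above is easy to check for mechanically. The following is an added example, not part of the advisory or the article: a Python audit over a constructed snapshot of directory accounts (sAMAccountName, enabled flag, last logon, group membership, MFA enrollment) cross-referenced with a constructed HR separation list, flagging exactly the conditions in this incident: a departed employee whose account is still enabled, a privileged account without MFA, and accounts that have not signed in for a long time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Groups treated as privileged (assumption: adjust to your tenant/domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}

@dataclass
class Account:
    sam: str                 # sAMAccountName
    enabled: bool
    last_logon: datetime     # timezone-aware UTC
    groups: Set[str]
    mfa_enrolled: bool

NOW = datetime(2024, 2, 16, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample export; none of these are real accounts.
ACCOUNTS: List[Account] = [
    Account("jdoe", True, NOW - timedelta(days=120), {"Domain Admins"}, False),
    Account("asmith", True, NOW - timedelta(days=1), {"Domain Admins"}, True),
    Account("svc-backup", True, NOW - timedelta(days=200), {"Backup Operators"}, False),
    Account("mlee", False, NOW - timedelta(days=400), {"Domain Users"}, False),
]

# Constructed HR separation list: employees who have left the organization.
SEPARATED: Set[str] = {"jdoe", "mlee"}

def audit(accounts: List[Account], separated: Set[str], now: datetime,
          stale_after: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Return {sam: [issues]} for every account with at least one finding."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        issues: List[str] = []
        privileged = bool(a.groups & PRIVILEGED_GROUPS)
        if a.enabled and a.sam in separated:
            issues.append("separated-but-enabled")   # former employee, still active
        if a.enabled and now - a.last_logon > stale_after:
            issues.append("stale")                   # unused account, still active
        if a.enabled and privileged and not a.mfa_enrolled:
            issues.append("privileged-no-mfa")       # admin reachable with password only
        if issues:
            findings[a.sam] = issues
    return findings

if __name__ == "__main__":
    for sam, issues in audit(ACCOUNTS, SEPARATED, NOW).items():
        print(f"{sam}: {', '.join(issues)}")
```

A disabled account for a separated employee (mlee above) produces no finding, which is the state offboarding should leave behind.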
“Unnecessary accounts, software, and services on the network create additional vectors for a threat actor to compromise,” the agencies said.
“By default, in Azure AD all users can register and manage all aspects of the applications they create. These default settings can allow a threat actor to access sensitive information and move laterally across the network. Additionally, users who create an Azure AD automatically become the global administrator for that tenant. This could allow a threat actor to escalate privileges to perform malicious actions.”