The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently disclosed a concerning security breach within the network of an undisclosed state government organization. The compromised entry point turned out to be an administrator account belonging to a former employee, as detailed in a joint advisory from CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
According to the advisory, the threat actor exhibited a high level of sophistication by successfully authenticating to an internal virtual private network (VPN) access point using the credentials of the ex-employee. This strategic move allowed the hacker to seamlessly connect to a virtual machine through the victim’s VPN, all with the intention of camouflaging their activities within the legitimate network traffic, thereby avoiding detection.
Investigations suggest that the threat actor likely obtained these credentials from a separate data breach, given that the compromised information was found in publicly accessible channels containing leaked account details. The compromised admin account not only provided access to a virtualized SharePoint server but also enabled the attackers to acquire another set of credentials stored on the server. These additional credentials held administrative privileges for both the on-premises network and the Azure Active Directory, now referred to as Microsoft Entra ID.
Also Read: CISA & FBI ISSUES ALERT ON PLAY RANSOMWARE’S GROWING THREAT
The identity of the perpetrators remains shrouded in mystery, and a thorough examination of the incident revealed no evidence of lateral movement from the on-premises environment to the Azure cloud infrastructure. However, the consequences of the breach were impactful, with the attackers gaining access to sensitive host and user information, subsequently putting this data up for sale on the dark web to reap financial gains.
In response to the breach, the targeted organization took decisive measures to mitigate further risks. This included a comprehensive password reset for all users, the deactivation of the compromised administrator account, and the removal of elevated privileges associated with the second account. The incident underscores the evolving and persistent threats faced by government entities, emphasizing the crucial need for robust cybersecurity measures to safeguard sensitive information and networks.