Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization


February 15, 2024 at 02:19PM

CISA and MS-ISAC conducted an incident response assessment that revealed a threat actor had gained unauthorized access to a state government organization’s network environment. The attacker obtained network administrator credentials through the account of a former employee and used them to access the organization’s internal and Azure environments. A Cybersecurity Advisory containing technical details and mitigation strategies has been released; for more information, refer to the full report.

The advisory’s key takeaways can be summarized as follows:

1. The incident involved an unidentified threat actor who compromised network administrator credentials through the account of a former employee, gaining access to the internal virtual private network (VPN) and conducting various lightweight directory access protocol (LDAP) queries against a domain controller.

2. The threat actor’s activity, mapped to the MITRE ATT&CK for Enterprise framework, included tactics and techniques such as initial access through compromised domain accounts, persistence through external remote services, privilege escalation, credential access, discovery through LDAP queries, lateral movement, and collection of information from SharePoint.

3. Mitigations recommended by CISA and MS-ISAC include securing and monitoring administrator accounts, reducing the attack surface by removing unnecessary accounts, evaluating tenant settings in Azure, creating a forensically ready organization, assessing the security configuration of the Azure environment, implementing conditional access policies, resetting all passwords and establishing secure password policies, and validating security controls against the mapped threat behaviors.

4. Additionally, recommendations for vendors were provided, emphasizing secure by design principles, elimination of default passwords, and the incorporation of multifactor authentication (MFA) as a default feature in products.

5. Finally, the document emphasized the importance of testing and validating an organization’s security program against the threat behaviors outlined in the MITRE ATT&CK for Enterprise framework.
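As an added illustration of the first mitigations listed above (securing and monitoring administrator accounts, removing unnecessary accounts such as those of former employees, and being forensically ready to notice when such an account is used for VPN logon or LDAP discovery), here is a small Python audit and detection script. It is example code written for this summary, not code from the CISA/MS-ISAC advisory: the directory export, the HR offboarding list, the group names, the IP addresses and the log lines are all constructed, and the `key=value` log format is a simplified stand-in for whatever a real VPN appliance or domain controller emits.

```python
"""Offboarding hygiene audit and former-employee activity detection.

Added example, not from the CISA/MS-ISAC advisory. Every account name,
group name, IP address and log line below is constructed for illustration.
"""
import re
from collections import Counter

# Constructed directory export: one flattened record per account, as you
# might produce from an AD or Entra ID dump.
DIRECTORY = [
    {"sam": "jdoe",    "enabled": True,  "groups": ["Domain Users"]},
    {"sam": "asmith",  "enabled": True,  "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "rwilson", "enabled": False, "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "mlee",    "enabled": True,  "groups": ["Domain Users", "Remote VPN Users"]},
]

# Constructed HR offboarding feed: accounts whose owners have left the organization.
OFFBOARDED = {"asmith", "rwilson", "mlee"}

# Groups whose membership should never survive offboarding (assumed set).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed log lines in a simplified key=value format (not a real product's format).
SAMPLE_LOGS = [
    "ts=2024-02-01T08:12:03Z src=vpn event=auth_ok user=jdoe ip=203.0.113.10",
    "ts=2024-02-01T08:40:11Z src=vpn event=auth_ok user=mlee ip=198.51.100.23",
    "ts=2024-02-01T08:41:02Z src=dc01 event=ldap_search user=mlee ip=10.0.5.7 base=DC=corp,DC=example",
    "ts=2024-02-01T08:41:05Z src=dc01 event=ldap_search user=mlee ip=10.0.5.7 base=CN=Users,DC=corp,DC=example",
    "ts=2024-02-01T09:02:44Z src=vpn event=auth_fail user=rwilson ip=198.51.100.23",
    "ts=2024-02-01T09:15:30Z src=dc01 event=ldap_search user=svc_backup ip=10.0.2.2 base=DC=corp,DC=example",
]

# Events that mean an account was actually exercised (success or attempt).
ACTIVITY_EVENTS = {"auth_ok", "auth_fail", "ldap_search"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def audit_offboarded_accounts(directory, offboarded, privileged_groups=PRIVILEGED_GROUPS):
    """Return (account, reasons) for offboarded accounts that were not fully retired.

    Two conditions are flagged:
      * still_enabled: the owner has left but the account can still authenticate.
      * privileged:    the account retains membership in a privileged group, even
                       if disabled (a disabled admin account is one re-enable
                       away from full control, so remove the membership too).
    """
    findings = []
    for acct in directory:
        if acct["sam"] not in offboarded:
            continue
        reasons = []
        if acct["enabled"]:
            reasons.append("still_enabled")
        if privileged_groups & set(acct["groups"]):
            reasons.append("privileged")
        if reasons:
            findings.append((acct["sam"], reasons))
    return findings


def parse_line(line):
    """Parse one constructed key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def detect_offboarded_activity(log_lines, offboarded):
    """Return (ts, user, event, ip) for any authentication or LDAP activity
    attributed to an offboarded account; any hit is worth an investigation."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec.get("user") in offboarded and rec.get("event") in ACTIVITY_EVENTS:
            hits.append((rec["ts"], rec["user"], rec["event"], rec.get("ip")))
    return hits


def ldap_query_counts(log_lines):
    """Count LDAP searches per user so discovery bursts stand out against the
    baseline of service accounts that normally query the directory."""
    counts = Counter()
    for line in log_lines:
        rec = parse_line(line)
        if rec.get("event") == "ldap_search":
            counts[rec["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for sam, reasons in audit_offboarded_accounts(DIRECTORY, OFFBOARDED):
        print(f"[audit] {sam}: {', '.join(reasons)}")
    for hit in detect_offboarded_activity(SAMPLE_LOGS, OFFBOARDED):
        print(f"[alert] {hit}")
    print("[ldap] queries per user:", ldap_query_counts(SAMPLE_LOGS))
```

The audit half is the preventive control: run it against a fresh directory export whenever the HR offboarding feed changes, and treat every finding as a ticket to disable the account and strip its group memberships. The detection half is the forensically-ready control: an offboarded account producing any VPN or LDAP event is a high-fidelity signal precisely because there is no legitimate reason for it, and the per-user LDAP counts give you a baseline to compare an unexpected directory-enumeration burst against.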

