February 16, 2024 at 10:03AM
A threat actor gained access to a US government organization’s network using compromised credentials from a former employee’s administrative account, enabling reconnaissance and data theft. CISA advises organizations to review administrative accounts, implement MFA, and maintain robust security measures to prevent similar incidents.
Key takeaways from the meeting notes are as follows:
– A threat actor gained access to a US government organization’s network using compromised credentials for a former employee’s administrative account.
– The attackers accessed an internal VPN, performed reconnaissance, and executed LDAP queries on a domain controller using the compromised credentials.
– The organization failed to remove the former employee’s account, facilitating unauthorized access and reconnaissance activities.
– The compromised credentials were obtained from a data breach and were publicly available in leaked account information channels.
– The attackers extracted credentials from a SharePoint server, gaining administrative privileges in both the on-premises Active Directory and Azure AD.
– Stolen information, including host and user details, was posted on a dark web forum, prompting an investigation.
– Immediate actions included disabling the compromised user account, taking two virtualized servers offline, changing credentials, and removing administrative privileges.
– Neither administrative account had multifactor authentication (MFA) enabled, so the leaked passwords alone were enough to authenticate.
– The threat actor executed LDAP queries on the domain controller, posted resulting text files for sale on the dark web, and authenticated to various endpoints using the CIFS protocol.
– Recommendations for organizations include reviewing and removing unnecessary administrative accounts, implementing least privilege principles, employing phishing-resistant MFA, and maintaining robust asset management policies.
These takeaways provide a summary of the main points discussed in the meeting notes regarding the cybersecurity incident.
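The recommendations above (review administrative accounts, remove those that are unnecessary, require MFA) can be turned into a repeatable check. The script below is an added example, not part of the advisory or the summary: it audits a constructed CSV export of admin-group members against a constructed HR separation list and flags exactly the conditions this incident turned on, a separated user still holding admin rights, a stale admin account, and a privileged account without MFA. The column names and the separation list are assumptions, not a real AD or Entra ID export schema.

```python
"""Audit privileged accounts for the failure modes seen in this incident."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export of admin-group members (hypothetical column layout).
ADMIN_EXPORT = """sam,enabled,last_logon,mfa_enrolled,groups
jdoe,True,2024-02-10,True,Domain Admins
former.admin,True,2023-08-01,False,Domain Admins;Global Administrator
svc_backup,True,2024-02-14,False,Domain Admins
mlee,False,2023-11-20,True,Domain Admins
"""

# Constructed HR separation list: account names of people who have left.
SEPARATED = {"former.admin", "mlee"}

# Admin accounts unused for this long are treated as candidates for removal.
STALE_AFTER = timedelta(days=90)


def audit_admins(export_csv: str, separated: set, today: datetime) -> list:
    """Return (account, [issue, ...]) for every admin account with a finding."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["sam"]
        enabled = row["enabled"] == "True"
        last_logon = datetime.strptime(row["last_logon"], "%Y-%m-%d")
        mfa = row["mfa_enrolled"] == "True"
        issues = []
        # Membership in an admin group must be removed at separation; a disabled
        # account that is still a member is flagged too, since it can be re-enabled.
        if name in separated:
            issues.append("separated-user-retains-admin")
        if enabled and today - last_logon > STALE_AFTER:
            issues.append("stale-admin")
        if enabled and not mfa:
            issues.append("no-mfa")
        if issues:
            findings.append((name, issues))
    return findings


if __name__ == "__main__":
    for account, issues in audit_admins(ADMIN_EXPORT, SEPARATED, datetime(2024, 2, 16)):
        print(f"{account}: {', '.join(issues)}")
```

In practice the export would come from the directory (for example a scripted dump of privileged-group membership and MFA enrolment) and the separation list from HR, and the audit would run on a schedule rather than once.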