February 16, 2024 at 03:03AM
The US CISA reported a state government network compromise due to a former employee’s admin account. The threat actor gained access via a virtual private network and obtained credentials from a separate breach. The incident highlighted the lack of multi-factor authentication and the need to secure privileged accounts. The attackers aimed for financial gain and prompted the organization to reset passwords and remove elevated privileges.
Key Takeaways from the Meeting Notes:
1. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) jointly revealed a data breach in an unnamed state government organization’s network environment.
2. The compromise was facilitated through an administrator account belonging to a former employee, which allowed the threat actor to connect to the internal VPN and reach sensitive information.
3. The threat actor obtained credentials from a separate data breach, leading to unauthorized access to a virtualized SharePoint server and administrative privileges in the on-premises network and Azure Active Directory.
4. The attackers accessed and posted host and user information on the dark web for potential financial gain, prompting the organization to reset passwords, disable the administrator account, and remove elevated privileges.
5. The incident highlights the importance of implementing multifactor authentication (MFA) for privileged accounts, the principle of least privilege, and the segregation of access to on-premises and cloud environments.
6. The agencies emphasized the risk posed by unnecessary accounts, software, and default settings in Azure AD, each of which gives a threat actor an additional vector for compromise.