American-style cybersecurity: how a series of stupid mistakes led to the hacking of the government network

Teacher

Compromise could have been avoided by applying only a few simple security measures...

The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Multi-State Information Sharing and Analysis Center (MS-ISAC), found that unknown attackers gained access to an internal network of a US state government organization through an administrator account belonging to a former employee.

It is assumed that the attackers obtained the credentials from a separate data breach, since the same credentials were later found in public channels that circulate leaked data.

Using that administrator account, which had access to the SharePoint virtual server, the attackers obtained a second set of credentials with administrative privileges both on the on-premises network and in Azure Active Directory (now called Microsoft Entra ID). This gave the attackers the opportunity to explore the victim's on-premises environment and issue various queries to the domain controller.

At the moment, the identity of the attackers has not been established. A detailed investigation found no evidence that the attackers moved from the on-premises environment to the Azure cloud infrastructure. However, they gained access to information about hosts and users, and then posted this data on the darknet, probably for financial gain.

As a result, the affected government organization took action: it reset the passwords of all users, disabled the former administrator's account, and removed elevated privileges for the second account.

It is noted that none of the accounts were protected by multi-factor authentication (MFA), which underlines the need for strong protection of privileged accounts that provide access to critical systems.

We also recommend applying the principle of least privilege and creating separate administrator accounts so that access to on-premises and cloud environments is kept apart. And, of course, do not forget to disable or delete an employee's accounts when that employee leaves the organization.

This event serves as a reminder that attackers can easily use valid employee accounts with elevated system privileges if the organization does not take care to protect them in advance. Such a compromise is extremely damaging for private companies, but for government agencies it can turn into a disaster.

Unnecessary and redundant accounts, software, and services on an organization's network always create additional vectors for cyber attacks, and ignoring basic modern security measures such as multi-factor authentication amounts to an open invitation for attackers to walk into the network.