The Cybersecurity and Infrastructure Security Agency revealed that a U.S. state government agency had its network compromised due to a former employee's administrative credentials that had been obtained from previous data breaches, SecurityWeek reports.
According to CISA, the attackers used the former employee's credentials, which were still valid for both SharePoint and his workstation, to connect to an internal VPN and carry out reconnaissance. A second employee's credentials, taken from the SharePoint server, were then used to authenticate to both on-premises Active Directory and Azure AD. The threat actors went on to steal the agency's documents, including their metadata, as well as host and user details gathered through LDAP queries against the domain controller; the stolen data was later posted on a hacking forum. Further examination of the compromised user accounts showed that they lacked multi-factor authentication. In response, CISA urges organizations to strengthen account security by reviewing administrative accounts and removing those no longer in use, limiting the use of multiple administrator accounts, and adopting phishing-resistant MFA.
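The first of CISA's recommendations, reviewing administrative accounts and removing those no longer in use, is the kind of check that would have caught a departed employee still holding a privileged, MFA-less account. The script below is an added example, not part of the article or the CISA advisory; it assumes the RSAT ActiveDirectory module, read access to the domain, and the group names and dormancy threshold set at the top.

```powershell
# Added example: inventory members of privileged AD groups and flag accounts that
# are disabled, have never logged on, or have not logged on within the threshold,
# so they can be reviewed and removed. Assumes the ActiveDirectory module is present.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumption: adjust to your tiering model
$StaleAfterDays   = 45                                                           # assumption: your dormancy threshold
$Cutoff           = (Get-Date).AddDays(-$StaleAfterDays)

$report = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged accounts are included
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # LastLogonDate is derived from lastLogonTimestamp, which replicates only
            # every ~14 days, so it is coarse but sufficient for a dormancy review.
            $u = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, PasswordLastSet, Enabled
            $lastLogon = $u.LastLogonDate

            if (-not $u.Enabled)            { $reason = 'disabled but still privileged' }
            elseif ($null -eq $lastLogon)   { $reason = 'never logged on' }
            elseif ($lastLogon -lt $Cutoff) { $reason = "no logon since $($lastLogon.ToShortDateString())" }
            else                            { $reason = '' }

            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $lastLogon
                PasswordLastSet = $u.PasswordLastSet
                ReviewReason    = $reason
            }
        }
}

# Accounts needing action: stale or disabled identities that still hold privileged membership
$report | Where-Object { $_.ReviewReason } | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Keep the full inventory as the record of the access review
$report | Export-Csv -Path .\privileged-account-review.csv -NoTypeInformation
```

Run it on a schedule and treat every flagged row as a ticket to either remove the membership or document why it stays; cloud-side roles in Azure AD need the same review, which this script does not cover.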