
CISA: Hackers Use Admin Credentials to Breach State Government Network


Key Points:

  • A threat actor compromised a state government organization using a former employee’s leaked admin credentials.
  • The attacker gained access through a VPN, a SharePoint server, and an employee’s workstation, obtaining admin privileges but not compromising sensitive systems in the cloud.

In a recent incident, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) discovered that a state government organization was compromised by a threat actor leveraging a former employee’s admin credentials. The attacker gained access to the organization’s network through a VPN, a SharePoint server, and an employee’s workstation, performing reconnaissance and obtaining admin privileges. However, they did not breach sensitive systems in the cloud environment.

The motive behind the breach was financial gain, as the stolen documents were intended to be sold to other cybercriminals. The incident highlighted the importance of implementing stronger access controls, such as multi-factor authentication (MFA), to prevent unauthorized access. CISA and MS-ISAC recommended a robust user management program to promptly remove former employees from the network and purge their admin credentials from Active Directory.
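One way to check for the gap described above is to cross-reference a directory export against the HR separation list. This is an added example, not code from CISA, MS-ISAC, or this article; the column names, group names, and sample records are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: a directory export and an HR separation list.
# Column names and account names are assumptions made for this example.
DIRECTORY_EXPORT = """sam_account,enabled,groups,mfa_enrolled,last_logon
jdoe,true,Domain Admins;VPN Users,false,2024-01-20
asmith,true,VPN Users,true,2024-02-01
bwong,false,Domain Admins,false,2023-11-02
mlee,true,Administrators,false,2024-02-02
"""
HR_SEPARATIONS = """sam_account,separation_date
jdoe,2023-12-15
bwong,2023-10-30
"""
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def audit(directory_csv, separations_csv):
    """Return (account, finding, severity) tuples for offboarding and MFA gaps."""
    separated = {
        row["sam_account"]: date.fromisoformat(row["separation_date"])
        for row in csv.DictReader(io.StringIO(separations_csv))
    }
    findings = []
    for row in csv.DictReader(io.StringIO(directory_csv)):
        name = row["sam_account"]
        enabled = row["enabled"].lower() == "true"
        groups = set(filter(None, row["groups"].split(";")))
        privileged = bool(groups & PRIVILEGED_GROUPS)
        left_on = separated.get(name)
        if left_on and enabled:
            # Former employee whose account still works; worst case if it is
            # privileged or was used after the separation date.
            used_after = bool(row["last_logon"]) and \
                date.fromisoformat(row["last_logon"]) > left_on
            severity = "CRITICAL" if privileged or used_after else "HIGH"
            findings.append((name, "separated-but-enabled", severity))
        elif left_on and privileged:
            # Disabled, but privileged group membership was never purged.
            findings.append((name, "disabled-but-still-privileged", "MEDIUM"))
        elif enabled and privileged and row["mfa_enrolled"].lower() != "true":
            findings.append((name, "privileged-without-mfa", "HIGH"))
    return findings


if __name__ == "__main__":
    for finding in audit(DIRECTORY_EXPORT, HR_SEPARATIONS):
        print(*finding, sep="\t")
```
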

Overall, the incident serves as a reminder of the risks posed by compromised credentials and the importance of proactive cybersecurity measures to protect organizations from malicious threats.
