US State Government Network Suffers Data Breach Through Former Employee’s Account

A recent cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) revealed that a state government organization fell victim to a data breach through a former employee’s compromised account.

According to the analysis, an unnamed threat actor was able to gain access to the organization's network by using the credentials of a former employee. The employee's account should have been disabled when they left the organization, but it remained active. The threat actor was then able to use this account to connect to the internal virtual private network (VPN) and conduct reconnaissance activities.

The threat actor was able to gather information on users, hosts, and trust relationships within the organization's Active Directory through LDAP queries. The information obtained was then posted for sale on a dark web marketplace.

While the initial compromise happened on the organization's on-premises systems, the state government also utilizes Microsoft's Azure cloud platform which contains sensitive systems and data. Fortunately, the investigation found no evidence that the threat actor moved laterally from the on-premises network into Azure.

The cybersecurity advisory outlined several security lapses that enabled the attack:

  • Failure to disable a former employee's account
  • Lack of multifactor authentication on administrator accounts
  • Storage of administrator credentials on servers
  • Overly permissive Azure AD tenant settings

To prevent similar attacks, the advisory provided mitigation strategies focused on protecting and monitoring administrator accounts, reducing the attack surface, creating a "forensically ready" security posture, assessing cloud configurations, and resetting passwords.

ACTIONS TO TAKE
  1. Continuously remove and disable accounts and groups from the enterprise that are no longer needed, especially privileged accounts.
  2. Enable and enforce multifactor authentication with strong passwords.
  3. Store credentials in a secure manner, such as with a credential manager, vault, or other privileged account management solution.
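The first action above is the one the advisory ties directly to this breach: a departed employee's account stayed enabled and was then used for VPN access. The script below is an added example (not code from the article or from CISA/MS-ISAC) of the kind of offboarding audit a defender can run: it cross-checks an HR termination list against a directory export and a VPN authentication log, flags terminated users whose accounts are still enabled, and lists any VPN authentication attempts made after the termination date. All records are constructed, and the field names (`sam`, `enabled`, `member_of`) and the log line format are assumptions standing in for whatever your directory and VPN appliance actually export.

```python
"""Offboarding audit: terminated users vs. directory state vs. VPN logons.

Added example, not part of the advisory or the article. All data below is
constructed; the record schema and log format are assumptions.
"""
import re
from datetime import datetime, timezone

# Constructed HR offboarding records: username -> termination timestamp (UTC).
HR_TERMINATIONS = {
    "jdoe": datetime(2023, 6, 1, tzinfo=timezone.utc),
    "asmith": datetime(2023, 9, 15, tzinfo=timezone.utc),
}

# Constructed directory export (an AD/LDAP dump might look like this).
DIRECTORY_ACCOUNTS = [
    {"sam": "jdoe", "enabled": True, "member_of": ["VPN-Users"]},
    {"sam": "asmith", "enabled": False, "member_of": ["VPN-Users"]},
    {"sam": "bwong", "enabled": True, "member_of": ["Domain Admins", "VPN-Users"]},
]

# Constructed VPN authentication log (assumed key=value syslog-style format).
VPN_LOG = """\
2023-06-03T02:14:07Z vpn01 auth: user=jdoe result=success src=203.0.113.45
2023-06-03T02:15:22Z vpn01 auth: user=bwong result=success src=198.51.100.7
2023-05-20T09:00:00Z vpn01 auth: user=jdoe result=success src=192.0.2.10
2023-09-16T11:30:00Z vpn01 auth: user=asmith result=failure src=203.0.113.99
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_vpn_log(text):
    """Parse the constructed log format into dicts with a UTC datetime."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(rec)
    return events


def stale_enabled_accounts(terminations, accounts):
    """Terminated users whose directory account is still enabled."""
    return sorted(
        a["sam"] for a in accounts if a["enabled"] and a["sam"] in terminations
    )


def post_termination_logons(terminations, events):
    """VPN authentication attempts (any result) after the user's termination.

    Failed attempts are kept too: a failure against a former employee's
    account is still a signal that the credential is being tried.
    """
    hits = [
        e for e in events
        if e["user"] in terminations and e["ts"] > terminations[e["user"]]
    ]
    return sorted(hits, key=lambda e: e["ts"])


def privileged_accounts(accounts, admin_groups=("Domain Admins",)):
    """Enabled accounts in privileged groups: the MFA review list."""
    return sorted(
        a["sam"] for a in accounts
        if a["enabled"] and any(g in admin_groups for g in a["member_of"])
    )


def run_audit(terminations=HR_TERMINATIONS, accounts=DIRECTORY_ACCOUNTS, log=VPN_LOG):
    """Run all three checks and return the findings as one dict."""
    events = parse_vpn_log(log)
    return {
        "stale_enabled": stale_enabled_accounts(terminations, accounts),
        "post_termination_vpn": [
            (e["ts"].isoformat(), e["user"], e["result"], e["src"])
            for e in post_termination_logons(terminations, events)
        ],
        "privileged_for_mfa_review": privileged_accounts(accounts),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

In this constructed data the audit flags `jdoe` as terminated but still enabled, shows a successful VPN logon by that account two days after the termination date, and surfaces a failed attempt against the already-disabled `asmith` account; `bwong` appears only on the privileged-account list for the MFA check. Running such a comparison on a schedule, and alerting on any hit in the post-termination list, turns the advisory's first action item into a continuous control rather than a one-off checklist step.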

Specific technical details on the threat actor's tactics, techniques and procedures were also analyzed in terms of the MITRE ATT&CK framework. This information will help other organizations configure their security controls to detect and prevent similar attacks.

While the exact damage from this breach remains unclear, it underscores the importance of sound cybersecurity practices - especially stringent account management procedures for departing employees.

State and local government organizations face increasing cyber threats as they provide critical infrastructure and contain highly sensitive information. Adopting the enhanced security controls recommended in this advisory can help reduce their risk and prevent additional high-profile breaches in the public sector.

You can read the full technical analysis and recommendations in the CISA and MS-ISAC joint cybersecurity advisory [PDF].

Organizations in all sectors are encouraged to review the mitigation strategies and validate their controls against the identified threat behaviours.
