CISA (the Cybersecurity & Infrastructure Security Agency) has issued a cybersecurity advisory after the discovery of documents containing host and user information of a state government organization’s network environment—including metadata—on a dark web brokerage site.
An attacker compromised network administrator credentials through the account of a former employee of the organization. The attacker then authenticated to an internal virtual private network (VPN) access point, moved further through the victim's on-premises environment, and executed various lightweight directory access protocol (LDAP) queries against a domain controller.
CISA suspects that the account details fell into the attacker's hands through a data breach. This would not have posed a problem if the account had been disabled when the employee left. But the account still had administrative privileges on two virtualized servers, including SharePoint, and on the workstation.
The incident responders’ logs revealed the attacker first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range.
On the SharePoint server, the attacker obtained global domain administrator credentials that were stored locally on the server. This account also provided the attacker with access to the on-premises Active Directory (AD) and Azure AD.
The attacker executed LDAP queries to collect user, host, and trust relationship information. The results of these queries are believed to have been among the information that was offered for sale.
When an employee leaves, there may be reasons not to remove all of their accounts immediately. But you should at least remove their privileges as soon as possible and change the password.
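One way to catch a leftover account before it is abused the way the advisory describes is to audit the privileged AD groups on a schedule. The script below is an added example, not code from the article or from CISA; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to AD, and the 60-day staleness threshold and the list of groups are assumptions to adjust for your environment.

```powershell
# Added example: flag privileged-group members that look like leftover accounts
# (no recent logon, stale or non-expiring password, or disabled but still a member).
# Assumes the ActiveDirectory module is installed and the caller can read AD.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$StaleAfterDays   = 60   # assumption: no logon in 60 days is worth a second look
$Cutoff           = (Get-Date).AddDays(-$StaleAfterDays)

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so indirect admins are included too
    $Members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName `
            -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires

        $Reasons = @()
        if ($User.Enabled -and (-not $User.LastLogonDate -or $User.LastLogonDate -lt $Cutoff)) {
            $Reasons += "no logon since $($User.LastLogonDate)"
        }
        if ($User.PasswordNeverExpires) {
            $Reasons += 'password never expires'
        }
        if ($User.PasswordLastSet -and $User.PasswordLastSet -lt $Cutoff) {
            $Reasons += "password last set $($User.PasswordLastSet)"
        }
        if (-not $User.Enabled) {
            # A disabled account should not keep its group memberships either
            $Reasons += 'disabled but still a member'
        }

        if ($Reasons.Count -gt 0) {
            [pscustomobject]@{
                Group          = $Group
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                LastLogonDate  = $User.LastLogonDate
                Reasons        = ($Reasons -join '; ')
            }
        }
    }
}

$Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Each row is a candidate for removal from the group, a password reset, or disabling; cross-check the list against HR leaver records rather than acting on the logon date alone.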
The CISA advisory lists several points of advice about user accounts:
More general tips are: