U.S. State Government Network Hacked Via Former Employee Account

CISA (Cybersecurity and Infrastructure Security Agency) and MS-ISAC (Multi-State Information Sharing and Analysis Center) have jointly disclosed that an unknown organization has attacked a state government organization’s network environment. 

As a result of this intrusion, the attacker has successfully exfiltrated sensitive data from the targeted network.CISA & MS-ISAC revealed that an unidentified threat actor hacked the state government organization’s environment & stole sensitive data.

Following a security breach, sensitive information such as host and user data, including metadata, was publicly disclosed on a dark web brokerage site. The breach was discovered when the documents containing the information were available for sale on the dark web.

The agencies have conducted additional analysis to conclude that the documents were obtained through unauthorized access to the system via a compromised account belonging to a former employee.

Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks .

Threat Actor Activity

As per the investigation reports, it was noted that the threat actors didn’t attempt to expand their reach from the compromised on-premises network to the Azure environment. Furthermore, it was also confirmed that they didn’t gain unauthorized access to any critical systems.

CISA utilized its Untitled Goose Tool to detect the logs; this free tool by CISA is known to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments.

According to the logs, the attacker used an unknown virtual machine (VM) to enter the victim’s system via IP addresses from their internal VPN range to avoid detection. 

The attack was initiated using credentials from a former employee with access to two virtualized servers – SharePoint and a workstation.

The attacker acquired additional login credentials from SharePoint, granting them access to both on-premises and Azure AD systems.

Subsequently, the threat actor performed LDAP queries to gather user, host, and trust relationship data.

CISA and MS-ISAC recommend reviewing all current administrator accounts and implementing multifactor authentication to mitigate this risk.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.