
U.S. State Government Network Hacked Via Former Employee Account

CISA (Cybersecurity and Infrastructure Security Agency) and MS-ISAC (Multi-State Information Sharing and Analysis Center) have jointly disclosed that an unidentified threat actor compromised a state government organization's network environment.

As a result of this intrusion, the attacker successfully exfiltrated sensitive data from the targeted network.

Following the breach, sensitive information, including host and user data and its associated metadata, was posted on a dark web brokerage site. The intrusion was discovered when the documents containing that information were found listed for sale there.

Further analysis by the agencies concluded that the documents were obtained through unauthorized access to the network via a compromised account belonging to a former employee.


Threat Actor Activity

According to the investigation, the threat actor did not attempt to pivot from the compromised on-premises network into the Azure environment, and it was confirmed that they did not gain unauthorized access to any critical systems.

CISA used its Untitled Goose Tool to review the logs. This free tool from CISA helps network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments.

According to the logs, the attacker connected to the victim's environment from an unknown virtual machine (VM), using IP addresses within the organization's internal VPN range so that the activity blended in and avoided detection.

The attack was initiated using credentials from a former employee with access to two virtualized servers – SharePoint and a workstation.

The attacker acquired additional login credentials from SharePoint, granting them access to both on-premises and Azure AD systems.

Subsequently, the threat actor performed LDAP queries to gather user, host, and trust relationship data.

CISA and MS-ISAC recommend reviewing all current administrator accounts and implementing multifactor authentication to mitigate this risk.
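As an added example (not code from the advisory or this article), the following Python script runs two checks that follow from the findings above over a constructed, simplified sign-in log: successful sign-ins by accounts that HR has already offboarded, noting whether they came from the internal VPN range, and administrator sign-ins that completed without MFA. The log field names, the VPN range and the account names are assumptions made for the example.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample data (hypothetical field names, not a real log format).
OFFBOARDED = {"jdoe": "2023-11-01T00:00:00Z"}          # account -> termination date
ADMIN_ACCOUNTS = {"svc-admin"}                          # assumed privileged accounts
VPN_RANGE = ipaddress.ip_network("10.50.0.0/16")        # assumed internal VPN pool

SIGN_INS = [
    '{"ts":"2023-12-03T02:14:09Z","user":"jdoe","ip":"10.50.12.7","status":"Success","mfa":false}',
    '{"ts":"2023-12-03T09:30:00Z","user":"asmith","ip":"10.50.3.4","status":"Success","mfa":true}',
    '{"ts":"2023-12-03T10:02:11Z","user":"svc-admin","ip":"203.0.113.9","status":"Success","mfa":false}',
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(sign_in_lines, offboarded, vpn_range, admin_accounts):
    """Return (user, reason) findings for successful sign-ins that either
    post-date the user's offboarding or come from an admin account without MFA."""
    findings = []
    for line in sign_in_lines:
        event = json.loads(line)
        if event["status"] != "Success":
            continue
        when = parse_ts(event["ts"])
        source_ip = ipaddress.ip_address(event["ip"])

        # A former employee's account should not authenticate after termination,
        # regardless of whether the source looks internal (VPN) or external.
        term_date = offboarded.get(event["user"])
        if term_date and when > parse_ts(term_date):
            where = "internal VPN range" if source_ip in vpn_range else "external address"
            findings.append((event["user"], f"sign-in after offboarding from {where}"))

        # Administrator accounts are expected to complete MFA on every sign-in.
        if event["user"] in admin_accounts and not event["mfa"]:
            findings.append((event["user"], "admin sign-in without MFA"))
    return findings


if __name__ == "__main__":
    for user, reason in audit(SIGN_INS, OFFBOARDED, VPN_RANGE, ADMIN_ACCOUNTS):
        print(f"{user}: {reason}")
```

In practice the offboarding list would come from the HR system and the events from the Azure AD sign-in log export rather than the inline samples.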


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
