U.S. CISA: hackers breached a state government organization

2 months ago AndyC

U.S. CISA: hackers breached a state government organization

Pierluigi Paganini
February 16, 2024

U.S. CISA revealed that threat actors breached an unnamed state government organization via an administrator account belonging to a former employee.

U.S. CISA: hackers breached a state government organization

U.S. CISA: hackers breached a state government organization

Pierluigi Paganini
February 16, 2024

U.S. CISA revealed that threat actors breached an unnamed state government organization via an administrator account belonging to a former employee.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a threat actor gained access to an unnamed state government organization’s network environment via an administrator account belonging to a former employee.

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) published a joint Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques, and procedures (TTPs) utilized by a threat actor.

The government experts conducted an incident response assessment of the state government organization after its documents were posted on the dark web. The threat actor compromised network administrator credentials through the account of a former employee that was used to successfully authenticate to an internal virtual private network (VPN) access point. Then the attackers made lateral movement and executed various lightweight directory access protocol (LDAP) queries against a domain controller. The government organization also hosts its sensitive data on an Azure environment which was not accessed by the attackers.

“The logs revealed the threat actor first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range. CISA and MS-ISAC assessed that the threat actor connected to the VM through the victim’s VPN with the intent to blend in with legitimate traffic to evade detection.” reads the report published by CISA.

The threat actor likely obtained the employee’s account credentials from a third-party data breach.

The threat actor likely obtained the account credentials of a second user from the virtualized SharePoint server managed by the first user. Neither of the two administrative accounts had multifactor authentication (MFA) enabled.

CISA pointed out that the victim confirmed that the administrator credentials for the second user were stored locally on this server.

Access to the virtualized SharePoint server enabled threat actors to also acquire a separate set of credentials stored on the server, granting administrative privileges to both the on-premises network and Azure Active Directory.

The report includes a lot of interesting details about the threat actor’s activity along with mitigations in accordance with the Cross-Sector Cybersecurity Performance Goals (CPGs) established by CISA and the National Institute of Standards and Technology (NIST), which are recommended to all critical infrastructure entities and network defenders.

CISA did not attribute the attack to a specific threat actor.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , ,

More Stories

Multiple Brocade SANnav SAN Management SW flaws allow device compromise

Multiple Brocade SANnav SAN Management SW flaws allow device compromise

2 hours ago AndyC
ICICI Bank exposed credit card data of 17000 customers

ICICI Bank exposed credit card data of 17000 customers

8 hours ago AndyC
Okta warns of unprecedented scale in credential stuffing attacks on online services

Okta warns of unprecedented scale in credential stuffing attacks on online services

14 hours ago AndyC
Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION

20 hours ago AndyC
Targeted operation against Ukraine exploited 7-year-old MS Office bug

Targeted operation against Ukraine exploited 7-year-old MS Office bug

20 hours ago AndyC
Weekly Update 397

Weekly Update 397

20 hours ago AndyC

You may have missed

Kaspersky boosts email security features after 77% of firms hit by cyber attacks

Kaspersky boosts email security features after 77% of firms hit by cyber attacks

2 hours ago AndyC
Multiple Brocade SANnav SAN Management SW flaws allow device compromise

Multiple Brocade SANnav SAN Management SW flaws allow device compromise

2 hours ago AndyC
Creating new opportunities with AI-driven automation

Creating new opportunities with AI-driven automation

2 hours ago AndyC
Barracuda report explores challenges in managing cyber risks

Barracuda report explores challenges in managing cyber risks

5 hours ago AndyC
Aqua Security launches SaaS cloud security platform in Australia

Aqua Security launches SaaS cloud security platform in Australia

5 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.