The Cybersecurity and Infrastructure Security Agency (CISA) has disclosed a significant breach within a state government organization’s network infrastructure, facilitated by an administrator account belonging to a former employee. This breach allowed threat actors to authenticate to an internal VPN access point, enabling them to blend in with legitimate traffic and evade detection while accessing the network environment.
Suspicions arise that the threat actor obtained the credentials through a separate data breach, as the compromised credentials appeared in publicly available channels containing leaked account information. With access to an admin account that also had privileges to a virtualized SharePoint server, the attackers further infiltrated the network, gaining access to additional credentials stored within the server, which granted administrative privileges to both on-premises and Azure Active Directory environments.
While the investigation revealed no lateral movement from the on-premises environment to the Azure cloud infrastructure, the attackers were able to access host and user information, posting it on the dark web for potential financial gain. To mitigate further risks, the organization took immediate action, resetting passwords for all users, disabling the compromised administrator account, and revoking elevated privileges for the second account. However, the absence of multi-factor authentication (MFA) for both accounts underscores the critical need for securing privileged access and implementing least privilege principles to limit unauthorized access to critical systems.
