CISA Warns of State Government Network Compromise Through Former Employee's Account

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised concerns over a recent cybersecurity incident involving a state government organization. According to a joint advisory published alongside the Multi-State Information Sharing and Analysis Center (MS-ISAC), the organization’s network environment was compromised via an administrator account belonging to a former employee.

The breach occurred when the threat actor successfully authenticated to an internal virtual private network (VPN) access point using the credentials of the former employee. The attacker then connected to a virtual machine through the VPN, intending to blend in with legitimate traffic to avoid detection.

The compromised admin account provided access to a virtualized SharePoint server, allowing the attackers to obtain another set of credentials stored within the server. These credentials granted administrative privileges to both the on-premises network and the Azure Active Directory (now known as Microsoft Entra ID).

While the investigation into the incident revealed no evidence of lateral movement to the Azure cloud infrastructure, the attackers accessed host and user information and posted it on the dark web for potential financial gain. As a precautionary measure, the organization reset passwords for all users, disabled the compromised administrator account, and revoked elevated privileges for the second account.

Notably, neither of the compromised accounts had multi-factor authentication (MFA) enabled, highlighting the importance of securing privileged accounts with additional layers of authentication. The advisory underscores the need for implementing the principle of least privilege and creating separate administrator accounts to segregate access to on-premises and cloud environments.

This incident serves as a reminder that threat actors often exploit valid accounts, including those of former employees, to gain unauthorized access to organizations. CISA and MS-ISAC urge organizations to review and remove unnecessary accounts, software, and services from their networks to reduce the risk of compromise.
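The two failures the advisory calls out (a former employee's account still enabled, and privileged accounts with no MFA) are both things a routine directory audit can catch before an attacker does. The script below is an added example, not part of the CISA/MS-ISAC advisory or this article; it assumes a simplified account export and an HR offboarding list in the shape shown, with every username and date constructed for illustration. It flags enabled accounts belonging to offboarded staff, privileged accounts without MFA, accounts whose roles span both on-premises and cloud administration, and accounts that have not signed in recently.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical role names standing in for on-prem AD and Azure AD / Entra ID admin roles.
ONPREM_ADMIN_ROLES = {"Domain Admins"}
CLOUD_ADMIN_ROLES = {"Global Administrator"}
PRIVILEGED_ROLES = ONPREM_ADMIN_ROLES | CLOUD_ADMIN_ROLES


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    mfa_enrolled: bool
    roles: Tuple[str, ...]
    last_login: Optional[date]  # None = never signed in


# Constructed reference date for the audit run (not a real incident date).
TODAY = date(2024, 2, 15)

# Constructed sample directory export; none of these are real accounts.
ACCOUNTS: List[Account] = [
    Account("former.admin", True, False, ("Domain Admins",), TODAY - timedelta(days=120)),
    Account("svc.sharepoint", True, False, ("Domain Admins", "Global Administrator"), TODAY - timedelta(days=2)),
    Account("alice", True, True, ("Users",), TODAY - timedelta(days=1)),
    Account("bob.old", False, False, (), None),
]

# Constructed HR offboarding list: username -> last working day.
OFFBOARDED: Dict[str, date] = {"former.admin": date(2023, 11, 30)}


def audit(accounts: List[Account], offboarded: Dict[str, date],
          today: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for enabled accounts that need attention."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are already out of scope for sign-in
        roles = set(acct.roles)
        privileged = bool(roles & PRIVILEGED_ROLES)

        # Account still enabled after the employee's last working day.
        if acct.username in offboarded and offboarded[acct.username] <= today:
            findings.append((acct.username, "former_employee_enabled"))

        # Privileged account that a stolen password alone would unlock.
        if privileged and not acct.mfa_enrolled:
            findings.append((acct.username, "privileged_no_mfa"))

        # One account holding admin rights in both on-prem AD and the cloud tenant,
        # which the advisory recommends splitting into separate accounts.
        if roles & ONPREM_ADMIN_ROLES and roles & CLOUD_ADMIN_ROLES:
            findings.append((acct.username, "admin_spans_onprem_and_cloud"))

        # No recent sign-in: candidate for removal under "remove unnecessary accounts".
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append((acct.username, "stale"))
    return findings


if __name__ == "__main__":
    for username, finding in audit(ACCOUNTS, OFFBOARDED, TODAY):
        print(f"{username}: {finding}")
```

In practice the `ACCOUNTS` list would be built from a directory export (for example, a CSV of user objects with group membership, MFA registration state and last sign-in), and `OFFBOARDED` from the HR system, so that the reconciliation runs on a schedule rather than after an incident.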

Additionally, organizations utilizing Azure Active Directory are advised to review and adjust default settings to limit user privileges and prevent unauthorized access to sensitive information. Failure to address these security gaps could leave organizations vulnerable to further exploitation by malicious actors.