How an ex-employee’s leaked credentials led to a U.S. State Government breach  

A U.S. State Government organization’s network was recently compromised through a former employee’s administrator account. The organization itself is unnamed, but we know that the threat actor successfully authenticated into an internal virtual private network (VPN) access point using an ex-employee’s credentials. From there, they were able to access a virtual machine and blend in with legitimate traffic to evade detection, ultimately gaining further access to a second administrator account and sensitive data.   

The incident is a reminder of the risk carried by every user account, including those of former employees that were never removed from Active Directory (AD). Regularly reviewing and removing unnecessary accounts, software, and services is essential to shrinking the attack surface.

Attack summary    

  • Who was targeted: U.S. State Government Department (as yet unnamed)  
  • Attack type: Account takeover  
  • Entry technique: Used stolen credentials to access a virtual machine via VPN 
  • Impact: Both host and user data were posted to the dark web  
  • Who was responsible: Unknown  

How did the attack happen?  

The cyber-attack began with a threat actor obtaining the credentials of a former employee that had been leaked and made available online. Using this account, the threat actor successfully authenticated to an internal VPN access point. Once connected to the VPN, the attacker accessed a virtual machine within the network. From here, the attacker’s goal was to blend in with legitimate traffic and avoid detection. 

The compromised VM gave the attacker access to a second set of credentials, stored on a virtualized SharePoint server. These credentials carried administrative privileges in both the on-premises domain and Azure Active Directory (now Microsoft Entra ID). With them, the threat actor explored the victim’s on-premises environment and ran Lightweight Directory Access Protocol (LDAP) queries against a domain controller. Neither of the compromised accounts had multi-factor authentication (MFA) enabled.
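The chain above leaves two footprints that are cheap to look for: a successful VPN logon by an account that HR says has left, and privileged directory activity whose source address belongs to a VPN session rather than to an administrative jump host. The script below is an added example, written for this article and not taken from the victim organization, CISA or Specops. The log format, host names, addresses, account names and the HR separation record are all constructed; the point is the correlation, which maps each VPN session’s assigned inner address to its owner and then attributes later LDAP searches on the domain controller back to that session.

```python
"""Correlate VPN and domain-controller events to surface the two failures in this incident:
a logon by an account that should have been disabled, and privileged activity reached
through a VPN session rather than an admin host. All data below is constructed."""
import re
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed reference data. In practice: the HR separation feed, Domain Admins
# membership, and the address(es) of the jump hosts allowed to administer DCs.
SEPARATED = {"jdoe": datetime(2023, 11, 30, tzinfo=UTC)}   # former employee's last day
PRIVILEGED = {"jdoe", "svc_sp_admin"}
ADMIN_JUMP_HOSTS = {"10.20.1.10"}

# Constructed VPN concentrator log (hypothetical key=value format).
VPN_LOG = """\
2024-01-14T02:13:07Z vpn01 AUTH user=jdoe result=success mfa=none src=203.0.113.24 assigned=10.20.5.44
2024-01-14T02:14:51Z vpn01 AUTH user=asmith result=success mfa=push src=198.51.100.9 assigned=10.20.5.45
2024-01-14T02:20:12Z vpn01 AUTH user=bkhan result=failure mfa=none src=192.0.2.77 assigned=-
"""

# Constructed domain-controller log of LDAP searches (hypothetical format).
DC_LOG = """\
2024-01-14T02:41:03Z dc01 LDAP_SEARCH user=svc_sp_admin src=10.20.5.44 base=DC=corp,DC=example filter=(objectClass=user)
2024-01-14T02:41:05Z dc01 LDAP_SEARCH user=svc_sp_admin src=10.20.5.44 base=DC=corp,DC=example filter=(objectClass=computer)
2024-01-14T09:02:44Z dc01 LDAP_SEARCH user=svc_sp_admin src=10.20.1.10 base=OU=Servers,DC=corp,DC=example filter=(objectClass=computer)
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Split '<ts> <host> <event> k=v k=v ...' into a dict with an aware datetime."""
    ts, host, event, rest = line.split(" ", 3)
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "host": host, "event": event}
    rec.update(_KV.findall(rest))
    return rec


def find_anomalies(vpn_log: str, dc_log: str) -> list:
    """Return human-readable findings; each carries the timestamp of the triggering event."""
    findings = []
    sessions = {}  # VPN-assigned inner address -> account that owns the session
    for r in (parse(l) for l in vpn_log.splitlines() if l.strip()):
        if r["result"] != "success":
            continue
        user, when = r["user"], r["ts"].isoformat()
        if user in SEPARATED and r["ts"] > SEPARATED[user]:
            findings.append(f"{when} VPN logon by separated user {user}; account should have been disabled")
        if user in PRIVILEGED and r["mfa"] == "none":
            findings.append(f"{when} privileged account {user} authenticated to VPN without MFA")
        sessions[r["assigned"]] = user
    for r in (parse(l) for l in dc_log.splitlines() if l.strip()):
        # Privileged LDAP activity is only expected from the admin jump hosts.
        if r["user"] in PRIVILEGED and r["src"] not in ADMIN_JUMP_HOSTS:
            owner = sessions.get(r["src"])
            origin = f"VPN session of {owner}" if owner else "unexpected source"
            findings.append(f"{r['ts'].isoformat()} LDAP search by privileged {r['user']} from {r['src']} ({origin})")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(VPN_LOG, DC_LOG):
        print(finding)
```

Run against the constructed logs it produces four findings: the former employee’s VPN logon, that same logon having no MFA on an administrator account, and two LDAP searches by the SharePoint admin account traced back to jdoe’s VPN session. The same admin account querying from the jump host later that morning is left alone, which is the behaviour you want if the rule is to survive contact with real traffic.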

The attackers ultimately gained access to host and user information, which they then posted on the dark web in the hope of selling. In response to the breach, the targeted organization took several steps to mitigate the damage. They reset passwords for all users, disabled the compromised administrator account, and removed elevated privileges for the second account. 

Darren James, Specops Senior Product Manager, explains: “This is another unfortunate example of how even admins aren’t immune from making the most basic of errors. As highlighted in our latest breached password research, many admins are still guilty of using default passwords, reusing passwords across multiple systems, and not enabling MFA. In fact, the top admin password we found on our breached lists was ‘admin’.  

“In this example it seems that once the VPN was compromised, it was simple for these threat actors to move across the internal Active Directory as well as Entra ID. We can only hope that the forced reset of all passwords (a necessity if a domain admin credential is compromised) is just the first step towards better securing their environment and that they implement stronger password policies, MFA for all users, and continuously scan for breached passwords in the future.” 

Specops analysis: What can we learn from the hack? 

1. The value of collaboration: The breach was discovered and reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with the Multi-State Information Sharing and Analysis Center (MS-ISAC). This highlights the importance of information sharing and collaboration in addressing cybersecurity incidents. 

2. Attackers only need a foothold: The compromised administrator account had access to a virtualized SharePoint server, which further enabled the attackers to access another set of credentials with administrative privileges to both the on-premises network and the Azure Active Directory. This demonstrates the potential for attackers to exploit interconnected systems and gain broader access within an organization’s infrastructure. 

3. Cybercrime remains lucrative: The attackers posted the accessed information on the dark web for financial gain. This emphasizes the most common motivation behind cyber-attacks. 

4. Have an incident response plan: As a response to the breach, the organization took immediate actions to reset passwords, disable compromised accounts, and remove elevated privileges. While more could have been done to prevent the incident in the first place, this approach highlights the importance of incident response in minimizing the impact of a cyber-attack. 

5. Implement MFA: The incident underscores the need to enforce MFA on all accounts, not just privileged ones. Here, not even the two administrator accounts were protected by MFA. 

6. Secure your Active Directory: The breach serves as a reminder for organizations to regularly review and remove unnecessary accounts, software, and services from their networks. This helps reduce potential attack vectors. 

Clear your Active Directory of stale accounts and breached passwords 

Can you be sure there are no stale or inactive accounts hiding within your Active Directory? An audit gives an ideal starting point to cleaning up your Active Directory by providing a snapshot of your user accounts and password-related vulnerabilities. You can run a read-only audit today with our free tool: Specops Password Auditor. You’ll get an interactive report that lists inactive user accounts, stale admin accounts, and more. 
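For readers who want to see what such an audit actually evaluates, the script below is an added example written for this article; it is not Specops Password Auditor or any part of it. It works over an attribute export of the kind `Get-ADUser ... | Export-Csv`, `ldifde` or a plain LDAP search produces, with the raw integer values of `userAccountControl`, `lastLogonTimestamp` and `pwdLastSet`. The export, account names and audit date are constructed. It shows the two decoding steps people most often get wrong (Windows FILETIME ticks and the `userAccountControl` bit flags) and the findings that map to this breach: enabled accounts nobody has used, privileged accounts with old or non-expiring passwords, and disabled accounts that still hold privilege.

```python
"""Stale- and privileged-account audit over an Active Directory attribute export.
The export below is constructed; a real one comes from e.g. Get-ADUser | Export-Csv,
ldifde or an LDAP search, with the raw integer attribute values shown here."""
import csv
import io
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)   # FILETIME origin: 100 ns ticks since this instant

# userAccountControl bits (ADS_USER_FLAG_ENUM)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000


def from_filetime(ticks: int):
    """Decode lastLogonTimestamp / pwdLastSet; 0 means the attribute was never set."""
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)


def to_filetime(dt: datetime) -> int:
    """Inverse of from_filetime; used here only to build the constructed export."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def _ft(y, m, d):
    return to_filetime(datetime(y, m, d, tzinfo=UTC))

# Constructed export. 512 = NORMAL_ACCOUNT, 514 = disabled, 66048 = password never expires.
EXPORT = f"""\
sAMAccountName,userAccountControl,adminCount,lastLogonTimestamp,pwdLastSet
jdoe,512,1,{_ft(2023, 10, 15)},{_ft(2022, 6, 1)}
svc_sp_admin,66048,1,{_ft(2024, 2, 20)},{_ft(2019, 3, 10)}
asmith,512,0,{_ft(2024, 2, 19)},{_ft(2024, 1, 5)}
tmp_contractor,512,0,0,{_ft(2023, 1, 1)}
oldadmin,514,1,{_ft(2021, 8, 2)},{_ft(2021, 7, 30)}
"""

NOW = datetime(2024, 2, 21, tzinfo=UTC)   # audit date, fixed so the example is reproducible


def audit_export(csv_text: str, now: datetime, stale_days: int = 90, admin_pwd_max_days: int = 365) -> list:
    """Return (account, finding) pairs. stale_days must comfortably exceed the 14-day
    replication latency of lastLogonTimestamp, or active users will be reported as stale."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["sAMAccountName"]
        uac = int(row["userAccountControl"])
        # adminCount=1 is set by SDProp for members of protected groups and is not cleared
        # when they leave, so treat it as a hint and confirm against group membership.
        privileged = row["adminCount"] == "1"
        last_logon = from_filetime(int(row["lastLogonTimestamp"]))
        pwd_set = from_filetime(int(row["pwdLastSet"]))
        if uac & ACCOUNTDISABLE:
            if privileged:
                findings.append((name, "disabled but still privileged; remove group memberships too"))
            continue
        if last_logon is None:
            findings.append((name, "enabled but has never logged on"))
        elif (now - last_logon).days > stale_days:
            findings.append((name, f"enabled, last logon {(now - last_logon).days} days ago"))
        if uac & PASSWD_NOTREQD:
            findings.append((name, "PASSWD_NOTREQD set: a blank password is permitted"))
        if privileged:
            if uac & DONT_EXPIRE_PASSWORD:
                findings.append((name, "privileged account with a non-expiring password"))
            if pwd_set is None or (now - pwd_set).days > admin_pwd_max_days:
                findings.append((name, "privileged account whose password is older than policy"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_export(EXPORT, NOW):
        print(f"{account:16} {finding}")
```

Two caveats are baked into the thresholds. `lastLogonTimestamp` is the replicated attribute, which is only updated when it is more than 14 days behind the real logon, so a stale threshold below that produces noise; `lastLogon` is exact but must be collected from every domain controller. And `adminCount` tells you an account is or once was in a protected group, not that it still is, so the finding on a disabled account is a prompt to check membership rather than proof of it.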

This attack also highlights the value of being able to continuously scan your Active Directory for accounts using breached passwords. Specops Password Policy with Breached Password Protection runs daily checks of your Active Directory against our list of over 4 billion compromised passwords. It includes passwords from known leaks, our real-time attack monitoring system that monitors live brute force attacks, plus malware-stolen data from our human-led Threat Intelligence team.  

Interested in upgrading your access security? Get in touch and speak to a Specops expert today. 

(Last updated on February 21, 2024)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.
