A real story about a US government agency hacked via an ex-employee's admin credentials
Take action: First things first, enforce multi-factor authentication (MFA) on every account, and on administrative accounts above all. Then establish close monitoring of privileged users and a disciplined offboarding process that disables an account the day its owner leaves, not weeks later.
Learn More
A security incident involving an unnamed U.S. government organization has been reported by the Cybersecurity and Infrastructure Security Agency (CISA).
The attacker got in by using the still-active credentials of a former employee's high-privilege administrative account. The organization had not deactivated the account when the employee left, which gave the attacker a foothold for reconnaissance and discovery within the network.
The credentials were reportedly obtained from a separate, unrelated data breach and found in publicly accessible dumps of leaked account data. Two weaknesses follow from that: the password had been reused across services, and the account had no MFA, so a leaked password alone was enough to log in.
The lapse in offboarding discipline allowed the attacker to:
- connect to an internal VPN,
- conduct reconnaissance within the on-premises environment,
- run LDAP queries against a domain controller,
- access SharePoint,
- access the former employee's workstation.
From the SharePoint server the attacker extracted a second set of credentials and used them to authenticate to both the on-premises Active Directory and Azure AD, ultimately obtaining administrative privileges.
The breach came to light only when stolen documents, including files containing host and user information together with their metadata, were found posted on a dark web forum, which prompted the victim organization to investigate. The former employee's account was finally disabled, the affected servers were taken offline, and the second compromised account had its credentials reset and its administrative rights removed.
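The "Take action" guidance above boils down to a recurring audit: reconcile the directory against HR's list of leavers, and review who actually sits in the privileged groups. The PowerShell script below is an added example written for this page; it is not code from the original article or from the CISA report, and it is not the victim organization's tooling. It assumes the RSAT ActiveDirectory module, an operator with rights to read and modify the accounts, and a CSV exported from HR with a `SamAccountName` column (the file name, column name, stale-day threshold and group list are hypothetical and should be adjusted). Run it with `-WhatIf` first to get a report without changing anything.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not from the original article or the CISA report: a periodic
  offboarding and privileged-account audit for on-premises Active Directory.
  Assumptions (hypothetical, adjust for your environment):
    - RSAT ActiveDirectory module installed; the caller can read the directory
      and, when run without -WhatIf, modify the listed accounts.
    - HR exports separated staff to a CSV with a 'SamAccountName' column.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $LeaversCsv       = '.\hr_separated.csv',
    [int]      $StaleDays        = 45,
    [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                     'Administrators', 'Account Operators', 'Backup Operators')
)

Import-Module ActiveDirectory
$staleBefore = (Get-Date).AddDays(-$StaleDays)
$leavers     = Import-Csv -Path $LeaversCsv | Select-Object -ExpandProperty SamAccountName

# 1. Former employees whose accounts are still enabled: the exact gap in the story above.
foreach ($sam in $leavers) {
    $safe = $sam.Replace("'", "''")          # keep odd HR data from breaking the filter string
    $user = Get-ADUser -Filter "SamAccountName -eq '$safe'" -Properties Enabled, MemberOf
    if (-not $user)         { Write-Verbose "No AD account found for leaver '$sam'"; continue }
    if (-not $user.Enabled) { continue }

    Write-Warning ("Leaver '{0}' is still ENABLED with {1} group memberships" -f $sam, $user.MemberOf.Count)
    if ($PSCmdlet.ShouldProcess($sam, 'Disable account, reset password, remove group memberships')) {
        # Disabling alone is not enough: reset the password so a leaked copy is dead,
        # and strip group memberships so a re-enabled account is no longer an admin.
        Disable-ADAccount -Identity $user
        $newPw = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
        Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $newPw -AsPlainText -Force)
        foreach ($groupDn in $user.MemberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
    }
}

# 2. Review every (nested) member of the privileged groups.
$report = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet, SmartcardLogonRequired
            [PSCustomObject]@{
                Group           = $group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                # LastLogonDate derives from lastLogonTimestamp, which replicates lazily (up to ~14 days behind).
                LastLogonDate   = $u.LastLogonDate
                PasswordAgeDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
                # Only smart-card enforcement is visible in AD; cloud MFA registration must be checked in Entra ID.
                SmartcardOnly   = $u.SmartcardLogonRequired
                IsLeaver        = $leavers -contains $u.SamAccountName
                Stale           = $u.Enabled -and (-not $u.LastLogonDate -or $u.LastLogonDate -lt $staleBefore)
            }
        }
}

# Anything listed here is an admin account a reviewer must justify or remove.
$report |
    Where-Object { $_.IsLeaver -or $_.Stale -or -not $_.SmartcardOnly } |
    Sort-Object Group, SamAccountName |
    Format-Table -AutoSize
```

Two caveats a practitioner will hit: `LastLogonDate` is the replicated approximation, so a "stale" verdict can be off by up to two weeks unless you query every domain controller's `lastLogon` directly, and Active Directory only knows about smart-card enforcement, so the `SmartcardOnly` column says nothing about Azure MFA; that part of the check belongs in Entra ID, where the second compromised account in this incident also had access.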