An unidentified threat actor compromised network administrator credentials of a former employee to access a state government organization's on-premises environment through a virtual private network (VPN). The actor used compromised accounts and executed LDAP queries to collect user and host information, which was later posted on a dark web brokerage site.
Key Points:
* Threat actors commonly exploit accounts of former employees to gain access to organizations.
* The threat actor compromised a global domain administrator account, granting them administrative privileges on both on-premises and Azure environments.
* The actor executed LDAP queries to collect detailed information about users, hosts, and trust relationships.
* The actor authenticated to various services, including CIFS, for network discovery and file exploration.
* The victim organization had not disabled the compromised employee's account promptly after their departure.
* The victim organization took swift action to disable compromised accounts and remove administrator privileges after discovering the dark web posting.
Mitigations:
* Disable accounts of former employees immediately upon termination.
* Implement multifactor authentication (MFA) for all administrative accounts.
* Regularly audit and monitor Active Directory accounts for suspicious activity.
* Implement network monitoring and detection tools to detect unauthorized access.
* Conduct regular security assessments to identify and address vulnerabilities.
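The audit and monitoring mitigations above can be turned into concrete checks. The following is an added example, not code from the CISA advisory or the affected organization: it works over constructed, simplified records (an HR offboarding list, a snapshot of directory accounts, and normalized authentication and LDAP audit events with assumed field names) and flags the three things this incident turned on: a departed employee's account still enabled, logons to VPN and CIFS by such an account, and a burst of LDAP queries from one source that looks like domain enumeration.

```python
"""Offboarding-compliance audit and LDAP-enumeration detection.

Added example with constructed data; field names ("sam", "last_logon",
"service", "type", "filter") are assumptions, not a real SIEM schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR record: account name -> termination date.
OFFBOARDED = {"jdoe": datetime(2024, 1, 5)}

# Constructed snapshot of directory accounts (what an AD export might give).
DIRECTORY = [
    {"sam": "jdoe", "enabled": True, "last_logon": datetime(2024, 1, 20),
     "member_of": ["Domain Admins"]},
    {"sam": "asmith", "enabled": True, "last_logon": datetime(2024, 1, 20),
     "member_of": []},
    {"sam": "svc_backup", "enabled": True, "last_logon": datetime(2023, 9, 1),
     "member_of": []},
    {"sam": "rlee", "enabled": False, "last_logon": datetime(2023, 11, 2),
     "member_of": []},
]


def _constructed_events():
    """Build a small, constructed event stream resembling normalized
    Windows logon events and LDAP audit records."""
    base = datetime(2024, 1, 20, 2, 14)
    src = "10.0.5.23"
    events = [{"ts": base, "user": "jdoe", "src": src,
               "service": "VPN", "type": "logon"}]
    # Twelve LDAP queries ten seconds apart from one source: an enumeration burst.
    filters = ["(objectClass=user)", "(objectClass=computer)",
               "(objectClass=trustedDomain)"]
    for i in range(12):
        events.append({"ts": base + timedelta(minutes=1, seconds=10 * i),
                       "user": "jdoe", "src": src, "service": "LDAP",
                       "type": "query", "filter": filters[i % 3]})
    events.append({"ts": base + timedelta(minutes=6), "user": "jdoe",
                   "src": src, "service": "CIFS", "type": "logon"})
    # A current employee: one VPN logon and three spread-out LDAP lookups (benign).
    for i in range(3):
        events.append({"ts": base + timedelta(hours=1, minutes=20 * i),
                       "user": "asmith", "src": "10.0.7.41", "service": "LDAP",
                       "type": "query", "filter": "(sAMAccountName=asmith)"})
    events.append({"ts": base + timedelta(hours=1), "user": "asmith",
                   "src": "10.0.7.41", "service": "VPN", "type": "logon"})
    return events


EVENTS = _constructed_events()


def audit_accounts(directory, offboarded, now, max_idle=timedelta(days=45)):
    """Periodic audit: enabled accounts belonging to departed staff, and
    enabled accounts with no logon for longer than max_idle."""
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue
        if acct["sam"] in offboarded:
            findings.append((acct["sam"], "enabled after offboarding"))
        elif now - acct["last_logon"] > max_idle:
            findings.append((acct["sam"], "enabled but idle"))
    return findings


def logons_by_offboarded(events, offboarded):
    """Monitoring: any successful logon (VPN, CIFS, ...) by an account whose
    owner was terminated before the logon time."""
    hits = []
    for e in events:
        term = offboarded.get(e["user"])
        if e["type"] == "logon" and term is not None and e["ts"] > term:
            hits.append(e)
    return hits


def ldap_enumeration_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Monitoring: (user, source) pairs that issue at least `threshold` LDAP
    queries inside any sliding window of length `window`. Returns the peak
    count per offending pair."""
    by_actor = defaultdict(list)
    for e in events:
        if e["service"] == "LDAP" and e["type"] == "query":
            by_actor[(e["user"], e["src"])].append(e["ts"])
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts


if __name__ == "__main__":
    print(audit_accounts(DIRECTORY, OFFBOARDED, datetime(2024, 1, 21)))
    print([(e["service"], e["user"]) for e in logons_by_offboarded(EVENTS, OFFBOARDED)])
    print(ldap_enumeration_bursts(EVENTS))
```

The audit runs on a schedule against a directory export joined to the HR termination list; the two monitoring functions run over live logon and LDAP audit events. The enumeration threshold and window are tuning knobs: broad object-class filters from a single source in a short window are the signal, and normal user activity (a handful of targeted lookups spread over an hour, as in the constructed benign account) stays below it.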
cisa.gov
