
CISA: Admin Credentials of a Former Employee Leveraged to Compromise a State Government Organization

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents with host and user information, including metadata, were posted on a dark web brokerage site. The analysis confirmed that an unknown threat actor compromised network administrator credentials through the account of a former employee—a technique commonly used by threat actors—and was able to successfully authenticate to an internal virtual private network (VPN) access point, navigate the victim’s on-premises environment, and perform various Lightweight Directory Access Protocol (LDAP) queries against a domain controller.

It is imperative that Japanese companies manage dormant accounts: accounts that are no longer needed should be disabled, MFA should be enabled, and passwords should be stored securely.
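The incident above turns on two controls the advisory and the note call out: a former employee's account that was never disabled, and a successful VPN login with it. The script below is an added example, not code from CISA, MS-ISAC or this blog; it takes a constructed account inventory (enabled flag, last logon, MFA enrolment, HR leaver flag) and a few constructed VPN authentication log lines, lists the accounts that should already be disabled or lack MFA, and flags successful VPN logins by those accounts. The 45-day dormancy threshold, the field names and the log format are assumptions chosen for the illustration.

```python
"""Dormant-account hygiene check and stale-account VPN login detection.

Added example, not from the CISA advisory or the blog post. All account
records and log lines below are constructed for illustration; the 45-day
threshold and the log format are assumptions, not a standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

DORMANT_DAYS = 45  # assumption: policy threshold for "no longer needed"


@dataclass
class Account:
    sam: str            # account name
    enabled: bool
    last_logon: datetime
    mfa_enrolled: bool
    departed: bool      # present on the HR leaver list


# Constructed inventory (not real accounts)
ACCOUNTS = [
    Account("jdoe",       True, datetime(2024, 2, 20),  True,  False),
    Account("former01",   True, datetime(2023, 9, 1),   False, True),   # ex-employee, still enabled
    Account("svc_backup", True, datetime(2023, 11, 15), False, False),  # dormant service account
    Account("admin_ops",  True, datetime(2024, 2, 27),  False, False),  # active, but no MFA
]

# Constructed VPN authentication log (syslog-like, assumed format)
VPN_LOG = """\
2024-02-28T01:12:03Z vpn01 auth: user=former01 result=SUCCESS src=203.0.113.45
2024-02-28T01:13:10Z vpn01 auth: user=jdoe result=SUCCESS src=198.51.100.7
2024-02-28T02:40:55Z vpn01 auth: user=svc_backup result=FAILURE src=203.0.113.45
2024-02-28T03:05:21Z vpn01 auth: user=former01 result=SUCCESS src=203.0.113.45
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def accounts_to_disable(accounts, now, dormant_days=DORMANT_DAYS):
    """Enabled accounts that belong to departed staff or have not logged on
    within the dormancy window. These are the accounts to disable first."""
    cutoff = now - timedelta(days=dormant_days)
    return sorted(a.sam for a in accounts
                  if a.enabled and (a.departed or a.last_logon < cutoff))


def accounts_missing_mfa(accounts):
    """Enabled accounts with no MFA enrolment."""
    return sorted(a.sam for a in accounts if a.enabled and not a.mfa_enrolled)


def parse_vpn_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def suspicious_vpn_logins(events, flagged):
    """Successful VPN logins by accounts that should already be disabled,
    i.e. the pattern described in the incident."""
    flagged = set(flagged)
    return [(e["ts"], e["user"], e["src"]) for e in events
            if e["result"] == "SUCCESS" and e["user"] in flagged]


if __name__ == "__main__":
    now = datetime(2024, 2, 29)
    flagged = accounts_to_disable(ACCOUNTS, now)
    print("disable:", flagged)
    print("no MFA:", accounts_missing_mfa(ACCOUNTS))
    for hit in suspicious_vpn_logins(parse_vpn_log(VPN_LOG), flagged):
        print("ALERT: VPN login by account pending removal:", hit)
```

In practice the inventory would come from the directory (last-logon timestamps) joined with the HR leaver feed, and the VPN events from the concentrator's logs; the join is the point, because a leaver list alone does not catch service accounts, and a last-logon sweep alone does not catch a departed user whose account is still being used.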
