February 15, 2024

Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization

February 15, 2024

What we know so far

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment after documents with sensitive information were leaked on a dark web site, revealing a compromise through a former employee's account. The investigation encompassed both on-premises and Azure environments, determining that the threat actor used compromised network administrator credentials to access the internal network but did not extend their activities to the Azure environment. The advisory aims to share the attackers' tactics, techniques, and procedures (TTPs) and recommends measures for defending against similar threats, emphasizing the risks associated with not promptly revoking access for former employees and the lack of multifactor authentication.

Arrow Right

Schedule a test

Subscribe to advisory alerts

Be immediately notified of new advisories and associated security tests

More advisories