AdvisoriesCISAAA24-046AFebruary 15, 2024
February 15, 2024
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment after documents with sensitive information were leaked on a dark web site, revealing a compromise through a former employee's account. The investigation encompassed both on-premises and Azure environments, determining that the threat actor used compromised network administrator credentials to access the internal network but did not extend their activities to the Azure environment. The advisory aims to share the attackers' tactics, techniques, and procedures (TTPs) and recommends measures for defending against similar threats, emphasizing the risks associated with not promptly revoking access for former employees and the lack of multifactor authentication.
Threat actors continue to use Active Directory (AD) for reconnaissance within compromised networks, leveraging legitimate AD query tools and functionalities to map out the environment and identify valuable targets. This technique, often part of the initial stages of an attack, allows attackers to discreetly gather information on user accounts, network resources, and trust relationships without deploying external tools that could trigger security alerts. The sophistication and stealthiness of using AD's inherent reconnaissance features underscore organizations' need to implement robust monitoring and anomaly detection capabilities focused on AD activities. It highlights the importance of securing the network perimeter and ensuring that internal actions are scrutinized for signs of unauthorized access or abnormal behaviors, enhancing the ability to detect and mitigate threats before they escalate.
Be immediately notified of new advisories and associated security tests
