Response to an Unknown Threat Actor Who Leveraged a Compromised Account to Access State Government Organization

In response to the recently published CISA Advisory (AA24-046A) that disseminates Tactics, Techniques, Procedures (TTPs) and mitigations associated with a recent incident response assessment of a state government organization’s network, AttackIQ recommends that customers take the following testing actions in alignment with this recently observed activity. Read More

On February 15, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA) providing Tactics, Techniques, Procedures (TTPs), and mitigations associated with a recent incident response assessment of a state government organization’s network. CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) engaged in incident response activities due to certain documents pertaining to the state government organization being discovered on the dark web. The incident response carried out confirmed that an unknown threat actor managed to obtain compromised administrator credentials using an account of a former employee whose account was still active. The threat actor was able to successfully authenticate to an internal VPN and perform reconnaissance against an on-prem domain controller via LDAP queries.

Although details of the incident as well as technical procedural level details and behaviors are limited, the following AttackIQ scenario recommendations offer a starting point for further testing.

Discovery

  • The LDAP queries are believed to be carried out using AdFind, a popular choice among threat actors. The Account Discovery: Domain Account (T1087.002), Remote System Discovery (T1018), and Domain Trust Discovery (T1482) techniques were used to execute LDAP queries of Active Directory and to collect information regarding hosts, users, and trust relationships into text files, which were later found on the dark web.
  • The AttackIQ Active Directory Discovery using AdFind scenario is an effective way to emulate these known discovery behaviors quickly and easily, as it mimics the LDAP queries executed with AdFind as well as the collection and generation of results that could later be exfiltrated and posted to the dark web.

Lateral Movement

  • The Remote Services (T1021) technique was used by the threat actor to connect from an unknown VM and attempt to authenticate to multiple services using compromised credentials.
  • Although contextual details regarding which services were used by the threat actor, the AttackIQ Remote Service Connection Attack scenario can be used to emulate this behavior by connecting to a known service either on a standard or non-standard port.

Detection and Mitigation Opportunities

Given the limited contextual details of the techniques observed by this unknown threat actor, AttackIQ recommends reviewing CISA’s guidance.

  1. Review CISA’s Mitigation and Recommendations:

CISA has provided a considerable number of mitigation and general recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing these recommendations.

Wrap-up

In summary, the recommended steps as described in this post are a good starting point for evaluating the effectiveness of your security personnel, processes and controls against these and similar threats. With data generated from continuous testing and use of these AttackIQ scenarios, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Vanguard.