
A municipality failed to disable a former employee’s account and left it with extensive privileges. Attackers used the still-active account to explore online resources and initially caused low-impact disruptions. They then discovered they could change settings in the water utility and switch many controls off, creating risk to the water supply. Investigation found the activity traced to an account labeled “Greg from Auditing,” belonging to someone who had not worked for the city for many years. The account retained domain admin rights, SCADA operator access, and help desk functions. The former employee was not the attacker, but his work email had been used to sign up for other online accounts that may have been exposed through prior data leaks.
"Unfortunately, even though Greg was no longer around, his account was, and it retained extensive privileges, including domain admin rights, SCADA (Supervisory Control and Data Acquisition) operator access, and even the ability to perform help desk functions. It's unclear if someone from auditing ever needed this level of access, but a former employee definitely did not."
"A threat actor took a 'leisurely tour' of the city's online resources and had started messing around with conference room projectors and other relatively harmless endpoints. Then they realized that they could change settings with the water utility where they switched many controls off, potentially endangering the water supply."
"When Beckwith investigated, she found that all of the mischief was performed by an account that belonged to 'Greg from Auditing.' There was just one problem. Greg hadn't worked for the city for many years."
"It wasn't Greg himself who hacked the network. But he had used his work email address to sign up for various online accounts, some of which may have been exposed in previous data leaks. She speculates the hackers saw an email address with a .gov in it and decided to try their luck with the leaked passwor"
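The control that was missing here is a recurring reconciliation of directory accounts against the HR roster, with particular attention to accounts that still sit in privileged groups. The Python audit below is an added example, not code from the article or from the city involved; the group names, account records, roster and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Roles an orphaned account must never keep. Names are assumptions for this
# example, chosen to mirror the article: domain admin, SCADA operator, help desk.
PRIVILEGED_GROUPS = {"Domain Admins", "SCADA Operators", "Help Desk"}

@dataclass
class Account:
    name: str                  # directory logon name
    enabled: bool
    last_logon: date
    groups: set = field(default_factory=set)

@dataclass
class Finding:
    account: str
    reasons: list

def audit_accounts(accounts, hr_active_users, today, stale_days=90):
    """Flag enabled accounts that offboarding should have disabled or de-privileged.

    hr_active_users: logon names HR currently lists as employed.
    Returns a list of Finding; an empty list means nothing orphaned or stale.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue               # disabled is the desired end state, nothing to flag
        reasons = []
        if acct.name not in hr_active_users:
            reasons.append("owner not on HR active roster (offboarding missed)")
        if (today - acct.last_logon).days > stale_days:
            reasons.append(f"no logon for more than {stale_days} days")
        privileged = acct.groups & PRIVILEGED_GROUPS
        if privileged and reasons:   # orphaned or dormant AND still privileged
            reasons.append("still holds privileged groups: " + ", ".join(sorted(privileged)))
        if reasons:
            findings.append(Finding(acct.name, reasons))
    return findings

# Constructed sample directory export and HR roster (not real data).
TODAY = date(2024, 5, 1)
SAMPLE_ACCOUNTS = [
    Account("greg.auditing", True, date(2019, 3, 8),
            {"Domain Admins", "SCADA Operators", "Help Desk", "Auditing"}),
    Account("jane.ops", True, date(2024, 4, 30), {"SCADA Operators"}),
    Account("tim.hr", True, date(2024, 1, 2), {"Staff"}),
    Account("old.contractor", False, date(2018, 6, 1), {"Domain Admins"}),
]
HR_ACTIVE = {"jane.ops", "tim.hr"}

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS, HR_ACTIVE, TODAY):
        print(f.account, "->", "; ".join(f.reasons))
```

Run against a real directory export, the "not on roster" hits are the offboarding failures to disable first, and any that also carry privileged groups are the ones to treat as incidents rather than hygiene.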
#account-lifecycle-management #privileged-access #scada-security #water-utility-systems #incident-response
Read at theregister