A recent ransomware attack highlights the dangers of extraneous accounts sitting on your network, particularly those belonging to former employees.
Standard cyber hygiene calls for purging employees’ accounts and credentials from a corporate network once they quit or are fired. The same practice should apply when an employee dies. But according to a blog post this week from Sophos, attackers from the Nefilim ransomware gang recently infiltrated an unnamed company in part by compromising the admin account of an employee who had died three months earlier.
According to Sophos, the Nefilim attackers exploited a vulnerability in Citrix software to hijack the deceased individual’s admin account. They then used the Mimikatz post-exploitation tool to steal the credentials of an even higher-privileged domain admin account. With those privileges, the attackers exfiltrated hundreds of GB of data and then, as a final flourish, unleashed the ransomware, impacting more than 100 systems.
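As an added example, not taken from the Sophos post or this article, the following Python audit runs over a constructed account export and HR separations list and flags the conditions this incident turned on: an account still enabled after its owner left, a logon recorded after the separation date, and a privileged account nobody has used in months. All usernames and dates are made up.

```python
from datetime import date

# Constructed sample data (hypothetical; in practice this would come from an
# AD/LDAP export and the HR system). Tuple: (username, enabled, is_admin, last_logon)
ACCOUNTS = [
    ("jdoe",    True,  True,  date(2021, 1, 20)),  # separated, still enabled, recent logon
    ("asmith",  True,  False, date(2021, 1, 25)),  # current employee
    ("svc_bak", True,  True,  date(2020, 6, 1)),   # privileged account, long unused
    ("rlee",    False, False, date(2020, 11, 2)),  # separated and correctly disabled
]

# Separation (departure or death) dates from HR, keyed by username
SEPARATIONS = {"jdoe": date(2020, 10, 25), "rlee": date(2020, 11, 1)}

# Fixed reference date so the audit is reproducible offline
TODAY = date(2021, 1, 28)


def audit_accounts(accounts, separations, today, dormant_days=90):
    """Return (username, finding, reference_date) triples for accounts that
    should have been disabled or that show signs of use after separation."""
    findings = []
    for user, enabled, is_admin, last_logon in accounts:
        if not enabled:
            continue  # already disabled; nothing to flag
        if user in separations:
            sep = separations[user]
            findings.append((user, "enabled after separation", sep))
            if last_logon > sep:
                # A logon after HR separation is a strong signal of misuse
                findings.append((user, "logon after separation", last_logon))
        if is_admin and (today - last_logon).days > dormant_days:
            findings.append((user, "dormant privileged account", last_logon))
    return findings


def run_audit():
    """Run the audit on the constructed data and return the findings."""
    return audit_accounts(ACCOUNTS, SEPARATIONS, TODAY)


if __name__ == "__main__":
    for user, finding, ref in run_audit():
        print(f"{user:10} {finding:30} ({ref})")
```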