Exploitation of a single point of entry: a Windows machine protected only by a weak machine-level password.
Reliance on the machine-level password, with no requirement for user-level authentication. The attacker did not have to prove they were an authorized user; knowledge of the one machine-level password was sufficient to execute the attack.
Unterminated direct-access protocols exposed on the internet. It was TeamViewer in this case; for another organization it could have been RDP or VNC. These direct desktop-control protocols are open to attack when exposed publicly. Security teams must proxy them through a system that terminates the connection and authorizes the user before any session reaches the machine.
Open access from the Windows machine to other operational components without any further policy enforcement. The attacker should have had to prove they were authorized to adjust the lye level; in this case, access to the Windows machine alone was enough to make the change.
Device/machine passwords are part of the managed identity system, ensuring the passwords are always complex and difficult to guess.
Users must authenticate themselves before being granted any further access.
Direct access protocols are terminated on-site, with proxy access granted only to authorized users.
The principle of “the least amount of access for the least amount of time” – a core tenet of Zero Trust – ensures that access to a single entry point does not grant users the broad ability to reach and make changes to systems plantwide.
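The last three controls (user authentication before any further access, proxy-only access for authorized users, and least access for least time) can be expressed as one authorization check that the proxy runs before relaying a command to the workstation. The following is an added example written for this page, not code from the original article or from any product it mentions; the grant format, the action and resource names, the user ids, the timestamps and the one-hour lifetime cap are all assumptions made for illustration.

```python
"""Added example (not from the original article): a minimal zero-trust
authorization check that a remote-access proxy could run before relaying a
command to an OT workstation. Grant format, action/resource names, user ids,
timestamps and MAX_GRANT_TTL are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Upper bound on the lifetime of any single grant ("least amount of time").
MAX_GRANT_TTL = timedelta(hours=1)  # assumed policy value


@dataclass(frozen=True)
class Grant:
    """Permission for one user to perform one action on matching resources,
    valid only inside a time window."""
    user: str
    action: str          # e.g. "view_hmi", "adjust_setpoint"
    resource: str        # glob pattern, e.g. "plant/chemistry/*"
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Session:
    """What the proxy knows about the caller of the current request."""
    user: Optional[str]  # None: only the shared machine credential was presented
    via_proxy: bool      # False: a direct TeamViewer/RDP/VNC path, not the proxy


def issue_grant(user: str, action: str, resource: str,
                now: datetime, ttl: timedelta) -> Grant:
    """Create a time-boxed grant, clamping its lifetime to MAX_GRANT_TTL."""
    ttl = min(ttl, MAX_GRANT_TTL)
    return Grant(user, action, resource, now, now + ttl)


def authorize(session: Session, action: str, resource: str,
              grants: List[Grant], now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; reaching the
    workstation implies nothing about what the caller may do there."""
    if not session.via_proxy:
        return False, "direct remote-access path is not accepted"
    if session.user is None:
        return False, "machine credential is not a user identity"
    for g in grants:
        if g.user != session.user or g.action != action:
            continue
        if not fnmatchcase(resource, g.resource):
            continue
        if not (g.not_before <= now < g.not_after):
            continue
        return True, f"grant for {g.user}:{g.action} on {g.resource}"
    return False, f"no valid grant for {session.user}:{action} on {resource}"


def demo() -> dict:
    """Run the article's scenarios through the check; returns the allow/deny
    result of each so they can be inspected or tested."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    lye = "plant/chemistry/lye_feed"
    grants = [
        # Requested for 8 hours; issue_grant clamps it to MAX_GRANT_TTL.
        issue_grant("operator1", "view_hmi", "plant/*", t0, timedelta(hours=8)),
        # Change rights only for the chemistry subsystem, only for 30 minutes.
        issue_grant("operator1", "adjust_setpoint", "plant/chemistry/*", t0,
                    timedelta(minutes=30)),
    ]
    direct_attacker = Session(user=None, via_proxy=False)
    machine_only = Session(user=None, via_proxy=True)
    operator = Session(user="operator1", via_proxy=True)
    m = timedelta  # shorthand
    return {
        # Exposed TeamViewer-style path with the machine password only.
        "attacker_direct": authorize(direct_attacker, "adjust_setpoint", lye, grants, t0)[0],
        # Reached the proxy, but never proved a user identity.
        "machine_password_only": authorize(machine_only, "adjust_setpoint", lye, grants, t0)[0],
        # Authenticated operator inside the 30-minute change window.
        "operator_in_window": authorize(operator, "adjust_setpoint", lye, grants, t0 + m(minutes=10))[0],
        # Same operator after the change window has closed.
        "operator_expired": authorize(operator, "adjust_setpoint", lye, grants, t0 + m(minutes=45))[0],
        # Read-only view is still fine inside the clamped one-hour window.
        "view_in_window": authorize(operator, "view_hmi", lye, grants, t0 + m(minutes=30))[0],
        # ...but not two hours later, because the 8-hour request was clamped.
        "view_after_ttl_clamp": authorize(operator, "view_hmi", lye, grants, t0 + m(hours=2))[0],
        # Least access: the setpoint grant does not cover other subsystems.
        "operator_other_subsystem": authorize(operator, "adjust_setpoint", "plant/pumps/intake", grants, t0)[0],
    }
```

The check is deliberately ordered so that the cheapest, most categorical denials come first: a session that did not arrive through the proxy, or that carries only the shared machine credential, is refused before any grant is consulted. Only a named, authenticated user with a grant that matches action, resource and time can pass, and even a long grant request is cut down to the policy's maximum lifetime.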