Bogus Account Creation as a Backdoor

The Network: A financial firm headquartered in the U.S. East Coast with several hundred servers and workstations.

The Expectation: Temporary staff are needed to handle a surge of work in the IT Department. Such “experts” can be brought on an as-needed basis for short periods of time and for specific tasks.

The Catch: Netsurion’s EventTracker detected the creation of a new account called hqbkp2. The naming convention follows the pattern for accounts used for backup. However, this account permits interactive login.

The Find: A contract employee hired by the IT Department and provided Administrator privileges had created this account to serve as a backdoor in case the account he had been provided was disabled or the password reset when his contract expired. This person wanted to maintain access to the network, potentially for nefarious reasons.

The Fix: Remove the account hqbkp2. Review the other administrative actions performed by the contract employee for evidence of improper behavior.

The Lesson: Microsoft Active Directory is a favorite target for insider attacks. Organizations use Active Directory (AD) to provide authentication and authorization for employees, contractors, partners, and customers. Comprehensive monitoring and detection of AD actions is key to safeguarding sensitive data, meeting compliance mandates, and quickly detecting any data leaks or breaches.
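The three checks a defender would want from this case, as an added example that is not Netsurion's or EventTracker's code: flag a newly created account whose name follows the backup/service naming pattern but is not in the approved inventory, flag a service-style account that logs on interactively, and list every administrative action recorded for a given creator so the rest of the contractor's work can be reviewed. The records are constructed stand-ins for Windows Security events 4720 (user account created), 4738 (user account changed) and 4624 (logon) with simplified field names; the naming pattern, the approved-account list and the account names other than hqbkp2 are assumptions.

```python
"""Defender checks over constructed Windows Security event records (added example)."""
import re
from dataclasses import dataclass

# Constructed sample records (not from the case study). Field names are a
# simplified stand-in for the real event fields: SubjectUserName is the
# account that performed the action, TargetUserName the account acted upon.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2019-03-04T09:12:00Z", "SubjectUserName": "jsmith-adm", "TargetUserName": "hqbkp1"},
    {"EventID": 4720, "TimeCreated": "2019-03-05T10:02:00Z", "SubjectUserName": "contractor1", "TargetUserName": "hqbkp2"},
    {"EventID": 4720, "TimeCreated": "2019-03-05T10:40:00Z", "SubjectUserName": "contractor1", "TargetUserName": "tsmith"},
    {"EventID": 4738, "TimeCreated": "2019-03-05T10:45:00Z", "SubjectUserName": "contractor1", "TargetUserName": "hqbkp2"},
    {"EventID": 4720, "TimeCreated": "2019-03-06T08:30:00Z", "SubjectUserName": "jsmith-adm", "TargetUserName": "svc-sql01"},
    {"EventID": 4624, "TimeCreated": "2019-03-06T20:15:00Z", "TargetUserName": "svc-sql01", "LogonType": 5},
    {"EventID": 4624, "TimeCreated": "2019-03-07T22:03:00Z", "TargetUserName": "hqbkp2", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2019-03-07T22:10:00Z", "TargetUserName": "tsmith", "LogonType": 2},
]

# Assumed: the organisation's inventory of legitimate backup/service accounts (lowercase).
APPROVED_SERVICE_ACCOUNTS = {"hqbkp1", "svc-sql01"}

# Assumed naming convention for backup/service accounts.
SERVICE_NAME_RE = re.compile(r"bkp|backup|svc", re.IGNORECASE)

# Windows logon types that mean a human session: 2 Interactive,
# 10 RemoteInteractive (RDP), 11 CachedInteractive. Type 5 is a service logon.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


@dataclass(frozen=True)
class Finding:
    time: str
    account: str
    reason: str


def looks_like_service_account(name: str) -> bool:
    """True if the account name follows the backup/service naming pattern."""
    return SERVICE_NAME_RE.search(name) is not None


def find_unapproved_service_accounts(events, approved):
    """Check 1: 4720 events creating a service-style account missing from the inventory."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4720:
            continue
        name = ev["TargetUserName"]
        if looks_like_service_account(name) and name.lower() not in approved:
            findings.append(Finding(
                ev["TimeCreated"], name,
                f"service-style account created by {ev['SubjectUserName']} but not in approved inventory"))
    return findings


def find_interactive_service_logons(events):
    """Check 2: 4624 events where a service-style account logged on interactively."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4624:
            continue
        name = ev["TargetUserName"]
        if looks_like_service_account(name) and ev["LogonType"] in INTERACTIVE_LOGON_TYPES:
            findings.append(Finding(
                ev["TimeCreated"], name,
                f"interactive logon (type {ev['LogonType']}) by a service-style account"))
    return findings


def actions_by_subject(events, subject):
    """Check 3: every recorded action performed by one account, for follow-up review."""
    return [ev for ev in events if ev.get("SubjectUserName") == subject]


if __name__ == "__main__":
    findings = (find_unapproved_service_accounts(SAMPLE_EVENTS, APPROVED_SERVICE_ACCOUNTS)
                + find_interactive_service_logons(SAMPLE_EVENTS))
    for f in findings:
        print(f"{f.time} {f.account}: {f.reason}")
    print("Actions by contractor1:")
    for ev in actions_by_subject(SAMPLE_EVENTS, "contractor1"):
        print(f"  {ev['TimeCreated']} event {ev['EventID']} on {ev['TargetUserName']}")
```

On the sample data the first check raises hqbkp2 (created by contractor1, not in the inventory), the second raises the RDP logon by hqbkp2 while the genuine service logon by svc-sql01 stays quiet, and the third lists the three actions attributed to contractor1. In production the inventory check is the one worth running on every 4720 event, since the naming pattern alone is exactly what the backdoor account was chosen to blend into.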