• reddig33@lemmy.world · 17 up / 1 down · 20 hours ago

    “a state employee mistakenly downloaded a malware-laced tool from a spoofed website”

    Why is any randomly downloaded software running on government computers to begin with? Why aren’t these systems and networks locked down better?

    • Monument@lemmy.sdf.org · 3 up · edited · 18 hours ago

      The why is sort of at the limits of my knowledge. I can tell you a ‘close enough’ what, though.

      By default, Windows tries to install programs to the Program Files directory, but that requires admin, which triggers User Account Control. However, apps that do not require admin to install or run can still be installed to the user's profile. Clicking cancel on a UAC prompt will just try to install the program locally instead of for all users.

      My assumption is that many system administrators believed UAC was enough, or that programs installing locally (as in, just for that user) and not requiring admin were not a big deal.

    • markstos@lemmy.world · 1 up · 16 hours ago

      To categorically prevent that, every computer would need to be centrally controlled and managed, which might have been the case here, and the system configuration has to prevent all software that’s not pre-approved from running.

      That’s possible too, but could be a pain to tightly manage. It was a privileged user that was spear-phished though… the kind of trusted user who might be able to install software on their machine without additional approval.
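The two comments above describe the same gap from two sides: Monument's, that a "just me" install lands in the user's profile and never needs admin, and markstos's, that only a central configuration refusing non-approved software closes it. The following PowerShell audit is an added example, not code from the thread or from the incident report it discusses. It assumes a Windows Pro/Enterprise host with the AppLocker module, run in the context of the user being audited; the registry key and profile folders are the standard Windows locations, not values taken from the incident.

```powershell
# Added example (not from the thread): defender-side audit of what a user can
# run from their own profile, and what the effective AppLocker policy says
# about it. Assumes the AppLocker module is available and the script runs as
# the user being audited.

# 1. "Just me" installs register under HKCU, not HKLM. This is where an
#    installer ends up when the user cancels the UAC prompt and it falls
#    back to a per-user install.
$perUserApps = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation

# 2. Any executable under the profile runs without elevation, whether or not
#    it ever went through an installer (a portable tool in Downloads counts).
$profileRoots = @(
    $env:LOCALAPPDATA,
    $env:APPDATA,
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop')
)
$profileExes = Get-ChildItem -Path $profileRoots -Recurse -File -Include *.exe, *.msi -ErrorAction SilentlyContinue

# 3. Ask the effective AppLocker policy what it would decide for each file.
#    With no Exe rules configured, everything comes back Allowed; that is the
#    "UAC is enough" assumption made visible.
$policy = Get-AppLockerPolicy -Effective
$decisions = @()
if ($profileExes) {
    $decisions = Test-AppLockerPolicy -PolicyObject $policy -Path $profileExes.FullName -User Everyone
}

# 4. Report: per-user installs, then profile executables grouped by the
#    decision AppLocker would make for them.
Write-Host "Per-user (HKCU) installs: $($perUserApps.Count)"
$perUserApps | Format-Table -AutoSize

Write-Host "Executables under the profile: $($profileExes.Count)"
$decisions | Group-Object PolicyDecision | ForEach-Object {
    Write-Host ("  {0}: {1}" -f $_.Name, $_.Count)
}

# The files AppLocker would let run are the ones a reviewer cares about:
# anything here that is not a known, approved tool is the kind of download
# the thread is discussing.
$decisions | Where-Object { $_.PolicyDecision -ne 'Denied' -and $_.PolicyDecision -ne 'DeniedByDefaultRule' } |
    Select-Object FilePath, PolicyDecision |
    Format-Table -AutoSize
```

Run it on a machine with no AppLocker rules and every profile executable reports Allowed. Enforcing the AppLocker default Exe rules (allow only %PROGRAMFILES% and %WINDIR%) flips those to Denied, which is the "only pre-approved software runs" configuration markstos describes. One caveat matters for this incident: those same default rules also allow members of the local Administrators group to run anything, so for a privileged user the audit above still reports Allowed unless that default rule is removed or replaced.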

    • shalafi@lemmy.world · 3 up / 1 down · 19 hours ago

      Their systems are probably wildly outdated, a monstrous mix-and-match of tech, stuff like that. A private corporation is easier to lock down. With government they have to follow dozens of outdated laws and guidelines, don’t have the freedom private enterprise has.

      • Monument@lemmy.sdf.org · 8 up · edited · 14 hours ago

        Everybody hates the government, but that take is not applicable.

        Reading the incident report: a privileged user got spearphished into downloading a compromised system administration tool. After the compromised tool was detected by industry-standard (and modern) intrusion detection software and removed, the backdoor it installed, which was not fixed, was (eventually) used to install a keylogger. Shortly thereafter, another privileged user had a keylogger installed. Afterward, the harvested credentials were used to create further compromises in their network and to move laterally throughout it.

        The age of the equipment or software is not a factor when your admin accounts get compromised. The user that got compromised should have known better, but they literally failed one thing: double-checking the veracity of the download website. They didn’t surrender credentials, or fall for any direct attack. It’s not really a “government bad, private industry good” sort of thing. Heck, if that had happened to a non-admin user, the attack wouldn’t have been possible.