A company grappling with a Nefilim ransomware incident reached out to the security solution provider Sophos for assistance. The Sophos Rapid Response team immediately set out to resolve the incident, according to a Sophos News article.
While investigating how the attack occurred, they found that a bad actor had commandeered an admin account a full month before launching the ransomware campaign. The admin account happened to belong to someone who died a few months before the hacker put their plan into motion.
This is one example of how a “ghost” account can lead to a major cybersecurity incident. Whether the user in question passed away or moved on to another organization, it’s common for businesses to retain old accounts.
In the case of the Sophos customer, the company continued to use the account at times for some services, but many companies allow accounts to go completely stale. These accounts end up being not just a waste of storage space but also a potential gateway for hackers trying to infiltrate corporate networks.
What are ghost accounts?
A ghost account (a.k.a., ghost user) is an inactive account that still has access to your IT network and systems, according to the Security Boulevard article, “‘Ghost Users’ and Non-Expiring Passwords a Major Security Issue for Most Businesses.” This can happen when someone leaves the company or passes away, and the IT team forgets to shut down their account.
These accounts sit around collecting dust and taking up database space. This sort of oversight is far from rare: As of 2020, over 10 percent of Azure Active Directory user accounts were inactive based on their last log-on time or password change, according to Microsoft. Additionally, in a 2021 analysis of the financial services industry, the cybersecurity solution provider Varonis found that approximately 40 percent of organizations had upwards of 10,000 ghost accounts.
Why are inactive accounts a security risk?
Dormant accounts create prime opportunities for cybercriminals to access your data and sneak around your network undetected for an extended period, according to Security Boulevard. It’s similar to the trope of characters stealing uniforms to traverse an enemy base unnoticed (e.g., when Luke Skywalker and Han Solo disguise themselves as stormtroopers in “Star Wars”).
There are plenty of examples of criminals using this trick to cause significant damage. For instance, the Colonial Pipeline attack started with a bad actor hacking an inactive VPN account to access the network, according to the TechHQ article, “Inactive user accounts pose security threats for organizations.”
How to stop stale accounts from leading to cyberattacks
Knowing that ghost accounts can come back to haunt you in a catastrophic way, how can you minimize security risks related to inactive users? There are a few steps you can take to avoid breaches stemming from stale accounts, according to Sophos:
- Review access permissions. Don’t give end users access to more than the resources they need to do their jobs.
- Implement multi-factor authentication (MFA) for all end users.
- Routinely audit Active Directory and shut down stale accounts.
- Make disabling user accounts part of the offboarding process.
- Implement advanced cybersecurity solutions to combat ransomware, such as extended detection and response (XDR) and incident response services.
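The third and fourth steps above (audit the directory, disable stale accounts) are the ones an administrator can automate. The following PowerShell script is an added example and is not code from the article, from Sophos, or from Microsoft; it assumes an on-premises Active Directory domain, the RSAT ActiveDirectory module, and an account with rights to read and modify user objects. The inactivity window (90 days), the report path, and the allow-list of service accounts are assumptions to be adjusted locally. By default the script only reports; nothing is disabled unless `-Disable` is passed.

```powershell
# Added example (not from the article or from Sophos): find user accounts that
# have not logged on for $InactiveDays days, write a report, and optionally disable them.
# Assumptions: RSAT ActiveDirectory module installed, rights to read/modify users,
# and the allow-list below maintained for known service accounts.

param(
    [int]$InactiveDays = 90,                                  # assumed window
    [string]$ReportPath = ".\stale-accounts-report.csv",      # assumed output path
    [string[]]$AllowList = @("svc-backup", "svc-monitoring"), # constructed sample names
    [switch]$Disable                                          # report only unless set
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)
$privilegedGroups = '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators),'

# Search-ADAccount -AccountInactive relies on lastLogonTimestamp, which replicates
# lazily (by default up to 14 days behind), so treat the result as candidates.
$candidates = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled -and ($AllowList -notcontains $_.SamAccountName) } |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName `
            -Properties LastLogonDate, PasswordLastSet, whenCreated, MemberOf
    } |
    # A newly created account that has never logged on is not "stale" yet.
    Where-Object { $_.whenCreated -lt $cutoff }

# Flag accounts that hold privileged group membership: the incident described in
# the article started from exactly this kind of forgotten admin account.
$report = $candidates | Select-Object SamAccountName, LastLogonDate, PasswordLastSet, whenCreated,
    @{ Name = 'GroupCount';     Expression = { @($_.MemberOf).Count } },
    @{ Name = 'PrivilegedGroup'; Expression = { [bool]($_.MemberOf | Where-Object { $_ -match $privilegedGroups }) } }

$report | Sort-Object PrivilegedGroup -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} stale candidate account(s) written to {1}" -f @($report).Count, $ReportPath)

foreach ($user in $candidates) {
    # Leave an audit trail in the description so the change is explainable and reversible.
    $note = "Disabled by stale-account audit on $(Get-Date -Format 'yyyy-MM-dd'); last logon $($user.LastLogonDate)"
    # -WhatIf shows what would happen unless -Disable was passed, so a dry run is the default.
    Set-ADUser -Identity $user -Description $note -WhatIf:(-not $Disable)
    Disable-ADAccount -Identity $user -WhatIf:(-not $Disable)
}
```

Run it once without `-Disable`, review the CSV (privileged accounts sort to the top), then run again with `-Disable`. Disabling rather than deleting keeps group memberships and mailbox ownership recoverable if a flagged account turns out to be in use, and the description stamp tells the next administrator why it was turned off. The same audit idea applies to Azure Active Directory, where sign-in activity rather than lastLogonTimestamp is the signal to use.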
If you’d like to learn more about how to lower your security risk level, our trusted advisors work with various leading cybersecurity solution providers in our partner network. We can help you identify the best products and services for your business based on your needs and goals. For details, give us a call at 877-599-3999 or email firstname.lastname@example.org.