Ghost accounts are increasingly being used in cyberattacks

Inactive or ghost accounts are a prime target for hackers

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

By failing to keep close tabs on “ghost” or inactive account credentials, organizations are leaving themselves open to cyberattacks according to new research fromSophos.

The cybersecurity firm’s Rapid Response team has published new findings related to how ghost accounts were used to give cybercriminals a way into corporate networks during two recent attacks.

The first attack, which impacted more than 100 systems at the targeted firm, used the Nefilm or Nemtyransomwareto find and exfiltrate hundreds of gigabytes of data. However, Sophos responders were able to trace the initial intrusion to an admin account with high level access that the attackers had compromised more than four weeks before encrypting the company’s systems with ransomware.

In this case the ghost account belonged to an employee who had passed away three months prior to the attack. However, the firm had kept the account active even after the employee’s passing because it was used for a number of services.

Ghost accounts

In the second, unrelated attack, Sophos responders discovered that cybercriminals had created a new user account and added it to the targeted organization’s domain admin group inActive Directory.

By using this new domain admin account, the attackers were able to delete approximately 150 virtual servers and encrypt the server backups usingMicrosoft Bitlockerwithout setting off any alerts.

Manager of Sophos Rapid Response Peter Mackenzie provided further insight in apress releaseon how organizations can prevent ghost accounts from being used against them, saying:

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“Staying on top of account credentials is basic, but critical cybersecurity hygiene. We see far too many incidents where accounts have been set up, often with considerable access rights, that are then forgotten about, sometimes for years. Such ‘ghost’ accounts are a prime target for attackers. If an organization really needs an account after someone has left the company, they should implement a service account and deny interactive logins to prevent any unwanted activity. Or, if they don’t need the account for anything else, disable it and carry out regular audits of Active Directory.”

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

Washington state court systems taken offline following cyberattack

Is it still worth using Proton VPN Free?

7 myths about email security everyone should stop believing