

Ethical Hacking News

A Rogue Zombie User Account: A Cautionary Tale of Inadequate IT Security


A rogue zombie user account has been left active in a city's network, allowing hackers to control critical systems, including the water utility. A lapse in IT security highlights the importance of regular audits and diligent account management.

  • A former employee's abandoned user account was left active, granting hackers unprecedented access to the city's water utility.
  • The incident highlights the importance of periodic audits and diligent account management to prevent similar lapses.
  • A hacker exploited a dormant account with extensive privileges to gain root access to the network, emphasizing the need for regular IT security reviews.
  • Quarterly access reviews should be mandatory to prevent such incidents in the future.



    In a shocking case of neglect, a former employee's abandoned user account was left active, granting hackers unprecedented access to the city's water utility. This egregious lapse in IT security serves as a stark reminder of the importance of periodic audits and diligent account management.

    The incident unfolded when Nicole Beckwith, senior director for security engineering and operations at Cribl, was hired to investigate a series of unauthorized changes made by an unknown entity within the city's network. Initially, it appeared that the malicious actor had been accessing conference room projectors and other relatively harmless endpoints, but as the investigation progressed, it became clear that their attention had shifted towards more critical systems.

    The trail led Beckwith to discover that the perpetrator had taken control of a dormant user account belonging to "Greg from Auditing." The account, created during Greg's time at the city, still retained extensive privileges, including domain admin rights, SCADA operator access, and even help desk functions. It is unclear whether anyone in auditing ever required such elevated access, but the former employee undoubtedly benefited from this level of authority.

    The hacker, likely using a leaked password associated with Greg's .gov work email address, exploited the dormant account to gain root access to the city's network. The ease with which they did so underscores the need for regular IT security audits and periodic reviews of active user accounts.

    "The lesson, beyond the obvious 'please, for the love of all that is holy, audit your dormant accounts,' is that every forgotten user is an easy ticket to being on the 5 o'clock news," Beckwith emphasized. "Quarterly access reviews should be mandatory because everyone seems to think when a user leaves, that is the end of it and someone surely terminated access, deprovisioned accounts, removed access to tools, mobile communications, email, and other business critical systems, but sadly I've responded to way too many incidents like this one because of this simple control which is often overlooked."

    This cautionary tale highlights the importance of prioritizing IT security and emphasizing regular audits. Failing to do so can have catastrophic consequences, as seen in this case where a single mistake led to potential harm to the public by compromising the water supply.

    In conclusion, this incident serves as a stark reminder of the need for proactive measures in safeguarding sensitive systems and data. By implementing periodic reviews and audits of active user accounts, organizations can significantly reduce the risk of similar lapses occurring. As Beckwith aptly noted, it is crucial to remember that even the most seemingly insignificant controls can have far-reaching consequences if neglected.
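
The following added example (not from the original article or from Beckwith's investigation) shows one way to run the kind of access review described above: it joins an account export against the current HR roster, so an account like Greg's is flagged as ownerless even when an intruder's recent logons make it look active. The CSV layouts, account names, department-to-group policy and 90-day idle threshold are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not data from the incident).
ACCOUNTS = """username,enabled,last_logon,groups
greg.audit,true,2026-05-10,Domain Admins;SCADA Operators;Help Desk
ana.ops,true,2026-05-19,SCADA Operators
sam.helpdesk,true,2025-11-02,Help Desk
old.intern,false,2024-06-30,
"""
HR_ROSTER = """username,department
ana.ops,Water Operations
sam.helpdesk,IT Support
"""
# Assumed policy: which privileged groups each department may hold.
ALLOWED = {"Water Operations": {"SCADA Operators"}, "IT Support": {"Help Desk"}}
PRIVILEGED = {"Domain Admins", "SCADA Operators", "Help Desk"}
STALE_DAYS = 90  # assumed idle threshold

def review(accounts_csv, roster_csv, today):
    roster = {r["username"]: r["department"]
              for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].lower() != "true":
            continue  # already disabled; out of scope for this review
        user = acct["username"]
        groups = {g for g in acct["groups"].split(";") if g}
        reasons = []
        if user not in roster:
            # Catches a zombie account even when an intruder keeps it "active".
            reasons.append("no current employee")
        else:
            excess = (groups & PRIVILEGED) - ALLOWED.get(roster[user], set())
            if excess:
                reasons.append("excess privilege: " + ", ".join(sorted(excess)))
        idle = (today - date.fromisoformat(acct["last_logon"])).days
        if idle > STALE_DAYS:
            reasons.append(f"idle {idle} days")
        if reasons:
            findings.append((user, sorted(groups & PRIVILEGED), reasons))
    # Ownerless accounts first, then by number of privileged groups held.
    findings.sort(key=lambda f: ("no current employee" not in f[2], -len(f[1])))
    return findings

if __name__ == "__main__":
    for user, privs, reasons in review(ACCOUNTS, HR_ROSTER, date(2026, 5, 21)):
        print(f"{user}: {'; '.join(reasons)} (privileged: {', '.join(privs)})")
```

Note that an idle-days check alone would miss `greg.audit` in this sample, because the account shows a recent logon; only the roster join identifies it.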



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Rogue-Zombie-User-Account-A-Cautionary-Tale-of-Inadequate-IT-Security-ehn.shtml

  • https://www.theregister.com/security/2026/05/21/zombie-user-account-let-hackers-control-the-citys-water/5243724


  • Published: Thu May 21 03:23:12 2026 by llama3.2 3B Q4_K_M












