Which of the following is the MOST likely attack that occurred?

A government contractor was the victim of a malicious attack that resulted in the theft of sensitive information. An analyst’s subsequent investigation of sensitive systems led to the following discoveries:
There was no indication of the data owner’s or user’s accounts being compromised.
No database activity outside of previous baselines was discovered.
All workstations and servers were fully patched for all known vulnerabilities at the time of the attack. It was likely not an insider threat, as all employees passed polygraph tests.
Given this scenario, which of the following is the MOST likely attack that occurred?
A. The attacker harvested the hashed credentials of an account within the database administrators group after dumping the memory of a compromised machine. With these credentials, the attacker was able to access the database containing sensitive information directly.
B. An account, which belongs to an administrator of virtualization infrastructure, was compromised with a successful phishing attack. The attacker used these credentials to access the virtual machine manager and made a copy of the target virtual machine image. The attacker later accessed the image offline to obtain sensitive information.
C. A shared workstation was physically accessible in a common area of the contractor’s office space and was compromised by an attacker using a USB exploit, which resulted in gaining a local administrator account. Using the local administrator credentials, the attacker was able to move laterally to the server hosting the database with sensitive information.
D. After successfully using a watering hole attack to deliver an exploit to a machine, which belongs to an employee of the contractor, an attacker gained access to a corporate laptop. With this access, the attacker then established a remote session over a VPN connection with the server hosting the database of sensitive information.


5 thoughts on “Which of the following is the MOST likely attack that occurred?”

  1. I agree with Corona’s explanation.
    I first thought D because I assumed the administrator in answer B would be considered a user, so therefore the administrator’s account was not compromised. What I missed was that the connection in D was to a server hosting a database but not the database. Administrator access to a database-hosting database does not necessarily grant access to the database.

  2. The answer is C.

    Why not B?
    There were no indications of the data owner’s or user’s account being compromised…. So it cannot be B, because the administrator’s account got compromised with a phishing attack and those credentials were used to access VMs, which can’t be true due to the question statement.

    Only answers I liked were C and B.

  3. B. An account, which belongs to an administrator of virtualization infrastructure, was compromised with a successful phishing attack. The attacker used these credentials to access the virtual machine manager and made a copy of the target virtual machine image. The attacker later accessed the image offline to obtain sensitive information.

    This meets all of the question’s requirements:
    – There was no indication of the data owner’s or user’s accounts being compromised.
    Through the virtualization infrastructure’s credential, you can grab the whole database VM and access the system offline, with no need of the data owner’s/user’s credentials.

    – No database activity outside of previous baselines was discovered.
    Offline cracking would not alter baselines.

    – All workstations and servers were fully patched for all known vulnerabilities at the time of the attack. It was likely not an insider threat, as all employees passed polygraph tests.
    There was no exploit to any systems, since they were patched.
