CompTIA CASP+ (CAS-003) — Question 297
A government contractor was the victim of a malicious attack that resulted in the theft of sensitive information. An analyst's subsequent investigation of sensitive systems led to the following discoveries:
✑ There was no indication of the data owner's or user's accounts being compromised.
✑ No database activity outside of previous baselines was discovered.
✑ All workstations and servers were fully patched for all known vulnerabilities at the time of the attack.
✑ It was likely not an insider threat, as all employees passed polygraph tests.
Given this scenario, which of the following is the MOST likely attack that occurred?
Answer options
- A. The attacker harvested the hashed credentials of an account within the database administrators group after dumping the memory of a compromised machine. With these credentials, the attacker was able to access the database containing sensitive information directly.
- B. An account, which belongs to an administrator of virtualization infrastructure, was compromised with a successful phishing attack. The attacker used these credentials to access the virtual machine manager and made a copy of the target virtual machine image. The attacker later accessed the image offline to obtain sensitive information.
- C. A shared workstation was physically accessible in a common area of the contractor's office space and was compromised by an attacker using a USB exploit, which resulted in gaining a local administrator account. Using the local administrator credentials, the attacker was able to move laterally to the server hosting the database with sensitive information.
- D. After successfully using a watering hole attack to deliver an exploit to a machine, which belongs to an employee of the contractor, an attacker gained access to a corporate laptop. With this access, the attacker then established a remote session over a VPN connection with the server hosting the database of sensitive information.
Correct answer: B
Explanation
The correct answer is B because the evidence suggests that the attack was not an insider threat and involved phishing, which is a plausible way to compromise an administrator's account given the scenario. The other options suggest methods that would likely have left more traces of compromise or would not align with the findings of no account compromises and fully patched systems.