An unmonitored account belonging to a deceased employee allowed Nefilim to exfiltrate data and infiltrate systems for a month, researchers say. The attack was carried out in the middle of the night to avoid detection. The attackers were inside the victim’s network for about one month before launching the ransomware itself. The company’s installed Citrix Storefront 7.15 CU3 was vulnerable at the time of the incident to a known critical security bug (CVE-2019-11634) and four high-severity issues.
Source: https://threatpost.com/nefilim-ransomware-ghost-account/163341/

