While they go into detail describing the city of Dallas, ransomware, and the attacker (Royal) in question, they gloss over the most important element - the vector of attack.
Example: "Royal’s initial access utilized the basic service domain service account, connecting to a server." To 99 percent of their audience, this is gobblygook, and yet it is the most critical piece of information: How did this attack take place? Dallas CIO and CISO have both been quoted as saying the attackers used "stolen credentials." Piecing this together, I'm guessing some admin exercised less-than-good practices in creating some service account utilizing their credentials, which likely had far more privileges than whatever the service account needed to do. There are variations on that, but the credentials should not have been subject to pilfering (create distinct accounts) and the service account shouldn't have been able to grant the access it did (least privilege).
The Microsoft ecosystem just becomes an accelerant for this spark of vulnerability thanks to BATLOADER and Cobalt Strike. Homogeneity and excessive trust allowed one mistake to turn into pervasive access throughout the system. There is a requisite level of effort, policies, procedures, and controls (to ensure those policies and procedures) that doesn't seem to have happened. This is what drives me up a wall. We start throwing out all these fancy-sounding code names we've assigned to attackers and the malware they use, when the reality is the attack happened, not because some cyber Voldemort cast a spell, but because we skipped important steps. Why were those steps skipped? That's what the report should focus on. My guess is an honest evaluation will reveal poor communication and poor accountability that ultimately under-resourced or under-supervised these operations.
