
FBI, CISA Warn of Russian Hackers Exploiting MFA and PrintNightmare Bug

FBI, CISA and Russian Hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
and the Federal Bureau of Investigation (FBI) have released a joint
advisory warning that Russia-backed threat actors hacked the
network of an unnamed non-governmental entity by exploiting a
combination of flaws.

“As early as May 2021, Russian state-sponsored cyber actors took
advantage of a misconfigured account set to default [multi-factor
authentication] protocols at a non-governmental organization (NGO),
allowing them to enroll a new device for MFA and access the victim
network,” the agencies said[1].


“The actors then exploited a critical Windows Print Spooler
vulnerability, ‘PrintNightmare’ (CVE-2021-34527[2]) to run arbitrary code
with system privileges.”

The attack was pulled off by gaining initial access to the
victim organization via compromised credentials – obtained by means
of a brute-force password guessing attack – and enrolling a new
device in the organization’s Duo MFA[3].

It’s also noteworthy that the breached account was un-enrolled
from Duo due to a long period of inactivity, but had not yet been
disabled in the NGO’s Active Directory, thereby allowing the
attackers to escalate their privileges using the PrintNightmare
flaw and disable the MFA service altogether.

“As Duo’s default configuration settings allow for the
re-enrollment of a new device for dormant accounts, the actors were
able to enroll a new device for this account, complete the
authentication requirements, and obtain access to the victim
network,” the agencies explained.


Turning off MFA, in turn, allowed the state-sponsored actors to
authenticate to the NGO’s virtual private network (VPN) as
non-administrator users, connect to Windows domain controllers via
Remote Desktop Protocol (RDP), and obtain credentials for other
domain accounts.

In the final stage of the attack, the newly compromised accounts
were subsequently utilized to move laterally across the network to
siphon data from the organization’s cloud storage and email
accounts.

To mitigate such attacks, CISA and the FBI recommend that
organizations enforce and regularly review multi-factor authentication
configuration policies, disable inactive accounts in Active
Directory, and prioritize patching for known exploited flaws[4].
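A defender-side check for the two conditions the advisory describes, accounts that are dormant yet still enabled in Active Directory, and a new MFA device enrolled on an account that had been dormant, as an added example that is not code from the advisory, the NGO or Duo; the account records, the enrollment events and the 90-day inactivity threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
IDLE_DAYS = 90  # assumed inactivity threshold; pick one that matches your AD policy
NOW = datetime(2021, 6, 1, tzinfo=UTC)  # constructed "current" time for the sample

# Constructed AD export (hypothetical): enabled flag plus last logon per account.
# In practice these come from lastLogonTimestamp / userAccountControl.
AD_ACCOUNTS = {
    "jsmith":      {"enabled": True,  "last_logon": datetime(2021, 5, 10, tzinfo=UTC)},
    "contractor1": {"enabled": True,  "last_logon": datetime(2020, 11, 2, tzinfo=UTC)},
    "old_intern":  {"enabled": False, "last_logon": datetime(2020, 6, 1, tzinfo=UTC)},
}

# Constructed MFA admin-log events (hypothetical): (timestamp, account, action).
MFA_EVENTS = [
    (datetime(2021, 5, 12, tzinfo=UTC), "jsmith", "device_enrolled"),
    (datetime(2021, 5, 14, tzinfo=UTC), "contractor1", "device_enrolled"),
]


def is_dormant(account, when, idle_days=IDLE_DAYS):
    """True if the account had no logon within idle_days before `when`."""
    return account["last_logon"] < when - timedelta(days=idle_days)


def dormant_but_enabled(accounts, now=NOW, idle_days=IDLE_DAYS):
    """Accounts the advisory says should already be disabled: dormant yet enabled."""
    return sorted(name for name, acct in accounts.items()
                  if acct["enabled"] and is_dormant(acct, now, idle_days))


def suspicious_enrollments(events, accounts, idle_days=IDLE_DAYS):
    """MFA device enrollments on accounts that were dormant at enrollment time.

    This is the pattern from the advisory: a long-inactive account suddenly
    gains a new MFA device and is then usable for VPN access."""
    hits = []
    for ts, name, action in events:
        acct = accounts.get(name)
        if action == "device_enrolled" and acct and is_dormant(acct, ts, idle_days):
            hits.append((name, ts.date().isoformat()))
    return hits


if __name__ == "__main__":
    print("dormant but enabled:", dormant_but_enabled(AD_ACCOUNTS))
    print("enrollment on dormant account:", suspicious_enrollments(MFA_EVENTS, AD_ACCOUNTS))
```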

References

  1. said (www.cisa.gov)
  2. CVE-2021-34527 (thehackernews.com)
  3. Duo MFA (duo.com)
  4. known exploited flaws (www.cisa.gov)
