Russia State-Sponsored Hackers Used Misconfigured MFA to Breach NGO
FBI and CISA warn of attack on multifactor authentication account to exploit "PrintNightmare" exploit.
Russian nation-state hackers last spring capitalized on a misconfigured Cisco Duo multifactor authentication (MFA) account at a nongovernment organization and created their own device, with MFA, to infiltrate the victim's network, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned this week in a joint advisory.
The attackers initially brute-forced their way to a set of user credentials that had been removed from the organization's MFA. They created a rogue account and then used it to exploit a known Windows Print Spooler vulnerability, aka PrintNightmare (CVE-2021-34527), to run their code using privileged user access and were able to access cloud and email accounts as a way to steal documents.
"Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via brute-force password guessing attack [T1110.001], allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network," the advisory says.
The FBI and CISA recommend reviewing MFA policies to prevent such a re-enrollment action, confirming that inactive accounts are disabled in Active Directory and MFA systems, and making sure all software is updated, patched, and not prone to known flaws.
About the Author(s)
You May Also Like
Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024Why Effective Asset Management is Critical to Enterprise Cybersecurity
May 21, 2024Finding Your Way on the Path to Zero Trust
May 22, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024