Russia State-Sponsored Hackers Used Misconfigured MFA to Breach NGORussia State-Sponsored Hackers Used Misconfigured MFA to Breach NGO
FBI and CISA warn of attack on multifactor authentication account to exploit "PrintNightmare" exploit.
March 16, 2022
Russian nation-state hackers last spring capitalized on a misconfigured Cisco Duo multifactor authentication (MFA) account at a nongovernment organization and created their own device, with MFA, to infiltrate the victim's network, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned this week in a joint advisory.
The attackers initially brute-forced their way to a set of user credentials that had been removed from the organization's MFA. They created a rogue account and then used it to exploit a known Windows Print Spooler vulnerability, aka PrintNightmare (CVE-2021-34527), to run their code using privileged user access and were able to access cloud and email accounts as a way to steal documents.
"Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via brute-force password guessing attack [T1110.001], allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network," the advisory says.
The FBI and CISA recommend reviewing MFA policies to prevent such a re-enrollment action, confirming that inactive accounts are disabled in Active Directory and MFA systems, and making sure all software is updated, patched, and not prone to known flaws.
About the Author(s)
You May Also Like
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What's In Your Cloud?Nov 30, 2023
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
Modernize your Security Operations with Human-Machine Intelligence
AI in Cybersecurity: Using artificial intelligence to mitigate emerging security risks
Managed Security and the 3rd Party Cyber Risk Opportunity Whitepaper