The FBI and CISA released a warning today that Russian state-sponsored threat actors gained access to a non-governmental organization (NGO) by exploiting default multifactor authentication (MFA) protocols together with the critical Windows vulnerability known as “PrintNightmare”.
The cyber attack “is a prime example of why user account hygiene is so important and why security patches need to be implemented as soon as possible,” Mike Parkin, senior technical engineer at cyber-risk recovery company Vulcan Cyber, told VentureBeat in an email.
“This breach was based on both a vulnerable account that should have been completely disabled and an exploitable vulnerability in the target environment,” Parkin said.
“PrintNightmare” (CVE-2021-34527) is a remote code execution vulnerability in Microsoft’s Windows Print Spooler service. It was disclosed in the summer of 2021 and led to a series of patches from Microsoft.
According to today’s joint advisory from the FBI and CISA (the federal Cybersecurity and Infrastructure Security Agency), Russian state-sponsored threat actors were observed exploiting default MFA protocols in conjunction with the “PrintNightmare” vulnerability. The FBI and CISA said the threat actors were able to access the NGO’s cloud and email accounts, move laterally within the organization’s network, and exfiltrate documents.
The advisory says the cyber attack targeting the NGO began as early as May 2021. The location of the NGO and the full time span in which the attack took place were not specified.
CISA referred questions to the FBI, who did not immediately respond to a request for those details.
The warning comes as Russia continues its unprovoked attack on Ukraine, including frequent cyberattacks. CISA has previously warned of the possibility that cyberattacks from Russia could affect US targets in connection with the war in Ukraine.
On CISA’s separate “Shields Up” page, the agency continues to state that “there are currently no specific or credible cyber threats to the US homeland” in connection with Russia’s actions in Ukraine.
Weak password, default MFA settings
In the cyberattack on the NGO disclosed today by the FBI and CISA, the Russian threat actors used a brute-force password-guessing attack to compromise the account credentials. The password, according to the advisory, was simple and predictable.
The NGO account was also misconfigured, with default MFA protocols left in place, the FBI and CISA said. This allowed the attackers to enroll a new device in Cisco’s Duo MFA solution and gain access to the NGO’s network, the advisory said.
While requiring multiple forms of authentication at login is widely seen as an effective cybersecurity measure, in this case the misconfiguration allowed MFA to be used as a key part of the attack.
“The victim account was unsubscribed from Duo due to a long period of inactivity, but was not disabled in Active Directory,” the FBI and CISA said. “Because Duo’s default configuration settings allow re-enrolling a new device for dormant accounts, the actors were able to enroll a new device for this account, meet the authentication requirements, and access the victim network.”
The Russian state-sponsored actors then exploited “PrintNightmare” to escalate their privileges to administrator; modified a file on a domain controller to disable MFA (according to the advisory, the hosts file was altered to redirect Duo MFA calls to localhost, so the MFA check could not reach Duo’s servers and, under Duo’s default fail-open setting, passed anyway); authenticated to the organization’s VPN; and made Remote Desktop Protocol (RDP) connections to Windows domain controllers.
“Using these compromised accounts without MFA being enforced, Russian state-sponsored cyber actors were able to access the victim’s cloud storage and email accounts laterally and access the content they wanted,” the FBI and CISA advisory said.
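The attack chain above rests on three conditions a defender can check for directly: an enabled Active Directory account that has gone dormant (and so may have been un-enrolled by the MFA provider while AD still accepts its password), a domain controller still running an unpatched or unrestricted Print Spooler, and a hosts file that points the MFA provider’s hostnames at loopback. The following PowerShell audit script is an added example, not code from the advisory or from VentureBeat. It assumes the RSAT ActiveDirectory module is installed, that it runs with administrative rights on a domain controller, and a 90-day dormancy window; the Duo fail-open registry value name is taken from Duo’s Windows Logon documentation and should be verified against the installed version.

```powershell
<#
  Audit for the conditions abused in the FBI/CISA NGO advisory.
  Added example; not from the advisory or the article.
  Assumptions: RSAT ActiveDirectory module present, run as a domain administrator
  on a domain controller, 90-day dormancy threshold.
#>
param(
    [int]$DormantDays = 90,
    [switch]$DisableDormant   # report only unless explicitly requested
)

Import-Module ActiveDirectory

# 1. Enabled but dormant accounts. An MFA provider may un-enroll these for inactivity
#    while AD still accepts the password, which is exactly the gap the attackers used.
$inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($DormantDays)) -UsersOnly |
    Where-Object { $_.Enabled }

foreach ($acct in $inactive) {
    Write-Warning ("Enabled account with no logon in {0} days: {1} (last logon: {2})" -f
        $DormantDays, $acct.SamAccountName, $acct.LastLogonDate)
    if ($DisableDormant) {
        # Disabling in AD closes the gap regardless of what the MFA provider does.
        Disable-ADAccount -Identity $acct.SamAccountName
        Write-Output ("Disabled {0}" -f $acct.SamAccountName)
    }
}

# 2. PrintNightmare exposure. Domain controllers rarely need to print; Microsoft's
#    guidance is to stop and disable the Spooler service there. After the 2021 patches
#    the RestrictDriverInstallationToAdministrators value defaults to 1 when absent;
#    an explicit 0 re-opens the driver-installation path.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    Write-Warning "Print Spooler is running on this host; disable it on domain controllers."
}

$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$restrict = (Get-ItemProperty -Path $ppKey -Name RestrictDriverInstallationToAdministrators `
    -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
if ($null -ne $restrict -and $restrict -eq 0) {
    Write-Warning "RestrictDriverInstallationToAdministrators is 0; non-admins can install printer drivers."
}

# 3. Hosts-file tampering. Any non-comment entry that maps a Duo hostname to a loopback
#    or null address would make the Duo client unable to reach its server.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopback  = '^(127\.\d+\.\d+\.\d+|0\.0\.0\.0|::1)\s'
Get-Content -Path $hostsPath | Where-Object {
    $_ -notmatch '^\s*#' -and $_ -match 'duosecurity\.com' -and $_ -match $loopback
} | ForEach-Object {
    Write-Warning ("Suspicious hosts entry redirecting Duo to localhost: {0}" -f $_.Trim())
}

# 4. Duo fail-open (assumption: value name per Duo's Windows Logon docs; verify for your version).
#    FailOpen = 1 means a logon succeeds when the Duo service is unreachable, which is what
#    turned the hosts-file change into an MFA bypass.
$duoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$failOpen = (Get-ItemProperty -Path $duoKey -Name FailOpen -ErrorAction SilentlyContinue).FailOpen
if ($null -ne $failOpen -and $failOpen -eq 1) {
    Write-Warning "Duo Windows Logon is configured to fail open; set FailOpen to 0 on domain controllers."
}
```

Run it first without `-DisableDormant` to review the list; the dormant-account check also returns accounts that have never logged on, so service accounts that authenticate non-interactively should be reviewed rather than disabled blindly.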
The FBI-CISA advisory provides a number of recommended best practices and indicators of compromise that security teams can use.
Ultimately, “the FBI and CISA recommend organizations stay aware of the threat posed by state-sponsored cyber actors abusing standard MFA protocols and exfiltrating sensitive information,” the advisory said.
In recent years, Russian threat actors have shown that they have “developed significant capabilities to circumvent MFA when poorly implemented, or managed in a way that allows attackers to compromise material parts of cloud identity supply chains,” said Aaron Turner, a vice president at AI-driven cybersecurity firm Vectra.
“This latest advisory shows that organizations that have implemented MFA as a ‘check the box’ compliance solution are seeing MFA vulnerability exploitation at scale,” Turner said in an email.
Going forward, you can “expect to see more of this type of attack vector,” said Bud Broomhead, CEO of IoT security provider Viakoo.
“Kudos to CISA and FBI for informing and focusing organizations on what the most pressing cyber priorities are for organizations,” Broomhead said in an email. “All security teams are stretched, making the focus they provide extremely valuable.”
In light of this cyberattack by Russian threat actors, CISA Director Jen Easterly today reiterated the call for US companies and government agencies to put their “shields up,” which includes “ensuring MFA is implemented securely,” Easterly said in a press release.
This post, “Russian hackers exploited MFA and ‘PrintNightmare’ vulnerability in NGO breach, US says,” was originally published at https://venturebeat.com/2022/03/15/russian-hackers-exploited-mfa-and-printnightmare-vulnerability-in-ngo-breach-u-s-says/