The US Cybersecurity and Infrastructure Security Agency (CISA) and FBI have issued a joint security alert, urging organisations to immediately take steps to prevent Russian state-backed hackers from exploiting vulnerabilities in multifactor authentication (MFA) protocols and the Windows print spooler.
As per the advisory, Russian actors recently exploited MFA defaults and the critical ‘PrintNightmare‘ bug to compromise an unnamed NGO’s network and steal sensitive information.
They gained access to the NGO’s cloud and email accounts, moved laterally via the organisation’s network, and exfiltrated documents.
The hacking attempts started as early as May 2021, the advisory says, although it does not disclose details of where the NGO was located or the length of time the attack lasted.
Russian actors apparently gained initial access to the network via compromised credentials, then enrolled a new device in the organisation’s Duo MFA.
Using a brute-force password guessing attack, the hackers obtained the victim’s credentials, granting them access to an account with a simple and predictable password.
The victim’s account had been un-enrolled from Duo owing to a prolonged period of inactivity, but was not disabled in Active Directory.
The actors were able to add a new device to the account, satisfy the authentication requirements, and get access to the victim network – all allowed under Duo’s default configuration settings, even for inactive accounts.
The hackers then exploited the PrintNightmare vulnerability (CVE-2021-34527) to gain administrator privileges and turn off MFA.
PrintNightmare is a vulnerability in the Windows Print Spooler service, which provides printing functionality inside local networks. The vulnerability was disclosed in June last year and enabled attackers to take control of vulnerable systems remotely to run arbitrary code (install programmes, modify data, and create new accounts) through local privilege escalation.
After turning off MFA, the hackers authenticated to the NGO’s VPN as non-administrator users and connected to Windows domain controllers via Remote Desktop Protocol. Finally, they obtained credentials for other domain accounts, which they used to move laterally to the victim’s cloud storage and email accounts and access confidential content.
CISA and the FBI recommend that enterprises enable, enforce, and correctly set up MFA, as well as prioritise patching known exploited bugs to prevent such attacks.
The mitigations measures recommended by CISA include:
- Enforcing MFA for all users, without exception, and ensuring that it is set appropriately to prevent ‘fail open’ and re-enrollment scenarios
- Apply time-out and lock-out features
- Disable inactive accounts in MFA, active directory, etc.
- Update software with a focus on known exploitable flaws
- Regularly monitor network logs for unusual activity
- Apply security alerting policies
“Over the last several years, Russian state-sponsored cyber actors have been persistent in targeting U.S. cleared defence contractors to get at sensitive information,” said Rob Joyce, director of NSA Cybersecurity.
“Armed with insights like these, we can better detect and defend important assets together.”
FBI cyber division assistant director Bryan Vorndran said, “We encourage organisations who may have experienced this type of exploitation to report to the FBI and/or CISA and provide us with additional information so we can continue to deter and disrupt nation-state actors.”
“The FBI will not tolerate this type of criminal activity and we will use all of the tools in our toolbelt to combat this threat.”
