Russian State-Sponsored Actors are Exploiting MFA and the PrintNightmare Vulnerability
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint cybersecurity advisory warning that Russian state-sponsored actors are exploiting default multi-factor authentication protocols and the PrintNightmare vulnerability to gain access to networks to steal sensitive data.
These tactics have been used by Russian state-sponsored cyber actors from as early as May 2021, when a non-governmental organization (NGO) was attacked using these tactics. The threat actors were able to gain access to the network by exploiting default multi-factor authentication protocols (Cisco’s Duo MFA) on an account. The threat actors then exploited the PrintNightmare vulnerability to execute code with system privileges and were able to move laterally to the NGO’s cloud and email accounts and exfiltrate documents. PrintNightmare is a critical remote code execution vulnerability (CVE-2021-34527) in the print spooler service of Microsoft Windows.
The attackers were able to enroll a new device in the NGO’s Duo MFA using compromised credentials, which were obtained in a brute force attack that guessed a simple, predictable password. The account had been unenrolled from Duo after a long period of inactivity but had not been disabled in Active Directory. In the default setting, Duo allows the re-enrollment of new devices for dormant accounts, which allowed the attackers to enroll a new device, complete the authentication requirements, and gain access to the network. The PrintNightmare vulnerability was then exploited and privileges were elevated to admin level.
The threat actors were able to change the configuration of Duo MFA to call localhost rather than the Duo server, which disabled multi-factor authentication for active domain accounts, as the default policy of Duo on Windows is to fail open if the MFA server cannot be reached. Using compromised credentials without MFA enforced allowed the threat actors to move laterally to the NGO’s cloud environment and email accounts.
Russian state-sponsored actors are adept at exploiting poorly configured MFA systems to gain access to networks to steal sensitive data. These tactics can be used on other misconfigured MFA systems. These tactics do not depend on a victim using Cisco’s Duo MFA.
CISA and the FBI have provided a list of mitigations to prevent these tactics from succeeding. It is important to set strong, unique passwords for all accounts and passwords should not be stored on a system where an adversary may have access. Consider using a password manager. These solutions have strong password generators which can help to prevent users from setting vulnerable passwords. To make it harder for brute force attacks to succeed, organizations should implement time-out and lock-out features after a set number of failed login attempts.
The FBI and CISA say MFA should be enforced for all users, without exception. However, before implementing MFA, configuration policies should be reviewed to protect against fail open and re-enrollment scenarios. Inactive accounts in Active Directory and MFA systems should be disabled, network logs should be monitored for suspicious activity and unauthorized or unusual login attempts, and software and operating systems should be kept up to date, with patching prioritized to address known exploited vulnerabilities first.
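The following Python script is an added illustration of the detection and hygiene checks the mitigations above call for; it is not part of the advisory or of this article, and it is not Duo's or Microsoft's tooling. It counts failed logins in a sliding window to decide when a lock-out threshold is reached, flags an MFA device enrolment by an account that has not logged in for a long time, lists dormant accounts that should be disabled rather than merely unenrolled, and checks an MFA configuration for a loopback server address or fail-open mode. The log records, field layout, account names, thresholds and configuration field names are all constructed assumptions for the example, not a real log schema.

```python
"""Illustrative checks for the advisory's mitigations (constructed example).

All records below are constructed: the (timestamp, user, event) layout is an
assumption for this example, not the schema of any real MFA or Windows log.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5          # failed logins allowed before lock-out (assumed policy)
LOCKOUT_WINDOW = timedelta(minutes=10)
DORMANT_DAYS = 90              # no successful login for this long => dormant (assumed)

# Constructed: last successful login per account before the sample window.
LAST_SUCCESSFUL_LOGIN = {
    "asmith": datetime(2021, 4, 30, 17, 45),
    "oldsvc": datetime(2020, 11, 2, 8, 0),   # long idle, never disabled in AD
    "bjones": datetime(2021, 5, 2, 12, 0),
}

# Constructed authentication events: (ISO timestamp, user, event type).
EVENTS = [
    ("2021-05-03T09:00:00", "oldsvc", "login_failure"),
    ("2021-05-03T09:00:20", "oldsvc", "login_failure"),
    ("2021-05-03T09:00:41", "oldsvc", "login_failure"),
    ("2021-05-03T09:01:05", "oldsvc", "login_failure"),
    ("2021-05-03T09:01:30", "oldsvc", "login_failure"),
    ("2021-05-03T09:02:00", "oldsvc", "login_failure"),
    ("2021-05-03T09:02:30", "oldsvc", "mfa_enroll"),     # new device on dormant account
    ("2021-05-03T09:02:45", "oldsvc", "login_success"),
    ("2021-05-03T09:10:00", "asmith", "login_failure"),  # a single typo, not an attack
    ("2021-05-03T09:10:30", "asmith", "login_success"),
    ("2021-05-03T10:00:00", "bjones", "mfa_enroll"),     # active user replacing a phone
    ("2021-05-03T10:00:10", "bjones", "login_success"),
]


def parse(events):
    """Turn the raw tuples into (datetime, user, event), sorted by time."""
    return sorted((datetime.fromisoformat(ts), user, ev) for ts, user, ev in events)


def brute_force_candidates(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {user: time at which `threshold` failures fell inside `window`}."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    hits = {}
    for ts, user, ev in parse(events):
        if ev != "login_failure":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and user not in hits:
            hits[user] = ts       # lock-out / alert would fire here
    return hits


def dormant_reenrollments(events, last_login, dormant_days=DORMANT_DAYS):
    """Flag MFA device enrolments by accounts with no successful login for dormant_days."""
    last_seen = dict(last_login)
    flagged = []
    for ts, user, ev in parse(events):
        if ev == "mfa_enroll":
            seen = last_seen.get(user)
            if seen is None or ts - seen > timedelta(days=dormant_days):
                flagged.append((user, ts))
        elif ev == "login_success":
            last_seen[user] = ts
    return flagged


def accounts_to_disable(last_login, now, dormant_days=DORMANT_DAYS):
    """Accounts idle longer than dormant_days: disable in AD and MFA, not just unenroll."""
    cutoff = now - timedelta(days=dormant_days)
    return sorted(user for user, seen in last_login.items() if seen < cutoff)


def mfa_config_findings(server_host, fail_mode):
    """Review assumed config fields: the MFA server host and its fail-open/closed mode."""
    findings = []
    try:
        is_loopback = ipaddress.ip_address(server_host).is_loopback
    except ValueError:  # a hostname rather than an IP literal
        is_loopback = server_host.lower() in ("localhost", "localhost.localdomain")
    if is_loopback:
        findings.append("MFA server address points at the local host")
    if fail_mode.lower() == "open":
        findings.append("fail-open mode allows logins when the MFA server is unreachable")
    return findings


def run_checks(events=EVENTS, last_login=LAST_SUCCESSFUL_LOGIN, now=datetime(2021, 5, 3)):
    """Run every check over the constructed data and collect the results."""
    return {
        "lockout": brute_force_candidates(events),
        "dormant_reenroll": dormant_reenrollments(events, last_login),
        "disable": accounts_to_disable(last_login, now),
        "config": mfa_config_findings("127.0.0.1", "open"),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Run as a script it reports the dormant "oldsvc" account as a lock-out candidate after its fifth failure, flags its device enrolment as suspicious while leaving the active "bjones" enrolment alone, lists "oldsvc" as an account to disable, and reports both a loopback MFA server address and fail-open mode as configuration findings. In a real deployment the same logic would be fed from the MFA provider's authentication logs and Windows security events rather than the constructed tuples used here.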