The FBI and CISA have issued a joint cybersecurity advisory warning organisations about an intrusion by Russian state-sponsored actors who took advantage of an NGO's misconfigured account, enrolled their own device for MFA, and then exploited the PrintNightmare Print Spooler vulnerability to take over the rest of the organisation's IT infrastructure. The intrusion is said to have begun as early as May 2021.
Multi-Factor Authentication (MFA) is a critical security control in which a password is backed by a second authentication method to confirm that it really is you logging into your account. The account in question had been un-enrolled from MFA because of long inactivity, which is what allowed the threat actors to register their own device for MFA in the first place.
Another hole in the security net was Duo's default configuration, which allows a new device to be re-enrolled for dormant accounts. Once the attackers had network access, they exploited PrintNightmare (CVE-2021-34527), a vulnerability in the Windows Print Spooler service that lets an attacker execute code remotely with SYSTEM privileges, to reach the rest of the NGO's IT infrastructure.
Kremlin’s continuing cyberwar
The threat actors brute-forced their way into an inactive account that had a weak, predictable password and had been un-enrolled from Duo due to inactivity but was never disabled in Active Directory. Because Duo's default configuration allows re-enrollment for dormant accounts, they could register their own device, satisfy the MFA prompt and get onto the network. Using the compromised account, they escalated to administrator privileges via PrintNightmare and then modified a file on a domain controller, the hosts file (c:\windows\system32\drivers\etc\hosts), so that all Duo MFA calls resolved to localhost instead of the real Duo server. With the MFA service unable to reach its server, Duo's default policy of "failing open" meant logins went through without a second factor, effectively disabling MFA for active domain accounts.
With MFA neutralised, the attackers authenticated to the NGO's VPN as non-admin users, made RDP (Remote Desktop Protocol) connections to the Windows domain controllers, and ran commands to harvest credentials for additional domain accounts, repeating the hosts-file change to bypass MFA for each newly compromised account and take control of the rest of the network.
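The hosts-file tampering described above leaves a simple artefact on disk: an entry that pins the MFA provider's API hostname to a loopback or other non-routable address. The script below is an added example written for this article, not code from the advisory or from Duo; it parses a hosts file and flags any entry for a duosecurity.com hostname, with the reason the mapping would make the MFA server unreachable. The sample hosts file, the `api-abc12345.duosecurity.com` hostname and the domain-suffix list are constructed assumptions; the real file path is the standard Windows one.

```python
import ipaddress

# Assumption: the organisation's Duo API host is a subdomain of duosecurity.com,
# which is where Duo's public API hosts live. Extend for other MFA providers.
MFA_DOMAIN_SUFFIXES = ("duosecurity.com",)

# Constructed sample of a tampered hosts file, not taken from the advisory.
# The live file lives at C:\Windows\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example
127.0.0.1       api-abc12345.duosecurity.com   # attacker-added sinkhole
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def is_mfa_host(name, suffixes=MFA_DOMAIN_SUFFIXES):
    """True if the hostname is the MFA provider's domain or a subdomain of it."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify_target(ip_text):
    """Explain why a mapping makes the MFA server unreachable, or return None
    for a public address (still worth review: Duo hosts are resolved through
    public DNS and have no business in the hosts file at all)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable address"
    if ip.is_loopback:
        return "loopback (localhost)"
    if ip.is_unspecified:
        return "unspecified address"
    if ip.is_private or ip.is_link_local:
        return "non-public address"
    return None


def find_mfa_redirects(text, suffixes=MFA_DOMAIN_SUFFIXES):
    """Return (ip, hostname, reason) for every hosts entry that pins an MFA
    provider hostname; reason is None when the target is a public address."""
    findings = []
    for ip, name in parse_hosts(text):
        if is_mfa_host(name, suffixes):
            findings.append((ip, name, classify_target(ip)))
    return findings


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read the live hosts file and return its MFA-related findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_mfa_redirects(fh.read())


if __name__ == "__main__":
    for ip, name, reason in find_mfa_redirects(SAMPLE_HOSTS):
        print(f"ALERT: {name} -> {ip} ({reason or 'public address, review manually'})")
```

Run `audit_hosts_file()` on each domain controller (and on any host running Duo for Windows Logon) as a scheduled check, and treat any finding as an incident indicator rather than a configuration nit: there is no legitimate reason for an MFA API hostname to be pinned in the hosts file.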
The FBI and CISA warn that with accounts compromised in this way and MFA no longer enforced, the threat actors were able to move laterally into cloud storage and email accounts and exfiltrate data.
The advisory also lists the following mitigations for organisations:
- Enforce MFA and review configuration policies to protect against “fail open” and re-enrollment scenarios.
- Ensure inactive accounts are disabled uniformly across Active Directory and MFA systems.
- Patch all systems. Prioritize patching for known exploited vulnerabilities.
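The second mitigation is the one the intrusion turned on: the MFA system had given up on the account while Active Directory still considered it live. The script below is an added example written for this article, not code from the advisory, CISA or Duo; it reconciles an AD account export against an MFA enrollment export and reports every account where the two disagree, or where an enabled account has no MFA device at all. The account records, device lists, 90-day inactivity threshold and reference date are all constructed assumptions; in practice the two inputs would come from an AD query and the MFA provider's admin API.

```python
from datetime import datetime, timedelta, timezone

# Constructed AD export (hypothetical; the kind of data a Get-ADUser query
# returning the enabled flag and lastLogonTimestamp would give).
AD_ACCOUNTS = [
    {"sam": "jsmith",  "enabled": True,  "last_logon": "2021-04-30T10:00:00Z"},
    {"sam": "mlee",    "enabled": True,  "last_logon": "2020-11-02T08:15:00Z"},  # dormant, never disabled
    {"sam": "old_svc", "enabled": False, "last_logon": "2019-06-01T00:00:00Z"},
    {"sam": "akhan",   "enabled": True,  "last_logon": None},                   # never logged on
    {"sam": "rgarcia", "enabled": True,  "last_logon": "2020-09-01T12:00:00Z"},  # enrolled but inactive
]

# Constructed MFA export (hypothetical; the kind of data an MFA admin API user
# listing would give): username -> enrolled device names. A missing key means
# the MFA system has no record of the account at all.
MFA_ENROLLMENTS = {
    "jsmith":  ["phone"],
    "mlee":    [],          # un-enrolled by the MFA system after inactivity
    "old_svc": ["phone"],   # stale enrollment on an account AD already disabled
    "rgarcia": ["phone"],
}

# Constructed reference time for the sample data.
REFERENCE_NOW = datetime(2021, 5, 15, tzinfo=timezone.utc)

NO_MFA_DEVICE = "enabled in AD with no MFA device: a guessed password lets an attacker self-enroll"
STALE_MFA = "disabled in AD but still enrolled in MFA: remove the enrollment"
INACTIVE = "enabled in AD but inactive: disable in both AD and MFA"


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp, or return None for never-logged-on."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_mfa_gaps(ad_accounts, mfa_enrollments, now, inactive_after=timedelta(days=90)):
    """Return (account, finding) pairs where AD and the MFA system disagree about
    whether an account is alive, or where an enabled account has no enrolled device.
    Findings are ordered as the AD export is; each account gets at most one finding."""
    findings = []
    for acct in ad_accounts:
        sam = acct["sam"]
        devices = mfa_enrollments.get(sam) or []
        last = parse_ts(acct["last_logon"])
        inactive = last is None or now - last > inactive_after
        if acct["enabled"] and not devices:
            findings.append((sam, NO_MFA_DEVICE))
        elif not acct["enabled"] and devices:
            findings.append((sam, STALE_MFA))
        elif acct["enabled"] and inactive:
            findings.append((sam, INACTIVE))
    return findings


if __name__ == "__main__":
    for sam, finding in find_mfa_gaps(AD_ACCOUNTS, MFA_ENROLLMENTS, REFERENCE_NOW):
        print(f"{sam}: {finding}")
```

The first category is the exact state the attackers exploited: an enabled account that the MFA system no longer protects, where a single guessed password is enough to self-enroll a device. Feed the output to whatever disables accounts in both directories so that the two systems never drift apart, and pair it with a re-enrollment policy that requires an administrator rather than accepting the first device that shows up.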