Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

US Warns About Russian Attacks Exploiting MFA Protocols, PrintNightmare Flaw

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI on Tuesday warned organizations that Russian state-sponsored threat actors have gained access to networks and systems by exploiting default multi-factor authentication (MFA) protocols and a Windows vulnerability known as PrintNightmare.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI on Tuesday warned organizations that Russian state-sponsored threat actors have gained access to networks and systems by exploiting default multi-factor authentication (MFA) protocols and a Windows vulnerability known as PrintNightmare.

According to the agencies, the unnamed threat group targeted an NGO in as early as May 2021, leveraging a misconfigured account set to default MFA protocols to access the victim’s network.

The attacker then exploited the PrintNightmare flaw (CVE-2021-34527) to execute arbitrary code with elevated privileges. The vulnerability has been exploited by various threat actors, with the first attacks apparently starting before Microsoft managed to release a patch in the summer of 2021. Shortly after news of the attacks emerged, CISA instructed all federal agencies to immediately take action to address the security flaw.

In the attacks described in the latest advisory from CISA and the FBI, the threat actor mainly abused legitimate Windows utilities that were already present on the compromised systems.

The goal of the hackers was apparently to obtain documents from cloud storage and email accounts.

According to the advisory, the threat actor gained initial access to the victim organization using compromised credentials that were obtained through a brute-force attack.

“The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.


Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the “PrintNightmare” vulnerability (CVE-2021-34527) to obtain administrator privileges. The actors also modified a domain controller file, c:windowssystem32driversetchosts, redirecting Duo MFA calls to localhost instead of the Duo server. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable. Note: “fail open” can happen to any MFA implementation and is not exclusive to Duo.

Advertisement. Scroll to continue reading.


After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts.”

CISA and the FBI released the joint advisory to provide indicators of compromise (IoCs), as well as recommendations for preventing intrusions, with a focus on MFA configurations.

CISA and other US government agencies have released several advisories and alerts this year over the threat posed by Russia in cyberspace.

Related: Microsoft Takes Another Stab at PrintNightmare Security Fix

Related: Microsoft Confirms (Yet Another) PrintNightmare Flaw as Ransomware Actors Pounce

Related: CISA Warns Critical Infrastructure Organizations of Foreign Influence Operations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...