The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI on Tuesday warned organizations that Russian state-sponsored threat actors have gained access to networks and systems by exploiting default multi-factor authentication (MFA) protocols and a Windows vulnerability known as PrintNightmare.
According to the agencies, the unnamed threat group targeted an NGO in as early as May 2021, leveraging a misconfigured account set to default MFA protocols to access the victim’s network.
The attacker then exploited the PrintNightmare flaw (CVE-2021-34527) to execute arbitrary code with elevated privileges. The vulnerability has been exploited by various threat actors, with the first attacks apparently starting before Microsoft managed to release a patch in the summer of 2021. Shortly after news of the attacks emerged, CISA instructed all federal agencies to immediately take action to address the security flaw.
In the attacks described in the latest advisory from CISA and the FBI, the threat actor mainly abused legitimate Windows utilities that were already present on the compromised systems.
The goal of the hackers was apparently to obtain documents from cloud storage and email accounts.
According to the advisory, the threat actor gained initial access to the victim organization using compromised credentials that were obtained through a brute-force attack.
“The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.
Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the “PrintNightmare” vulnerability (CVE-2021-34527) to obtain administrator privileges. The actors also modified a domain controller file, c:windowssystem32driversetchosts, redirecting Duo MFA calls to localhost instead of the Duo server. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable. Note: “fail open” can happen to any MFA implementation and is not exclusive to Duo.
After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts.”
CISA and the FBI released the joint advisory to provide indicators of compromise (IoCs), as well as recommendations for preventing intrusions, with a focus on MFA configurations.
CISA and other US government agencies have released several advisories and alerts this year over the threat posed by Russia in cyberspace.
Related: Microsoft Takes Another Stab at PrintNightmare Security Fix
Related: Microsoft Confirms (Yet Another) PrintNightmare Flaw as Ransomware Actors Pounce
Related: CISA Warns Critical Infrastructure Organizations of Foreign Influence Operations