Russian actors are exploiting a known MFA bug to attack an organization


Third Party Risk Management, Application Security, Cyber Warfare/Nation State Attacks

CISA, FBI alerts offer attack analysis, how to fix PrintNightmare vulnerability

Prajeet Nair (@prajeetspeaks)
March 16, 2022

Russian state-sponsored threat actors are exploiting default multi-factor authentication protocols, as well as a known vulnerability, to illegally gain access to a non-governmental organization’s network, according to US government agencies.


Bad actors took advantage of a misconfigured account that was set to default MFA protocols to gain access to the undisclosed victim’s network and move laterally into the organization’s cloud environment, according to a joint advisory released on Tuesday by the US Cybersecurity and Infrastructure Security Agency and the FBI. The advisory does not specify who owned the misconfigured account, but it indicates that the NGO used Duo MFA from technology company Cisco.

The cyber actors then exploited a previously disclosed critical Windows print spooler vulnerability, called PrintNightmare, to execute arbitrary code with system privileges. The vulnerability is tracked as CVE-2021-34527.

In an attack that took place in May 2021, the malicious actors accessed the NGO’s cloud and email accounts for document exfiltration.

Attack analysis

The advisory states that the Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolled a new device into the organization’s Duo MFA.

“The actors obtained the credentials via a brute force password guessing attack, allowing them to access a victim account with a simple and predictable password. The victim’s account had been un-enrolled from Duo due to a long period of inactivity but had not been deactivated in the Active Directory,” the notice reads.

The agencies say that Duo’s default configuration settings allow new device re-enrollment, particularly for inactive accounts, which let the attackers enroll a new device for that account, satisfy the authentication requirements and gain access to the victim’s network.

Using this compromised account, the adversaries escalated privileges by exploiting the PrintNightmare vulnerability to gain administrator rights, the agencies say.

The actors also modified a file on a domain controller so that Duo MFA calls were redirected to localhost instead of the Duo server. The advisory states that this prevented the MFA service from contacting its server to validate the MFA connection, which in turn disabled MFA authentication for active domain accounts, because the default policy of Duo for Windows is to “fail open” when the MFA server is unreachable.
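The two conditions the advisory describes, a Duo hostname pinned to the loopback address on the domain controller plus a client that fails open, are what a defender would check for. The following is an added example, not code from the advisory or from Duo: it parses a constructed Windows hosts file, reports any override of a duosecurity.com endpoint (loopback or not, since a cloud MFA endpoint never belongs in the hosts file), and combines that with the Duo fail-mode registry value, whose path is assumed from Duo’s documentation.

```python
import ipaddress
from typing import Dict, List

# Constructed hosts file (not from the advisory); the Duo API hostname is a
# placeholder in the real api-<id>.duosecurity.com shape.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example
127.0.0.1       api-PLACEHOLDER.duosecurity.com
::1             api-PLACEHOLDER.duosecurity.com   # added by intruder
"""

DUO_SUFFIX = ".duosecurity.com"  # every Duo cloud endpoint sits under this zone


def find_duo_overrides(hosts_text: str) -> List[Dict[str, object]]:
    """Report every hosts entry that pins a Duo hostname to a fixed address.
    A cloud MFA endpoint never belongs in the hosts file, so any entry is
    returned; loopback targets are flagged as a sinkhole, the advisory's case."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()       # strip comment, tokenize
        if len(parts) < 2:
            continue                               # blank or name-less line
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # not an address, ignore
        for name in parts[1:]:
            if name.lower().endswith(DUO_SUFFIX):
                findings.append({"line": lineno, "address": parts[0],
                                 "host": name, "sinkhole": ip.is_loopback})
    return findings


def mfa_bypass_assessment(hosts_text: str, fail_open: int) -> Dict[str, object]:
    """Combine the hosts check with the client's fail mode. fail_open mirrors
    the FailOpen DWORD under HKLM\\SOFTWARE\\Duo Security\\DuoCredProv
    (1 = let the logon through when Duo is unreachable, 0 = deny); the
    registry path is taken from Duo's documentation and assumed correct."""
    overrides = find_duo_overrides(hosts_text)
    sinkholed = any(f["sinkhole"] for f in overrides)
    return {
        "overrides": overrides,
        "fail_open": bool(fail_open),
        # MFA is silently off only when the server is unreachable AND the
        # client is configured to let the logon through in that case.
        "mfa_effectively_disabled": sinkholed and bool(fail_open),
    }
```

Run it against the hosts file collected from each domain controller together with the FailOpen value read from the registry; a sinkhole finding with fail mode open is the bypass the advisory describes.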

After successfully disabling MFA, the cyber actors were able to authenticate to the victim’s VPN as non-administrator users and establish Remote Desktop Protocol connections to Windows domain controllers.

According to the advisory, the actors ran commands to obtain credentials for additional domain accounts, modified the MFA configuration file as described above, and bypassed MFA for these newly compromised accounts. They “primarily used internal Windows utilities already present in the victim’s network to perform this activity,” the advisory states.

“By using these compromised accounts without MFA, the Russian state-sponsored cyber actors were able to laterally move to the victim’s cloud storage and email accounts and access desired content.”

PrintNightmare vulnerability exploited in an attack

Threat actors exploited a previously disclosed vulnerability in the Windows Print Spooler service, which lets devices communicate with printers and provides other printing features in various versions of the Windows operating system. The flaw has a base CVSS score of 8.8, just below the 9.0 threshold for a critical rating.

Microsoft said earlier that the bug was exploited in the wild (see: Microsoft releases “PrintNightmare” security update).

Despite warnings from Microsoft and other security researchers over the past few months, unpatched PrintNightmare flaws continue to cause problems for Windows users. In July, CISA issued a directive requiring federal agencies to immediately fix the flaws (see: CISA Emergency Directive: Fixed “PrintNightmare” flaw).

Mitigation measures and challenges

The joint advisory provides tactics, techniques and procedures, indicators of compromise and the following recommendations to protect against malicious Russian state-sponsored cyber activity:

  • Enforce MFA for all users and review configuration policies to protect against “fail open” and re-enrollment scenarios.
  • Ensure that inactive accounts are consistently disabled across Active Directory and MFA systems.
  • Apply patches to all systems and prioritize patches for known exploited vulnerabilities.
  • Implement timeout and lockout features in response to repeated failed login attempts.
  • Update software including operating systems, applications and firmware on computer network assets in a timely manner.
  • Use strong, unique passwords for all accounts with password logins – for example, service accounts, administrator accounts and domain administrator accounts.
  • Do not reuse passwords across multiple accounts or store them on any system that an adversary could gain access to.
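The second recommendation above is the gap the victim fell into: the account was un-enrolled from Duo for inactivity but still enabled in Active Directory, so a guessed password could be turned into a fresh MFA device. The following is an added example, not from the advisory, of the reconciliation an identity team would run between the two systems; both inputs are constructed, and the MFA status strings are assumed to resemble a Duo-style admin export.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

INACTIVITY_DAYS = 90  # policy threshold; an assumption, set by the organization

# Constructed sample data (not from the advisory): a slice of an AD user
# export and the matching MFA provider user list.
AD_USERS = [
    {"sam": "jdoe",   "enabled": True,  "last_logon": date(2022, 3, 10)},
    {"sam": "mlee",   "enabled": True,  "last_logon": date(2021, 1, 4)},  # dormant
    {"sam": "svc-bk", "enabled": True,  "last_logon": None},             # never used
    {"sam": "old-it", "enabled": False, "last_logon": date(2020, 6, 1)},
]
# Status strings are assumed, modelled on a Duo-style admin export.
MFA_USERS = {
    "jdoe": "active",
    "mlee": "disabled",   # MFA side pruned the user; AD did not follow
    "old-it": "disabled",
    # "svc-bk" was never enrolled at all
}


def reconcile(ad_users: List[Dict], mfa_users: Dict[str, str], today: date,
              max_idle_days: int = INACTIVITY_DAYS) -> List[Dict[str, str]]:
    """One finding per enabled AD account that is dormant or lacks an active
    MFA enrollment. A dormant account is disabled on both sides; a live account
    without MFA must be re-enrolled under supervision, never by self-service,
    so that a guessed password cannot be turned into a fresh MFA device."""
    cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for u in ad_users:
        if not u["enabled"]:
            continue                      # already disabled in AD, nothing to do
        last: Optional[date] = u["last_logon"]
        dormant = last is None or last < cutoff
        mfa_status = mfa_users.get(u["sam"], "not enrolled")
        mfa_gap = mfa_status != "active"
        if not (dormant or mfa_gap):
            continue
        findings.append({
            "account": u["sam"],
            "action": "disable in AD and MFA" if dormant
                      else "require supervised MFA re-enrollment",
            "reason": "; ".join(
                (["no logon in %d days" % max_idle_days] if dormant else []) +
                (["MFA status: %s" % mfa_status] if mfa_gap else [])),
        })
    return findings
```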

“This attack showed that once an attacker breached defenses, there were things that should have been fixed internally that clearly weren’t,” says James Griffiths, co-founder and CTO of cybersecurity firm Cyber Security Associates.

While many organizations seek to patch public vulnerabilities, they also need to focus on internal vulnerabilities, says Griffiths, who previously worked with the UK Ministry of Defence and GCHQ.

“Most of the time, this gives hackers easy access to find vulnerabilities and attack internal systems with little protection provided,” he adds.

Although patching vulnerabilities may seem easy, it is difficult for organizations to track and patch every flaw.

Today’s approach to cybersecurity expects every user of software to ensure it’s properly configured and continually patched, says John Goodacre, UK Research and Innovation’s Digital Security by Design program manager. But this is an unsustainable approach, given the increasing rate and severity of cyberattacks, he says.

Goodacre, who is also a professor of computer architecture at the University of Manchester, says users and developers urgently need technology that can block the exploitation of vulnerabilities, and new techniques for configuring and delivering security by default in their code.

Vulnerable MFA

Jasson Casey, chief technology officer at Beyond Identity, says this attack is not shocking because the existing crop of MFA solutions is easily circumvented.

He says the root cause of the attacks is the existence of the password. According to Casey, state actors and less sophisticated adversaries have updated their TTPs to circumvent one-time passwords and push notifications. “Existing MFA is based on a fatally flawed architecture that includes passwords and other easily phished factors,” he says. “For this reason, the US government has decreed that organizations must quickly transition to passwordless, phishing-resistant MFA.”

Alan Calder, CEO of GRC International Group, explains that the attacks are happening because organizations that have migrated to the cloud in the past two years lack the technical expertise to properly configure cloud security and must follow training courses.

And Bud Broomhead, CEO of Viakoo, an automated IoT cyber hygiene provider based in Mountain View, Calif., says that because SIM swapping allows exploits to succeed even when MFA is properly configured on MFA-enabled devices, we can expect to see more of this type of attack vector. “Many IoT devices lack multi-factor authentication, which makes it extremely important that organizations have a strategy for enforcing corporate password policies across their fleets of IoT devices, including regular password rotation, complex passwords, and coordination of passwords with the applications that use IoT devices.”
