Russian Actors Exploit Known MFA Bug to Attack OrganizationCISA, FBI Alerts Offer Attack Analysis, How to Patch PrintNightmare Vulnerability
Russian state-sponsored threat actors are exploiting default multifactor authentication protocols, along with a known vulnerability, to illegally access the network of a nongovernmental organization, U.S. government agencies say.
The bad actors took advantage of a misconfigured account, which was set to default MFA protocols, to access the undisclosed victim's network and move laterally in the organization's cloud environment, a joint advisory, published by U.S. Cybersecurity and Infrastructure Security Agency and the FBI on Tuesday, says. It does not specify who the misconfigured account belonged to, but says that the NGO used technology company Cisco's Duo MFA.
The cyber actors then exploited a previously disclosed critical Windows Print Spooler vulnerability, dubbed PrintNightmare, to run arbitrary code with system privileges. The vulnerability is tracked as CVE-2021-34527.
In an attack that took place in May 2021, the bad actors accessed the NGO's cloud and email accounts for document exfiltration.
The advisory says that the Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolled a new device in the organization's Duo MFA.
"The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory," the advisory says.
The agencies say that Duo's default configuration settings allow for the reenrollment of a new device, especially for dormant accounts, which led attackers to enroll a new device for this account, perform authentication requirements and obtain access to the victim network.
Using this compromised account, the adversaries were able to perform privilege escalation via exploitation of the PrintNightmare vulnerability to obtain administrator privileges, they say.
The actors also modified a domain controller file, which redirected Duo MFA calls to localhost instead of the Duo server. The advisory says this prevented the MFA service from contacting its server to validate MFA login. This, in turn, disabled MFA for active domain accounts because the default policy of Duo for Windows is to "fail open" if the MFA server was unreachable.
Upon successfully disabling MFA, the cyber actors were able to authenticate the victim's virtual private network as nonadministrator users and make Remote Desktop Protocol connections to Windows domain controllers.
According to the advisory, the actors ran commands to obtain credentials for additional domain accounts, changed the MFA configuration file as described above and bypassed MFA for these newly compromised accounts. They "leveraged mostly internal Windows utilities already present within the victim network to perform this activity," the advisory says.
"Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim's cloud storage and email accounts and access desired content."
PrintNightmare Vulnerability Exploited in Attack
The threat actors exploited a previously disclosed vulnerability in the Windows Print Spooler service, which enables devices to communicate with printers and other printing features found in various versions of the Windows operating system. The flaw has a CVSS base rating of 8.8, which is close to a critical score of 9.
Microsoft said earlier that the bug had been exploited in the wild (see: Microsoft Issues 'PrintNightmare' Security Update).
Despite warnings from Microsoft and other security researchers over the last several months, the unpatched PrintNightmare vulnerabilities continue to cause issues for Windows users. In July, CISA issued a directive for federal agencies to immediately patch the flaws (see: CISA Emergency Directive: Patch 'PrintNightmare' Flaw).
Mitigation Measures and Challenges
The joint advisory provides the following tactics, techniques, procedures, indicators of compromise and recommendations to protect against Russian state-sponsored malicious cyber activity:
- Enforce MFA and review configuration policies to protect against "fail open" and reenrollment scenarios.
- Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
- Patch all systems, and prioritize patching for known exploited vulnerabilities.
- Implement timeout and lockout features in response to repeated failed login attempts.
- Update software, including operating systems, applications and firmware on IT network assets, in a timely manner.
- Use strong, unique passwords for all accounts with password logins - e.g., service account, admin accounts and domain admin accounts.
- Do not reuse passwords across multiple accounts or store them on a system to which an adversary may have access.
"This attack has shown that once an attacker has breached the defenses, there were things that should have been patched internally that clearly had not," says James Griffiths, co-founder and technical director of cybersecurity firm Cyber Security Associates.
While a lot of organizations look at patching public-facing vulnerabilities, they must also focus on internal ones, says Griffiths, who previously worked with the U.K. Ministry of Defense and GCHQ.
"A majority of the time, this gives hackers easy access to find vulnerabilities and attack the internal systems with little protection provided," he adds.
While patching the vulnerabilities may sound easy, it is tough for organizations to keep track of and patch every flaw.
The current approach to cybersecurity expects every user of software to ensure it is properly configured and continually patched, says John Goodacre, director of the U.K. Research and Innovation’s Digital Security by Design program. But this is an unsustainable approach, given the increasing rate and severity of cyberattacks, he says.
Goodacre, who is also a professor of computer architectures at the University of Manchester, says users and developers urgently need technology that can block vulnerabilities from exploitation and new techniques to configure and deliver security by default in their code.
Jasson Casey, chief technology officer at Beyond Identity, says this attack is not shocking as the existing crop of MFA solutions is easily bypassed.
He says the root cause of attacks is the existence of the password. According to Casey, state actors and less sophisticated adversaries have updated their TTPs to bypass one-time passwords and push notifications. "Existing MFA is based on a fatally flawed architecture that includes passwords and other easily phishable factors," he says. "For this reason, the U.S. government decreed that organizations need to rapidly move to phishing-resistant, passwordless MFA."
Alan Calder, CEO of GRC International Group, says attacks occur because organizations that have migrated to the cloud over the last couple of years don't have the technical expertise to correctly configure cloud security and need to attend training courses.
And Bud Broomhead, CEO at Viakoo, a Mountain View, California-based provider of automated IoT cyber hygiene, says that with SIM swapping enabling more exploits to happen despite MFA being set up properly on devices that support MFA, we can expect to see more of this type of attack vector. "Many IoT devices lack multifactor authentication, making it critically important that organizations have a strategy for enforcing corporate password policies across their fleets of IoT devices, including regular password rotations, complex passwords being used, and coordination of passwords with the applications using IoT devices."