
FBI warns of MFA flaw used by state hackers for lateral movement
2022-03-15 21:20

The FBI says Russian state-backed hackers gained access to a non-governmental organization's cloud environment after enrolling their own device in the organization's Duo MFA, taking advantage of default multifactor authentication settings that had been left in place.

To breach the network, they used credentials obtained through a brute-force password-guessing attack against an account that was inactive and not yet enrolled in Duo, but still enabled in the organization's Active Directory. Because no MFA device was registered to the account, the attackers were able to enroll their own.

The next step was to neutralize MFA for everyone: after modifying the hosts file on a domain controller, all Duo MFA calls were redirected to localhost instead of the Duo server. With the Duo service unreachable, the default "fail open" configuration let authentication succeed without a second factor.

With MFA no longer enforced and the compromised accounts in hand, the Russian-backed threat actors could move laterally, gain access to cloud storage and email accounts, and exfiltrate data.

The key mitigation: ensure inactive accounts are disabled uniformly across Active Directory and the MFA system, so a dormant AD account can never be paired with an open MFA enrollment, and review MFA configuration so that loss of connectivity to the MFA service fails closed rather than open.
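The following triage script is an added example, not part of the article or the FBI advisory, for checking a domain controller for the two conditions described above: a hosts-file redirect of Duo hostnames and an MFA deployment that fails open, plus the enabled-but-inactive AD accounts that made the initial foothold possible. It assumes Duo Windows Logon keeps its fail-open flag in the registry value HKLM\SOFTWARE\Duo Security\DuoCredProv\FailOpen, that the Duo Authentication Proxy config lives at C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg, and that 90 days is a reasonable inactivity threshold; none of these values come from the page, so adjust them to the environment.

```powershell
# Added triage script (not from the article or the advisory). Run elevated on a domain controller.
# Assumed (not stated on the page): registry path, authproxy.cfg path, 90-day inactivity window.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopback  = @('127.0.0.1', '::1', '0.0.0.0')

# 1. Duo API hostnames should resolve via DNS, so any hosts-file entry for them is suspicious.
#    A loopback or blackhole target is exactly the redirect the FBI described.
$suspicious = Get-Content -Path $hostsPath -ErrorAction Stop |
    ForEach-Object { ($_ -split '#')[0].Trim() } |   # drop comments
    Where-Object { $_ -match '\S' } |                 # drop blank lines
    ForEach-Object {
        $fields = $_ -split '\s+'
        $ip     = $fields[0]
        $names  = $fields | Select-Object -Skip 1     # one IP, one or more hostnames
        foreach ($n in $names) {
            if ($n -like '*.duosecurity.com') {
                [pscustomobject]@{
                    Host     = $n
                    Target   = $ip
                    Loopback = ($loopback -contains $ip)
                }
            }
        }
    }
if ($suspicious) {
    Write-Warning "Duo hostnames pinned in $hostsPath (possible MFA bypass):"
    $suspicious | Format-Table -AutoSize
} else {
    "No Duo entries in $hostsPath"
}

# 2. Fail-open settings.
#    Duo Windows Logon: FailOpen=1 (the default) allows logon when the Duo service is unreachable.
$credProv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Duo Security\DuoCredProv' -ErrorAction SilentlyContinue
if ($credProv) {
    $mode = if ($credProv.FailOpen -eq 0) { 'fail closed' } else { 'FAIL OPEN' }
    "Duo Windows Logon: $mode (FailOpen=$($credProv.FailOpen))"
}
#    Duo Authentication Proxy: failmode=safe (the default) allows, failmode=secure denies.
$cfg = 'C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg'
if (Test-Path $cfg) {
    $failLines = Get-Content -Path $cfg | Where-Object { $_ -match '^\s*failmode\s*=' }
    if (-not $failLines) {
        Write-Warning "authproxy.cfg sets no explicit failmode; the default 'safe' fails open"
    } else {
        foreach ($line in $failLines) {
            if ($line -match 'safe') { Write-Warning "fail open: $line" } else { "fail closed: $line" }
        }
    }
}

# 3. Enabled user accounts with no logon in 90 days: the kind of dormant account that was brute-forced.
#    Disable them in AD and remove them from the MFA system in the same change.
Import-Module ActiveDirectory -ErrorAction Stop
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate
```

Step 1 is the detection most worth alerting on continuously: a file-integrity or EDR rule on the hosts file that fires on any line containing duosecurity.com catches this technique regardless of which IP the attacker points it at. Steps 2 and 3 are the preventive side; flipping the deployment to fail closed means an outage becomes a support ticket rather than an authentication bypass.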

Previous joint advisories also warned of Russian state hackers targeting and compromising US defense contractors supporting the US Army, US Air Force, US Navy, US Space Force, and DoD and Intelligence programs.


News URL

https://www.bleepingcomputer.com/news/security/fbi-warns-of-mfa-flaw-used-by-state-hackers-for-lateral-movement/