FBI, CISA Warn of Russian Hackers Exploiting MFA and PrintNightmare Bug (Security News, March 2022)
"As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default protocols at a non-governmental organization, allowing them to enroll a new device for MFA and access the victim network," the agencies said.
The attack was pulled off by gaining initial access to the victim organization with compromised credentials, obtained through a brute-force password guessing attack, and then enrolling a new device in the organization's Duo MFA. It's also noteworthy that the breached account had been un-enrolled from Duo after a long period of inactivity but had not yet been disabled in the NGO's Active Directory, which allowed the attackers to escalate their privileges using the PrintNightmare flaw and disable the MFA service altogether.
"As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network," the agencies explained.
Turning off MFA, in turn, allowed the state-sponsored actors to authenticate to the NGO's virtual private network as non-administrator users, connect to Windows domain controllers via Remote Desktop Protocol, and obtain credentials for other domain accounts.
In the final stage of the attack, the newly compromised accounts were subsequently utilized to move laterally across the network to siphon data from the organization's cloud storage and email accounts.
To mitigate such attacks, both CISA and the FBI recommend that organizations enforce and review multi-factor authentication configuration policies, disable inactive accounts in Active Directory, and prioritize patching of known exploited flaws.
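The dormant-account gap described above (un-enrolled from the MFA provider, still enabled in Active Directory) is something a domain admin can look for directly. The following is an added example, not code from the advisory or the article: it uses the RSAT ActiveDirectory module to list enabled user accounts with no logon in a chosen window and stages them for disabling. The 90-day threshold and the exclusion of accounts that have never logged on are assumptions, not recommendations from the agencies.

```powershell
# Added example (not from the advisory): find enabled AD user accounts that have
# been inactive long enough that an MFA provider may have dropped their enrollment,
# then disable them so a re-enrolled device cannot be used to sign in.
# Assumes the RSAT ActiveDirectory module and read rights on the domain.
Import-Module ActiveDirectory

# Inactivity window is an assumption; align it with your own account-lifecycle policy.
$inactiveFor = New-TimeSpan -Days 90

# Search-ADAccount -AccountInactive evaluates LastLogonDate, which is derived from the
# replicated lastLogonTimestamp attribute and can lag real logons by up to ~14 days.
# Treat the result as a review list, not as proof that the account is unused.
$dormant = Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -UsersOnly |
    Where-Object { $_.Enabled -eq $true -and $null -ne $_.LastLogonDate }

# Show what was found, oldest logon first, so reviewers can spot service or break-glass
# accounts that should be handled separately.
$dormant |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

# Keep an audit record of the review set before changing anything.
$dormant |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv -Path ".\dormant-accounts-review.csv" -NoTypeInformation

# Disable the accounts. -WhatIf prints the intended change without applying it;
# remove it once the list has been reviewed.
$dormant | Disable-ADAccount -WhatIf
```

Disabling the account in Active Directory closes the gap regardless of what the MFA provider's re-enrollment policy allows, because a disabled account cannot complete the first authentication factor at all. Run the report on a schedule and compare it against the MFA provider's own list of un-enrolled users so the two systems do not drift apart.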
News URL: https://thehackernews.com/2022/03/fbi-cisa-warn-of-russian-hackers.html
Related news
- CISA: Hackers target industrial systems using "unsophisticated methods"
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure
- 100+ domains seized to stymie Russian Star Blizzard hackers
- Pro-Ukrainian Hackers Strike Russian State TV on Putin's Birthday
- US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers
- CISA: Hackers abuse F5 BIG-IP cookies to map internal servers
- Russian hackers deliver malicious RDP configuration files to thousands
- FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions
- FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails