
Russia-linked attackers breach NGO by exploiting MFA, PrintNightmare vuln
2022-03-16 15:30

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint alert on March 15 warning organizations that state-backed attackers could use default MFA protocols and the PrintNightmare flaw to access networks.

In this case, the unnamed cybercriminal gang took advantage of a misconfigured account and the default MFA protocols at the NGO. The attackers enrolled a new device for MFA, accessed the NGO's network, and then exploited the PrintNightmare flaw, tracked as CVE-2021-34527, to run malicious code and gain system privileges. That gave them access to email accounts and let them move laterally to the organization's cloud environment and steal documents.

Aaron Turner, vice president of SaaS posture at cybersecurity firm Vectra, told The Register in an email that since 2020, Russia had "shown that they have developed significant capabilities to bypass MFA when it is poorly implemented or operated in a way that allows attackers to compromise material pieces of cloud identity supply chains."

The threat actors leveraged this access to exploit the PrintNightmare vulnerability, gain administrator privileges, and modify a domain controller so that the Duo MFA client could not contact its server to validate the MFA login.
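Two of the steps above leave traces a defender can look for: a new MFA device enrolled on an account that has been dormant for months, and a login that succeeds while the MFA service is unreachable (the "fail open" condition created by blocking the domain controller from reaching the Duo server). The following is an added illustration, not code from the advisory, The Register, or Duo; the pipe-delimited log format, the event names (`mfa_enroll`, `login_success`) and the `mfa=unreachable` detail are constructed assumptions, and the sample log is made up.

```python
"""Detection heuristics for the MFA-abuse pattern described above.

Added example, not from the advisory or from Duo. The log schema below is a
constructed simplification: one event per line as
    timestamp|user|event_kind|key=value[,key=value...]
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events. "bob" goes quiet for months and then enrolls a
# new MFA device; "carol" logs in while the MFA service reports unreachable.
SAMPLE_LOG = """\
2021-05-01T09:12:00|alice|login_success|mfa=ok
2021-05-02T10:00:00|bob|login_success|mfa=ok
2021-05-03T08:30:00|carol|login_success|mfa=ok
2022-02-10T03:14:00|bob|mfa_enroll|device=new-phone
2022-02-10T03:15:00|bob|login_success|mfa=ok
2022-02-11T22:40:00|carol|login_success|mfa=unreachable
2022-02-12T07:05:00|alice|login_success|mfa=ok
"""

DORMANT_DAYS = 90  # assumed threshold for "inactive account"


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    detail: dict


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, detail = line.split("|", 3)
        kv = dict(item.split("=", 1) for item in detail.split(",") if item)
        events.append(Event(datetime.fromisoformat(ts), user, kind, kv))
    return events


def find_dormant_enrollments(events: list, dormant_days: int = DORMANT_DAYS) -> list:
    """Flag mfa_enroll events on accounts with no activity for > dormant_days.

    Returns (user, enrollment timestamp) pairs. Accounts with no prior history
    are not flagged here; that is a design choice, since a first-ever
    enrollment is normal onboarding rather than a reactivated dormant account.
    """
    last_seen = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_enroll":
            prev = last_seen.get(ev.user)
            if prev is not None and ev.ts - prev > timedelta(days=dormant_days):
                findings.append((ev.user, ev.ts.isoformat()))
        last_seen[ev.user] = ev.ts
    return findings


def find_fail_open_logins(events: list) -> list:
    """Flag successful logins where the MFA service could not be reached.

    A properly configured deployment should fail closed; a success here means
    MFA was effectively skipped for that login.
    """
    return [
        (ev.user, ev.ts.isoformat())
        for ev in sorted(events, key=lambda e: e.ts)
        if ev.kind == "login_success" and ev.detail.get("mfa") == "unreachable"
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("dormant-account enrollments:", find_dormant_enrollments(evs))
    print("fail-open logins:", find_fail_open_logins(evs))
```

Run against a real identity-provider export, the two functions map onto two separate alerts: the dormancy check is a hunting query (tune `dormant_days` to the organization's leaver process), while any hit from the fail-open check should be treated as an MFA bypass until proven otherwise, because the MFA server being unreachable from a domain controller is itself the condition the attackers engineered.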

"SIM swapping is enabling more exploits to happen despite MFA being set up properly on devices that support MFA," Broomhead told The Register in an email.

"If MFA becomes compromised, there is still a lifeline through least privilege policy enforcement to minimize the access to that sensitive data," O'Connor told The Register in an email.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/16/russia-attack-ngo-mfa-printnightmare/

Related Vulnerability

DATE: 2021-07-02
CVE: CVE-2021-34527
VULNERABILITY TITLE: Improper Privilege Management vulnerability in Microsoft products
DESCRIPTION: A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.
ATTACK VECTOR: network
ATTACK COMPLEXITY: low complexity
VENDOR: microsoft
CWE: CWE-269
RISK (CVSS): 8.8