CISA & FBI Warn Against Russian Actor MFA Exploits

In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn that state-sponsored Russian actors are using the PrintNightmare vulnerability and default multi-factor authentication (MFA) protocols to break into systems and obtain sensitive information.

Russian state-sponsored cyber attackers have been exploiting these weaknesses since early May 2021, when a non-governmental organization (NGO) was targeted using these approaches. By taking advantage of a Cisco Duo MFA account’s default multi-factor authentication methods, the threat actors were able to connect to the network. They then exploited the PrintNightmare vulnerability to execute malware with system privileges, moved laterally to the NGO’s cloud and email accounts, and exfiltrated data. PrintNightmare (CVE-2021-34527) is a significant remote code execution vulnerability in the print spooler service of Microsoft Windows.

Using compromised credentials obtained through a brute force attack, the attackers were able to enroll a new device in the NGO’s Duo MFA. After a prolonged period of inactivity, the account had been removed from Duo, but it had not been deactivated in Active Directory. Because Duo’s default setting permits the re-enrollment of new devices for inactive accounts, the attackers were able to enroll a new device, satisfy the authentication criteria, and get access to the network. The privileges were subsequently raised to admin level by exploiting the PrintNightmare vulnerability.

Because Duo on Windows by default fails open if the MFA server cannot be accessed, the threat actors were able to modify the settings of Duo MFA to call the local host rather than the Duo server, disabling multi-factor authentication for active domain accounts. The threat actors were then able to move laterally to the cloud environment and email accounts of the NGO using compromised credentials and no MFA enforcement.

To prevent these tactics from succeeding, CISA and the FBI have issued a list of recommended mitigations. All accounts should have strong, unique passwords, and those passwords shouldn’t be stored on a system where an attacker may get access. Entities should use a password manager; the strong password generators built into these tools can help prevent users from choosing weak passwords. Furthermore, organizations should implement time-out and lock-out features after a certain number of unsuccessful login attempts to make brute force attacks more difficult to perform. The FBI has asked entities to enforce MFA for all of their users and to regularly review MFA configuration policies to protect against fail open and re-enrollment scenarios.
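As an added example (not part of the advisory or of any Duo or Microsoft tooling), the review for re-enrollment exposure described above can be run as a cross-check of a directory export against an MFA enrollment export. The CSV column names, the sample rows and the 90-day dormancy threshold are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports; column names are assumptions, not a real AD or Duo schema.
AD_EXPORT = """username,enabled,last_logon
alice,true,2021-04-28
bob,true,2020-09-14
carol,false,2020-06-01
dave,true,2020-11-02
"""
MFA_EXPORT = """username,enrolled_devices
alice,1
dave,1
"""

def load(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def audit(ad_rows, mfa_rows, today, dormant_days=90):
    """Return {username: [findings]} for enabled directory accounts that are
    dormant and/or have no MFA device, i.e. candidates for re-enrollment abuse."""
    enrolled = {r["username"].lower() for r in mfa_rows
                if int(r["enrolled_devices"]) > 0}
    cutoff = today - timedelta(days=dormant_days)
    findings = {}
    for row in ad_rows:
        if row["enabled"].strip().lower() != "true":
            continue  # disabled in the directory, so it cannot be used to log on
        user = row["username"].lower()
        issues = []
        if user not in enrolled:
            issues.append("enabled in AD but no MFA device enrolled")
        if datetime.strptime(row["last_logon"], "%Y-%m-%d") < cutoff:
            issues.append("dormant for more than %d days" % dormant_days)
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    result = audit(load(AD_EXPORT), load(MFA_EXPORT), datetime(2021, 5, 1))
    for user, issues in sorted(result.items()):
        print(user + ": " + "; ".join(issues))
```

Accounts flagged with both findings match the pattern in the advisory: still enabled in the directory, unused, and open to a fresh device enrollment by whoever holds the password.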