Hackers Breach Multifactor Authentication
Hackers have been detected exploiting Multi-Factor Authentication (MFA) default protocols together with the “PrintNightmare” vulnerability.
State-sponsored threat actors from Russia over the last year breached a non-governmental organisation (NGO) by leveraging multifactor authentication (MFA) defaults and exploiting the PrintNightmare vulnerability in Windows Print Spooler.
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have analysed the intrusion and released an advisory raising serious concern about how Russian state-sponsored actors gained access to an NGO's network.
CISA observed regular targeting of US Security Cleared Defense Contractors (CDCs) by Russian state-sponsored cyber actors. Microsoft has assigned CVE-2021-34527 to the print spooler remote code execution vulnerability known as "PrintNightmare" and confirmed that the offending code is lurking in all versions of Windows.
The hackers were able to gain access to an NGO’s cloud and email accounts, move laterally in the organisation’s network and exfiltrate documents, according to the FBI and CISA.
The actors have targeted both large and small CDCs and subcontractors with varying levels of cyber security protocols and resources. “Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security... These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data,” says CISA.
As early as May 2021, the hackers gained access to the NGO’s network by guessing the password of an inactive account to enroll a new device in the organisation’s Duo MFA.
They exploited the PrintNightmare vulnerability, which caused havoc in 2021 before being patched, to gain domain administrator access, then redirected Duo MFA to disable multi-factor authentication for active accounts and add further accounts. CISA does not give details of what data was exfiltrated, but the FBI and CISA recommend steps organisations should take, in addition to reminding them to “remain cognisant of the threat of state-sponsored cyber actors”, including:
- Enforce MFA for all users, without exception.
- Implement time-out and lock-out features in response to repeated failed login attempts.
- Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
- Update software, including operating systems, applications, and firmware on IT network assets in a timely manner.
- Require all accounts with password logins
- Continuously monitor network logs for suspicious activity and unauthorised or unusual login attempts.
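A reconciliation check for the dormant-account re-enrollment pattern described above (an inactive account used to enroll a new MFA device), as an added example that is not from the CISA advisory or this article. The AD and MFA records are constructed sample data and the field names and 90-day threshold are assumptions, not any vendor's export format.

```python
# Added example: reconcile AD activity against MFA enrollments to catch the
# dormant-account re-enrollment pattern. Sample records and field names
# below are constructed assumptions, not any vendor's export format.
from datetime import datetime, timedelta

DORMANT_DAYS = 90  # assumption: no logon for 90 days counts as inactive

# Constructed AD export: account name, enabled flag, last logon date
AD_ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "last_logon": "2021-05-10"},
    {"user": "svc_backup", "enabled": True, "last_logon": "2020-11-02"},
    {"user": "mlee", "enabled": False, "last_logon": "2020-08-15"},
    {"user": "akhan", "enabled": True, "last_logon": "2021-05-11"},
]

# Constructed MFA enrollment log: user, device label, enrollment date
MFA_ENROLLMENTS = [
    {"user": "jsmith", "device": "phone-1", "enrolled": "2021-01-20"},
    {"user": "svc_backup", "device": "phone-9", "enrolled": "2021-05-12"},
    {"user": "mlee", "device": "phone-2", "enrolled": "2021-05-12"},
    {"user": "akhan", "device": "phone-3", "enrolled": "2021-05-12"},
]

def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")

def dormant_but_enabled(accounts, as_of, dormant_days=DORMANT_DAYS):
    """Accounts still enabled in AD with no logon within dormant_days."""
    cutoff = _d(as_of) - timedelta(days=dormant_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and _d(a["last_logon"]) < cutoff)

def suspicious_enrollments(accounts, enrollments, dormant_days=DORMANT_DAYS):
    """MFA devices enrolled on accounts that were disabled in AD, had no
    AD account at all, or had been dormant for longer than dormant_days."""
    by_user = {a["user"]: a for a in accounts}
    flagged = []
    for e in enrollments:
        acct = by_user.get(e["user"])
        if acct is None:
            flagged.append((e["user"], e["device"], "no AD account"))
            continue
        gap = (_d(e["enrolled"]) - _d(acct["last_logon"])).days
        if not acct["enabled"]:
            flagged.append((e["user"], e["device"], "account disabled in AD"))
        elif gap > dormant_days:
            flagged.append((e["user"], e["device"], f"dormant {gap} days"))
    return flagged
```

Run against real AD and MFA exports, the first function lists accounts that should already be disabled in both systems, and the second surfaces enrollments worth investigating immediately.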
The CISA advisory says the cyberattack targeting the NGO began as far back as May 2021. The location of the NGO and the full timespan over which the attack occurred were not specified.