Hackers Breach Multifactor Authentication

Uploaded on 2022-04-08 in TECHNOLOGY--Hackers, FREE TO VIEW

Hackers  been detected exploiting Multi-Factor Authentication (MFA) default  protocols with the “PrintNightmare” vulnerability. 

State-sponsored threat actors from Russia over the last year breached a non-governmental organisation (NGO) by leveraging multifactor authentication (MFA) defaults and exploiting the PrintNightmare vulnerability in Windows Print Spooler. 

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have analysed and released a serious concern about how Russian state-sponsored actors have gained access to an NGO's network.

CISA observed regular targeting of US Security Cleared Defense Contractors (CDCs) by Russian state-sponsored cyber actors. Microsoft has assigned CVE-2021-34527 to the print spooler remote code execution vulnerability known as "PrintNightmare" and confirmed that the offending code is lurking in all versions of Windows.

The hackers were able to gain access to an NGO’s cloud and email accounts, move laterally in the organisation’s network and exfiltrate documents, according to the FBI and CISA.

The actors have targeted both large and small CDCs and subcontractors with varying levels of cyber security protocols and resources. “Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security... These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data, “says the CISA.  

As early as May 2021, the hackers gained access to the NGO’s network by guessing the password of an inactive account to enroll a new device in the organisation’s Duo MFA. 

They exploited the PrintNightmare vulnerability, which caused havoc in 2021 before being patched, to get domain administrator access and redirected DUO MFA to disable multi-factor authentication for active accounts to add even more accounts. CISA do not give the details what data was exfiltrated, but the FBI and CISA recommended what organisations should do, in addition to reminding them to “remain cognisant of the threat of state-sponsored cyber actors including:

  • Enforce MFA for all users, without exception.
  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
  • Update software, including operating systems, applications, and firmware on IT network assets in a timely manner
  • Require all accounts with password logins
  • Continuously monitor network logs for suspicious activity and unauthorised or unusual login attempts.

The CISA advisory says the cyberattack targeting the NGO began as far back as May 2021. The location of the NGO and the full timespan over which the attack occurred were not specified. 

CISA:       Microsoft:   Venturebeat:     The Register:     

You Might Also Read: 

Two-Factor Authentication Matters More Than Ever:

 

« Protecting Your Business From A Supply Chain Attack
Technology’s Impact On Cyber Security »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Qualitest Group

Qualitest Group

Qualitest is the world’s largest pure play Quality Assurance and software testing company.

Lloyd's

Lloyd's

As an insurance market, Lloyd’s can provide access to more than 65 expert cyber risk insurers in one place.

LEXFO

LEXFO

LEXFO specializes in the security of information systems, assisting clients in protecting information assets using an offensive and innovative approach.

Cyber Security For Critical Assets (CS4CA)

Cyber Security For Critical Assets (CS4CA)

Cyber Security For Critical Assets is a global series of summits focusing on cyber security for critical infrastructure.

Alan Boswell Group

Alan Boswell Group

We are a Group of Companies providing specialist Insurance Broking and Risk Management advice and services including Cyber Risk cover.

TechGuard Security

TechGuard Security

TechGuard Security was founded to address national cyber defense initiatives and US critical infrastructure security.

Vintegris

Vintegris

Vintegris are a Certification Authority and manufacturer of innovative systems and applications for the full cycle of digital identity.

MyCyberSecurity Clinic (MyCSC)

MyCyberSecurity Clinic (MyCSC)

MyCyberSecurity Clinic's main goal is toward establishing an international reference centre for excellence in the field of digital forensics and data recovery services.

Spin Technology

Spin Technology

SpinOne is a SaaS data protection platform designed to monitor, secure, and back up your G Suite and O365 data, improve compliance, and reduce IT costs.

WidePoint

WidePoint

WidePoint Corporation is an innovative provider of Trusted Mobility Management (TM2) solutions.

Coralogix

Coralogix

Coralogix are rebuilding the path to observability using a real-time streaming analytics pipeline that provides monitoring, visualization, and alerting capabilities without the burden of indexing.

Telstra

Telstra

Telstra is one of the world's leading telecommunications and technology companies, offering a wider range of services from networks and cloud solutions to mobility and enterprise collaboration tools.

FortiGuard Labs

FortiGuard Labs

FortiGuard Labs is the threat intelligence and research organization at Fortinet. Its mission is to provide Fortinet customers with the industry’s best threat intelligence.

GetHacked.ca

GetHacked.ca

GetHackded.ca is a certified company offering penetration testing and specialized cybersecurity services.

The Cyber Scheme

The Cyber Scheme

The Cyber Scheme provides NCSC certified and assured assessments, training and career support for security testers & technical cyber professionals.

Telenor Cyberdefence

Telenor Cyberdefence

Telenor Cyberdefence is a newly established (2024) cloud-born Managed Security Service Provider focused on the Nordic markets.