MFA and the PrintNightmare Vulnerability Exploited by Russian State-Sponsored Actors

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint cybersecurity advisory warning that Russian state-sponsored actors are exploiting default multi-factor authentication (MFA) configurations together with the PrintNightmare vulnerability to gain access to networks and steal sensitive information.

Russian state-sponsored cyber actors used these techniques as early as May 2021 in an intrusion at a non-governmental organization (NGO). They obtained initial access by abusing the default MFA enrollment behaviour on a dormant account. They then exploited PrintNightmare, the critical remote code execution vulnerability in the Microsoft Windows Print Spooler service (CVE-2021-34527), to run arbitrary code with SYSTEM privileges, moved laterally to the NGO's cloud and email accounts, and exfiltrated documents.

The attackers enrolled a new device in the NGO's Duo MFA using stolen credentials, which they had obtained by brute-forcing an account that had a simple, predictable password. Because the account had been inactive for a long period it had been un-enrolled from Duo, but it was never disabled in Active Directory. In its default configuration, Duo allows a dormant account to re-enroll a new device, so the attackers were able to register their own device, satisfy the MFA requirement, and gain access to the network. They then exploited the PrintNightmare vulnerability to escalate their privileges to administrator level.

With administrative privileges, the threat actors redirected the Duo API hostname to localhost instead of the real Duo server (according to the advisory, by editing the Windows hosts file on a domain controller). This effectively disabled MFA for active domain accounts, because Duo's default policy on Windows is to "fail open" when the MFA server cannot be reached: authentication proceeds on the password alone. Logging in with the compromised credentials and no MFA challenge, the actors accessed the NGO's cloud platform and email accounts.
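The bypass above leaves two checkable traces on a Windows host: a static hosts-file entry pinning a Duo API hostname to loopback, and a Duo for Windows Logon client left in its fail-open mode. The following PowerShell is an added audit script written for this page; it is not from the CISA/FBI advisory or from Duo. The registry key and value name follow Duo's published documentation for the Windows Logon client and should be verified against your installed version, and the sample hosts file (including the `api-12345678.duosecurity.com` hostname) is constructed for the demonstration.

```powershell
# Added example, not advisory or Duo code. Audits a host for the conditions that
# made the MFA bypass work: a hosts-file override of the Duo API hostname and a
# fail-open Duo for Windows Logon configuration.

function Find-DuoHostsOverride {
    param(
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    $loopback = @('127.0.0.1', '::1', '0.0.0.0')
    $findings = @()
    foreach ($line in Get-Content -Path $HostsPath -ErrorAction Stop) {
        $entry = ($line -split '#')[0].Trim()        # drop comments and whitespace
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }       # malformed line: no hostname
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # Any static mapping for a Duo API host is abnormal: it must resolve via DNS.
            if ($name -match '\.duosecurity\.com$') {
                $findings += [pscustomobject]@{
                    Hostname   = $name
                    Address    = $ip
                    ToLoopback = ($loopback -contains $ip)   # the fail-open trick
                    Line       = $line
                }
            }
        }
    }
    return $findings
}

function Get-DuoWinLogonFailMode {
    # Assumption: key and value name per Duo's Windows Logon documentation.
    $key = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
    if (-not (Test-Path -Path $key)) { return 'Duo for Windows Logon not installed' }
    $failOpen = (Get-ItemProperty -Path $key -Name FailOpen -ErrorAction SilentlyContinue).FailOpen
    # Duo's documented default is fail open, so a missing value means open as well.
    if ($null -eq $failOpen -or $failOpen -eq 1) { return 'FailOpen (Duo unreachable => password only)' }
    return 'FailClosed'
}

# Constructed sample hosts file (not captured from a real system) so the
# detection can be exercised without touching the live hosts file.
$sample = Join-Path -Path $env:TEMP -ChildPath 'hosts.sample'
@"
# standard entries
127.0.0.1   localhost
10.0.0.5    fileserver.corp.example
127.0.0.1   api-12345678.duosecurity.com   # attacker-added: pins Duo API to loopback
"@ | Set-Content -Path $sample

Find-DuoHostsOverride -HostsPath $sample | Format-Table -AutoSize
Get-DuoWinLogonFailMode
```

Run `Find-DuoHostsOverride` with no arguments to audit the real hosts file; any result is worth investigating, and `ToLoopback = True` on a domain controller is the exact artifact the advisory describes. A fail-open client is not by itself an indicator of compromise, but combined with an attacker who can edit the hosts file or block outbound DNS it turns MFA into a single factor.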

Russian state-sponsored actors are adept at exploiting poorly configured MFA deployments to gain access to networks and steal sensitive information. The same techniques can be used against any misconfigured MFA system; they do not depend on the victim using Cisco's Duo MFA.

The FBI and CISA provided a list of mitigations to prevent these techniques from succeeding. Use strong, unique passwords for all accounts, and never store passwords on a system an adversary could access. Consider deploying a password manager; these tools generate strong passwords and help stop users from choosing weak or reused ones. To defeat brute-force attacks, enforce time-out and lock-out after a set number of unsuccessful login attempts.

The FBI and CISA state that MFA must be enforced for all users without exception. However, before relying on MFA, review the configuration options to guard against fail-open and re-enrollment scenarios. Disable inactive accounts consistently in both Active Directory and the MFA system, review system logs for suspicious activity and unauthorized or unusual login attempts, and keep software and operating systems up to date, prioritizing patches for known exploited vulnerabilities.
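The mitigations in the two paragraphs above map onto a few concrete domain administration steps. The following PowerShell is an added example written for this page, not code from the advisory; it assumes the Active Directory module (RSAT) on a domain controller or management host, and the 90-day inactivity threshold and the lockout values are assumptions to be replaced with your own policy. Every change is issued with `-WhatIf` so the script reports what it would do without modifying anything until you remove that switch.

```powershell
# Added example, not advisory code. Implements the advisory's account-hygiene
# and PrintNightmare mitigations as a domain administrator would run them.
Import-Module ActiveDirectory

# 1. Account lockout: caps online password guessing like the brute force that
#    yielded the NGO's credentials. Values are assumptions; adjust to policy.
$domain = (Get-ADDomain).DNSRoot
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -WhatIf

# 2. Disable dormant users in AD, not only in the MFA provider. The intrusion
#    relied on an account Duo had un-enrolled but AD still accepted.
$inactiveDays = 90   # assumption: threshold your policy requires
$dormant = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $inactiveDays) -UsersOnly |
    Where-Object { $_.Enabled }
foreach ($account in $dormant) {
    Write-Host ("Disabling {0} (last logon: {1})" -f $account.SamAccountName, $account.LastLogonDate)
    Disable-ADAccount -Identity $account -WhatIf
}

# 3. PrintNightmare (CVE-2021-34527) exposure: the Print Spooler should not run
#    on domain controllers or on servers that never print. Report and stop it.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    Write-Warning ("Print Spooler is running (start type: {0})" -f $spooler.StartType)
    Stop-Service -Name Spooler -WhatIf
    Set-Service -Name Spooler -StartupType Disabled -WhatIf
}
else {
    Write-Host 'Print Spooler is not running.'
}
```

Stopping the Spooler removes the vulnerable code path only where printing is not needed; elsewhere the fix is the vendor patch, which should be prioritized as the advisory says because the vulnerability is known to be exploited. The lockout threshold is a trade-off: too low and an attacker can lock users out at will, too high and guessing proceeds unhindered.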