Russian Hackers Exploiting MFA and PrintNightmare Bug

According to an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), Russian hackers are exploiting a misconfigured MFA setup together with the PrintNightmare bug to break into the network of an unnamed non-governmental entity.

The agencies mentioned, “As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default [multi-factor authentication] protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network.” 

They further added, “The actors then exploited a critical Windows Print Spooler vulnerability, ‘PrintNightmare’ (CVE-2021-34527) to run arbitrary code with system privileges.”

The attackers gained initial access to the victim organization by compromising credentials: they obtained a valid username and password through a brute-force password-guessing attack, then enrolled a new device in the organization’s Duo MFA.

What’s noteworthy is that the breached account had been un-enrolled from Duo after a long period of inactivity, but had not been disabled in the NGO’s Active Directory. From there the attackers were able to escalate their privileges using the PrintNightmare flaw and disable the MFA service altogether.

The agencies explained, “As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.” 

With MFA turned off, the state-sponsored actors were able to authenticate to the NGO’s virtual private network (VPN) as non-administrator users, connect to Windows domain controllers via Remote Desktop Protocol (RDP), and obtain credentials for other domain accounts.

Finally, the attackers used the newly compromised accounts to move laterally across the network and siphon data from the organization’s cloud storage and email accounts.

CISA and the FBI advise organizations to enforce and review multi-factor authentication configuration policies, disable inactive accounts in Active Directory, and prioritize patching of known exploited flaws to mitigate such attacks.
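Two of those recommendations can be checked from a domain-joined admin workstation. The script below is an added example, not code from the CISA/FBI advisory or from this article: it lists Active Directory accounts that are still enabled despite a long period of inactivity (the condition that let a dormant account re-enroll a new MFA device in this incident), and it reports whether the Print Spooler service that PrintNightmare lives in is running on each domain controller. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module, an account permitted to read (and, with -Remediate, modify) AD objects and remote services, and a 90-day inactivity threshold, which is an assumed policy value rather than one from the advisory.

```powershell
# Added example (not from the CISA/FBI advisory or this article).
# Audits two weaknesses described above: dormant-but-enabled AD accounts, and the
# Print Spooler service running on domain controllers.
# Assumptions: Windows PowerShell 5.1, RSAT ActiveDirectory module, rights to read AD
# and query/stop remote services. The 90-day threshold is an assumed policy value.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 90,   # assumed policy value; align with local policy
    [switch]$Remediate         # without this switch the script only reports
)

Import-Module ActiveDirectory

# 1. Enabled user accounts with no logon in $InactiveDays days. An MFA provider
#    may treat such accounts as dormant and allow a new device to be enrolled,
#    so they should be disabled in AD, not just left un-enrolled from MFA.
$dormant = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled }

foreach ($user in $dormant) {
    Write-Output ("Dormant but enabled: {0} (last logon: {1})" -f $user.SamAccountName, $user.LastLogonDate)
    if ($Remediate -and $PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $user.SamAccountName
    }
}

# 2. Print Spooler on domain controllers. CVE-2021-34527 (PrintNightmare) is a
#    Print Spooler flaw; DCs rarely need the service, so beyond patching it should
#    be stopped and disabled where it is not required.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    $spooler = Get-Service -Name Spooler -ComputerName $dc -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        Write-Warning "$dc : could not query the Spooler service"
        continue
    }
    Write-Output ("{0}: Spooler is {1} (startup type: {2})" -f $dc, $spooler.Status, $spooler.StartType)
    if ($spooler.Status -eq 'Running' -and $Remediate -and
        $PSCmdlet.ShouldProcess($dc, 'Stop and disable Spooler')) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        }
    }
}
```

Run it without -Remediate to get a report only; add -Remediate -WhatIf to preview the changes, and -Remediate to apply them. Disabling the Spooler on a DC that actually serves printers will break printing there, so the report should be reviewed before remediating.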
