As the Russia-Ukraine conflict has continued to the third week, new cyber threats keep emerging. Officials are on high alert about state-sponsored hackers attempting to disrupt critical infrastructure. The FBI and CISA issued a joint advisory, warning against Russian state-sponsored hackers abusing MFA protocols and a Windows flaw.
Diving into the details
The FBI said that the hackers gained access to an NGO cloud by abusing default MFA protocols. They enrolled their own device into the organization’s Duo MFA. They, furthermore, exploited PrintNightmare, a Windows Print Spooler vulnerability, tracked as CVE-2021-34527. Exploiting PrintNightmare allowed them to gain system privilege and run arbitrary code.
How was it done?
While the NGO had been unenrolled from Duo, it was not disabled in the Active Directory.
In order to compromise the target network, they performed a brute-force attack against the account. They, subsequently, used this compromised account to escalate privilege by abusing PrintNightmare to gain admin privileges.
The hackers disabled the MFA service by redirecting all the calls to localhost after altering a domain controller file.
They were, hence, able to authenticate the victim’s VPN as non-admin users, connect to Windows domain controllers via RDP, and exfiltrate credentials for other accounts.
Without MFA and with the aid of all these credentials, the Russian-backed adversaries could move laterally, gain access to the email accounts and cloud storage, and steal data.
How to stay safe?
The advisory urges organizations to ensure that their MFA settings are properly configured to stay secure against such scenarios and take other measures, such as applying software patches and disabling unused accounts. It is imperative that enterprises configure MFA properly for greater effectiveness.
The bottom line
The joint advisory has provided IOCs, along with recommendations for preventing intrusions. The agencies have, moreover, previously published advisories warning against Russian hackers infecting U.S. defense contractors. APT28, APT29, and Sandworm have also targeted organizations operating in the U.S. critical infrastructure sectors. This shows that times are tough and security defenses need to be tougher.