
CISA: Russian Hackers Leveraged Default MFA, PrintNightmare To Gain Network Access

Using stolen credentials, misconfigured MFA and PrintNightmare, Russian state-sponsored hackers compromised a victim's network, agencies say.

March 16, 2022 Zachary Comeau Leave a Comment


According to U.S. authorities, Russian state-sponsored hackers have exploited default multi-factor authentication (MFA) settings and the PrintNightmare vulnerability to gain network access. Malicious cyber actors have long sought to defeat MFA, since doing so yields access to the accounts and information they are after.

In a joint advisory, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) say cyber actors backed by the Russian government paired those two attack vectors as early as May 2021 against a non-governmental organization: they exploited a weakness in default MFA behavior to get in, then moved laterally into the organization's cloud environment. The Print Spooler vulnerabilities known as PrintNightmare are critical flaws in the Windows Print Spooler service that allow remote code execution and privilege escalation. Disclosed in late June 2021, they prompted out-of-band patches from Microsoft, some of which caused printing problems.

According to the advisory, the FBI observed the actors gaining initial access to the victim organization with compromised credentials and then using the organization's Cisco Duo MFA to enroll a new device. The account in question had been compromised through a brute-force password-guessing attack; it had been unenrolled from Duo after a long period of inactivity but was never disabled in Active Directory.

Duo's default settings allow a dormant account to re-enroll a new device, so the actors simply enrolled a device of their own, satisfied the authentication requirements and gained access to the victim organization's network.

The actors then used PrintNightmare to escalate to administrator privileges and modified a domain controller's hosts file so that calls to the Duo API hostname resolved to localhost instead of Duo's servers, which stopped the MFA client from reaching Duo to validate logons. That effectively disabled MFA for active domain accounts, because the default policy of Duo for Windows is to "fail open" when the Duo server is unreachable, the agencies say.

With MFA disabled, the attackers authenticated to the victim's VPN as non-administrator users and made RDP connections to Windows domain controllers, where they ran commands, harvested credentials for additional domain accounts, modified the MFA configuration file and thereby bypassed MFA for each newly compromised account. The actors largely used built-in Windows utilities already present on the victim's network ("living off the land") to perform those activities, according to the advisory.

The end result of chaining the MFA misconfiguration with PrintNightmare was lateral movement to the organization's cloud storage and email accounts, where the actors accessed targeted content at will.
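To make the hosts-file tampering concrete, here is an added Python example (not code from the advisory, from Duo or from the victim organization) that scans a collected copy of a Windows hosts file for entries overriding Duo hostnames and combines the result with the Duo Windows Logon fail-mode setting to decide whether MFA is effectively off. The hosts-file content and registry snapshot below are constructed and the api- hostname is a placeholder; the registry key path and the FailOpen value name follow Duo's Windows Logon documentation but should be checked against the installed version.

```python
import ipaddress

# Duo Authentication for Windows Logon talks to a per-customer API host of the
# form api-XXXXXXXX.duosecurity.com. Pinning that name to a loopback address in
# the hosts file makes Duo unreachable; with fail-open enabled, the credential
# provider then lets the logon through without a second factor.
DUO_SUFFIX = ".duosecurity.com"

# Location of the Windows Logon client settings per Duo's documentation
# (assumption: verify against your installed version). FailOpen=1 means that
# an unreachable Duo service does not block the logon.
DUO_REG_KEY = r"HKLM\SOFTWARE\Duo Security\DuoCredProv"


def parse_hosts(text):
    """Return (address, hostname, line_no) for every mapping in a hosts file.

    Handles comment lines, trailing comments, tabs, mixed case and several
    hostnames on one line, which is what real hosts files contain.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; Windows ignores it as well
        for host in fields[1:]:
            entries.append((addr, host.lower().rstrip("."), line_no))
    return entries


def find_duo_overrides(hosts_text):
    """Flag every hosts entry that overrides resolution of a Duo hostname.

    A loopback or unspecified target is a blackhole (the technique in the
    advisory); any other target is a redirect that admins must be able to
    explain, since an attacker-controlled endpoint could answer instead.
    """
    findings = []
    for addr, host, line_no in parse_hosts(hosts_text):
        if not host.endswith(DUO_SUFFIX):
            continue
        blackhole = addr.is_loopback or addr.is_unspecified
        findings.append({
            "line": line_no,
            "host": host,
            "address": str(addr),
            "verdict": "blackhole" if blackhole else "redirect",
        })
    return findings


def mfa_effectively_bypassed(hosts_text, duo_registry):
    """True when a Duo blackhole coincides with a fail-open client.

    duo_registry is a dict of the values under DUO_REG_KEY as collected from
    the host (for example with Get-ItemProperty); only FailOpen matters here.
    """
    fail_open = int(duo_registry.get("FailOpen", 0)) == 1
    blackholed = any(f["verdict"] == "blackhole"
                     for f in find_duo_overrides(hosts_text))
    return fail_open and blackholed


# Constructed sample: a domain controller's hosts file after the tampering the
# advisory describes. The api- hostname is a placeholder, not a real account.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#   127.0.0.1       localhost
10.0.0.5\tfileserver.corp.example   # legitimate internal entry
127.0.0.1\tAPI-a1b2c3d4.duosecurity.com
::1\tapi-a1b2c3d4.duosecurity.com
"""

# Constructed registry snapshot reflecting the fail-open default the advisory mentions.
SAMPLE_DUO_REG = {"FailOpen": 1, "RdpOnly": 0}


if __name__ == "__main__":
    for finding in find_duo_overrides(SAMPLE_HOSTS):
        print(f"line {finding['line']}: {finding['host']} -> "
              f"{finding['address']} ({finding['verdict']})")
    print("MFA effectively bypassed:",
          mfa_effectively_bypassed(SAMPLE_HOSTS, SAMPLE_DUO_REG))
```

Any override of a duosecurity.com name in a hosts file deserves a ticket, but the combination of a loopback target and FailOpen=1 is the exact state the advisory describes; setting the client to fail closed turns the same tampering into a denial of logon that gets noticed instead of a silent bypass.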

To prevent attacks that exploit MFA misconfigurations and PrintNightmare, organizations are advised to:

  • Enforce MFA for all users and review MFA configuration policies so that a dormant account cannot self-enroll a new device and an unreachable MFA server does not "fail open."
  • Implement time-out and lock-out features for repeated failed login attempts.
  • Disable inactive accounts consistently across Active Directory and the MFA system, so that an account cannot be dormant in one and live in the other.
  • Update and patch software and firmware promptly, prioritizing known exploited vulnerabilities such as PrintNightmare.
  • Require strong, unique passwords.
  • Monitor networks for suspicious activity, including unusual login attempts.
  • Implement security alerting policies for changes to security-enabled accounts and groups.
  • Conduct end-user training and awareness programs to help prevent account compromise.

Per the advisory, IT admins and security professionals are urged to be on the lookout for these indicators of compromise:

Russian state-sponsored cyber actors executed the following processes:

  • ping.exe – A core Windows utility that sends ICMP echo requests to test connectivity to a remote host [T1018]; frequently used by actors for network discovery [TA0007].
  • regedit.exe – The standard Windows executable that opens the built-in registry editor [T1112].
  • rar.exe – A data compression, encryption and archiving tool, typically used to package collected data before exfiltration [T1560.001].
  • ntdsutil.exe – A command-line tool that provides management facilities for Active Directory Domain Services. The advisory judges it possible that the tool was used to enumerate Active Directory user accounts [T1003.003]; the same tool can also write out a copy of the NTDS.dit database containing every domain account's password hashes, which is why ATT&CK maps it to NTDS credential dumping.

Actors modified the c:\windows\system32\drivers\etc\hosts file to prevent communication with the Duo MFA server:

  • 127.0.0.1 api-<redacted>.duosecurity.com

The following access device IP addresses used by the actors have been identified to date:

  • 45.32.137[.]94
  • 191.96.121[.]162
  • 173.239.198[.]46
  • 157.230.81[.]39
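As an added example (not code from the advisory or from CISA), the following Python hunts for the published indicators in collected logs: it re-fangs the bracketed IPs, matches them against VPN authentication records, and scores the listed process names per host, giving an ntdsutil invocation with install-from-media arguments (the usual way to copy NTDS.dit) the highest weight. The CSV layout, host names and weights are assumptions for illustration, and the log lines are constructed.

```python
import csv
import io
import ipaddress
import re

# Access-device IPs from the advisory, kept in the defanged form the page prints.
IOC_IPS_DEFANGED = [
    "45.32.137[.]94",
    "191.96.121[.]162",
    "173.239.198[.]46",
    "157.230.81[.]39",
]

# Process names the advisory lists. ping and regedit run everywhere, so they only
# add context; ntdsutil and rar on a domain controller are the real signal.
# Weights are an illustrative assumption, not part of the advisory.
PROCESS_WEIGHT = {"ntdsutil.exe": 3, "rar.exe": 2, "regedit.exe": 1, "ping.exe": 1}

# ntdsutil's install-from-media mode ("ac i ntds" "ifm" "create full <dir>")
# writes a copy of ntds.dit, i.e. every domain password hash, to <dir>.
NTDS_DUMP = re.compile(r"\b(ifm|create\s+full|ac\s+i\s+ntds)\b", re.IGNORECASE)


def refang(indicator):
    """Turn a defanged indicator back into a form that matches log content."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in IOC_IPS_DEFANGED}


def vpn_hits(vpn_csv):
    """Return the rows of a VPN/auth log whose source IP is an IOC.

    Assumed CSV layout: time,user,src_ip,result. Rows with unparsable
    addresses are skipped rather than allowed to abort the hunt.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(vpn_csv)):
        try:
            src = ipaddress.ip_address(row["src_ip"].strip())
        except ValueError:
            continue
        if src in IOC_IPS:
            hits.append(row)
    return hits


def score_process_events(events):
    """Sum per-host weights over (host, image_path, command_line) events.

    A chain of individually weak signals on one domain controller (ping, then
    ntdsutil, then rar to package the output) stands out this way, and an
    ntdsutil invocation that actually dumps NTDS gets an extra boost.
    """
    per_host = {}
    for host, image, cmdline in events:
        name = image.rsplit("\\", 1)[-1].lower()
        weight = PROCESS_WEIGHT.get(name, 0)
        if name == "ntdsutil.exe" and NTDS_DUMP.search(cmdline):
            weight += 3
        if weight:
            per_host[host] = per_host.get(host, 0) + weight
    return per_host


# Constructed sample logs; the users, hosts and timestamps are invented.
SAMPLE_VPN_CSV = """\
time,user,src_ip,result
2021-05-03T02:14:09Z,jsmith,198.51.100.23,success
2021-05-03T02:31:55Z,dormant.user,45.32.137.94,success
2021-05-03T02:40:12Z,dormant.user,157.230.81.39,success
2021-05-03T03:05:00Z,mjones,not-an-ip,failure
"""

SAMPLE_PROCESS_EVENTS = [
    ("DC01", r"C:\Windows\System32\ping.exe", "ping.exe 10.0.0.7"),
    ("DC01", r"C:\Windows\System32\ntdsutil.exe",
     r'ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp\out" q q'),
    ("DC01", r"C:\Temp\rar.exe", r"rar.exe a -hp out.rar c:\temp\out"),
    ("WS042", r"C:\Windows\regedit.exe", "regedit.exe"),
]


if __name__ == "__main__":
    for row in vpn_hits(SAMPLE_VPN_CSV):
        print("IOC source IP:", row["time"], row["user"], row["src_ip"])
    for host, score in sorted(score_process_events(SAMPLE_PROCESS_EVENTS).items()):
        print(f"{host}: score {score}")
```

IP indicators age quickly, so the VPN match is the lower-confidence half of this hunt; the process chain on a domain controller, especially ntdsutil followed by rar, describes the behaviour in the advisory and keeps its value after the actors rotate infrastructure.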

To learn more, read the FBI/CISA advisory (AA22-074A).
