According to U.S. authorities, Russian state-sponsored hackers are leveraging default multi-factor authentication (MFA) protocols and the PrintNightmare vulnerabilities to gain network access.
In a joint advisory, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) say cyber actors backed by the Russian government began pairing those attack vectors as early as May 2021 to target a non-governmental organization, exploiting a flaw in default MFA protocols and then moving laterally to the organization’s cloud environment. The Print Spooler vulnerabilities, known as PrintNightmare, are critical security flaws in the Windows Print Spooler service that allow remote code execution and privilege escalation. Those bugs, discovered in late June 2021, prompted out-of-band patches, some of which caused printing issues.
According to the advisory, the FBI observed hackers gaining initial access to the victim organization via compromised credentials and using the organization’s Cisco Duo MFA to enroll a new device. The victim account — compromised through a brute-force password attack — had been unenrolled from Duo after a long period of inactivity, but had not been disabled in Active Directory.
Duo’s default settings allow for the re-enrollment of a new device for dormant accounts, enabling the actors to enroll a new device for the account, complete the authentication requirements and gain access to the victim organization’s network.
Then, the hackers used PrintNightmare to escalate privileges to obtain administrator status and modify a domain controller profile to redirect Duo MFA calls to localhost instead of the Duo server, preventing the MFA service from contacting its server to validate MFA login. That effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable, the agencies say.
With MFA disabled, the attackers were able to authenticate to the victim’s VPN as non-administrator users and make RDP connections to Windows domain controllers to run commands, obtain credentials for additional domain accounts, change the MFA configuration file and bypass MFA for newly compromised accounts. The actors largely used internal Windows utilities that already existed within the victim’s network to perform those activities, according to the advisory.
The end result of chaining the MFA default behavior with PrintNightmare was the ability to move laterally to the organization’s cloud storage and email accounts and access targeted content freely.
To prevent attacks exploiting MFA flaws and PrintNightmare, organizations are advised to:
- Enforce MFA for all users and review configuration policies to protect against “fail open” and re-enrollment situations.
- Implement time-out and lock-out features for repeated failed login attempts.
- Disable inactive accounts across Active Directory and MFA systems.
- Update and patch software and firmware to protect against vulnerability exploitation.
- Require strong, unique passwords.
- Monitor networks for suspicious activity, including unusual login attempts.
- Implement security alerting policies for changes to security-enabled accounts and groups.
- Conduct end-user training and awareness to help prevent account compromise.
Per the advisory, IT admins and security professionals are urged to be on the lookout for these indicators of compromise:
Russian state-sponsored cyber actors executed the following processes:
- ping.exe – A core Windows Operating System process used to perform the Transmission Control Protocol (TCP)/IP Ping command; used to test network connectivity to a remote host [T1018] and is frequently used by actors for network discovery [TA0007].
- regedit.exe – A standard Windows executable file that opens the built-in registry editor [T1112].
- rar.exe – A data compression, encryption, and archiving tool [T1560.001].
- ntdsutil.exe – A command-line tool that provides management facilities for Active Directory Domain Services. It is possible this tool was used to enumerate Active Directory user accounts [T1003.003].
Malicious cyber actors have traditionally sought to compromise MFA security protocols, as doing so would provide access to accounts or information of interest.
Actors modified the c:\windows\system32\drivers\etc\hosts file to prevent communication with the Duo MFA server:
- 127.0.0.1 api-<redacted>.duosecurity.com
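A defensive check for the hosts-file tampering described above, written here as an added Python example (it is not code from the advisory or from Duo): it parses a hosts file and flags any entry that pins an MFA vendor hostname, separating the loopback pin that triggers the fail-open behavior from other overrides. The monitored suffix list and the sample hosts content are constructed; on a Windows host you would feed it the contents of c:\windows\system32\drivers\etc\hosts.

```python
import ipaddress
from typing import Iterator, List, Tuple

# Constructed list of hostname suffixes whose resolution must never be
# overridden locally; add the API domains of your own MFA/IdP vendors.
MONITORED_SUFFIXES = (".duosecurity.com",)

# Constructed sample resembling a tampered Windows hosts file; "<redacted>"
# mirrors the advisory, which does not publish the victim's Duo API subdomain.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
10.0.0.5      fileserver.corp.example   # legitimate internal pin
127.0.0.1     api-<redacted>.duosecurity.com
::1           api-<redacted>.duosecurity.com
"""


def parse_hosts(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (lineno, address, hostname) for each mapping in a hosts file.
    Strips '#' comments, skips blank/malformed lines, handles several names per line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        address, *names = fields
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not an IP literal, nothing to evaluate
        for name in names:
            yield lineno, address, name.lower().rstrip(".")


def find_mfa_overrides(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (lineno, address, hostname, reason) for every monitored hostname
    the hosts file pins. Any pin is suspicious, since the MFA API should resolve
    via DNS; a loopback or unroutable pin is what makes a fail-open client skip MFA."""
    findings = []
    for lineno, address, hostname in parse_hosts(text):
        if not hostname.endswith(MONITORED_SUFFIXES):
            continue
        ip = ipaddress.ip_address(address)
        if ip.is_loopback or ip.is_unspecified:
            reason = "pinned to loopback/unspecified address (fail-open bypass)"
        elif ip.is_private or ip.is_link_local:
            reason = "pinned to a non-routable address (MFA server unreachable)"
        else:
            reason = "pinned to a public address (possible interception)"
        findings.append((lineno, address, hostname, reason))
    return findings
```

Run `find_mfa_overrides()` over each domain controller's hosts file on a schedule and alert on any finding; the two sample entries above both report the fail-open pattern.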
The following access device IP addresses used by the actors have been identified to date:
- 45.32.137[.]94
- 191.96.121[.]162
- 173.239.198[.]46
- 157.230.81[.]39
To learn more, read the FBI/CISA advisory.