FBI and CISA Issue Advisory Over Multi-Factor Authentication Flaw Abused By Russian Hackers
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released an alert about Russian state-backed activity in which hackers bypassed multi-factor authentication (MFA) and exploited a security flaw to compromise networks. The advisory indicates that the cyberattacks targeting a non-governmental organization (NGO) began as early as May 2021.
The threat actors leveraged a “misconfigured” account setting to set default MFA protocols and then enrolled a new device to access the NGO’s network. Once done, the cyber attackers exploited a previously disclosed critical Windows 10 PrintNightmare flaw (CVE-2021-34481) to run malicious code with system privileges.
“The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,” CISA explained.
Additionally, the Russian threat actors modified a file on a domain controller to prevent the Duo MFA software from contacting its server for authentication. With MFA effectively disabled, the attackers authenticated to the NGO’s VPN as non-administrative users and established connections to the Windows domain controllers via Remote Desktop Protocol (RDP).
“Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim’s cloud storage and email accounts and access desired content,” CISA added.
The FBI-CISA advisory outlines mitigation measures to prevent Russian attackers from exploiting the MFA flaw
The cybersecurity advisory outlines several best practices that should help security teams protect their organizations from Russian state-sponsored cyberattacks. It recommends that government agencies and organizations enforce MFA for all users, patch known exploited vulnerabilities on all systems, and enable security features such as time-out and lock-out. Furthermore, IT admins are advised to make sure all inactive accounts are disabled uniformly across Active Directory (AD) and MFA systems.
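The last recommendation is the one the intrusion turned on: an account dormant enough to be un-enrolled from MFA but still enabled in AD. The reconciliation check below is an added example, not code from the advisory, CISA or Duo; it assumes an AD export and an MFA-provider user list already loaded into the two record types shown (the status strings and the 90-day threshold are assumptions) and reports every enabled AD account that is dormant, unknown to the MFA provider, or lacks an active enrollment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
INACTIVITY_DAYS = 90  # assumed dormancy threshold; tune to local policy

@dataclass
class AdAccount:
    sam: str
    enabled: bool
    last_logon: datetime

@dataclass
class MfaUser:
    username: str
    status: str        # provider's enrollment state, e.g. "active", "unenrolled"
    device_count: int

def find_dormant_gaps(ad_accounts, mfa_users, now, inactivity_days=INACTIVITY_DAYS):
    """Report enabled AD accounts that are dormant and/or lack an active MFA
    enrollment: the state the advisory describes being re-enrolled by attackers."""
    mfa_by_user = {u.username.lower(): u for u in mfa_users}
    cutoff = now - timedelta(days=inactivity_days)
    findings = []
    for acct in ad_accounts:
        if not acct.enabled:          # disabled in AD: nothing to re-enroll
            continue
        reasons = []
        if acct.last_logon < cutoff:
            reasons.append("dormant in AD")
        mfa = mfa_by_user.get(acct.sam.lower())
        if mfa is None:
            reasons.append("no record at MFA provider")
        elif mfa.status != "active" or mfa.device_count == 0:
            reasons.append(f"MFA status {mfa.status}, {mfa.device_count} devices")
        if reasons:
            findings.append((acct.sam, reasons))
    return findings

# Constructed sample inputs; real data would come from an AD export and the MFA provider.
NOW = datetime(2021, 5, 1)
SAMPLE_AD = [
    AdAccount("alice", True, NOW - timedelta(days=3)),
    AdAccount("bob", True, NOW - timedelta(days=200)),    # dormant but still enabled
    AdAccount("carol", False, NOW - timedelta(days=400)), # correctly disabled
    AdAccount("dave", True, NOW - timedelta(days=10)),    # active, never enrolled
]
SAMPLE_MFA = [MfaUser("alice", "active", 1), MfaUser("bob", "unenrolled", 0),
              MfaUser("carol", "disabled", 0)]

for name, why in find_dormant_gaps(SAMPLE_AD, SAMPLE_MFA, NOW):
    print(f"{name}: {'; '.join(why)}")
```

Accounts that appear in the report should be disabled in AD at the same time they are removed from the MFA system, so that neither side can be re-enrolled on its own.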