Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

FBI and CISA Issue Advisory Over Multi-Factor Authentication Flaw Abused By Russian Hackers

The US Cybersecurity and Infrastructure Security Agency (CISA) and FBI released an alert about a Russian state-backed activity that allowed hackers to bypass multi-factor authentication (MFA) and exploit a security flaw to compromise networks. The security advisory indicates that the cyberattacks targeting a non-governmental organization (NGO) started back in May 2021.

The threat actors leveraged a “misconfigured” account setting to set default MFA protocols and then enrolled a new device to access the NGO’s network. Once done, the cyber attackers exploited a previously disclosed critical Windows 10 PrintNightmare flaw (CVE-2021-34481) to run malicious code with system privileges.

“The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,” CISA explained.

Additionally, the Russian threat actors managed to modify a domain controller file to prevent the Duo MFA from contacting its server for authentication. With MFA disabled, the attackers authenticated the NGO’s VPN as non-administrators and established connections to the Windows domain controllers via Remote Desktop Protocol (RDP).

“Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim’s cloud storage and email accounts and access desired content,” CISA added.

The FBI-CISA advisory outlines mitigation measures to prevent Russian attackers from exploiting MFA Flaw

The cyber security advisory outlines several best practices that should help security teams to protect their organizations from Russian state-sponsored cyber attacks. It recommends that government and agencies should enforce MFA for all users, patch known exploited vulnerabilities on all systems, and enable security features such as time-out and lock-out. Furthermore, IT Admins are advised to make sure all inactive accounts are disabled uniformly across the Active Directory (AD) and MFA systems.

by Rabia Noureen
Mar 17, 2022

Rabia comes from a solid IT background and has been writing professionally about Microsoft products and other technology for four years. Rabia has also written for OnMSFT.com as well as Windows Report. She is always up to date on the latest trends in...

Streamlining SaaS Governance: How Nudge Security Simplifies Compliance and Security Management for Cloud Apps

Oct 30, 2023
Nov 03, 2023
The Dirty Truth About IT Offboarding Automation

Jul 21, 2023
Aug 25, 2023
Five Tactics Towards Achieving Zero Trust with Azure Active Directory

Aug 29, 2023
Feb 01, 2024

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.