The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory describing how Russian state-sponsored actors bypassed multi-factor authentication (MFA) and then exploited a known vulnerability to compromise a network. According to the advisory, the intrusion at a non-governmental organization (NGO) began as early as May 2021.
The threat actors took advantage of default MFA enrollment settings, combined with a dormant account that had never been disabled, to enroll a new device of their own and gain a foothold in the NGO's network. From there, they exploited the previously disclosed critical Windows Print Spooler flaw known as PrintNightmare (CVE-2021-34527) to run arbitrary code with SYSTEM privileges.
“The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,” CISA explained.
Additionally, the actors modified the hosts file on a domain controller so that the Duo MFA agent could no longer reach its cloud service: the Duo API hostname was pointed at the loopback address. Because the integration was configured to "fail open", authentication proceeded without a second factor whenever the Duo server was unreachable, which effectively disabled MFA. The attackers then authenticated to the NGO's VPN as non-administrator users and opened Remote Desktop Protocol (RDP) connections to the Windows domain controllers.
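The hosts-file trick described above is cheap for an attacker and easy for a defender to check for. The following script is an added example, not code from the advisory or from Duo: it parses hosts-file content and flags any static entry for an MFA vendor domain, distinguishing entries pinned to a non-routable address (the bypass pattern) from other overrides that should be verified against DNS. The sample hosts content and the hostname `api-example.duosecurity.com` are constructed for the example; the real hostname in the advisory is redacted.

```python
import ipaddress
from dataclasses import dataclass

# Domains an endpoint should resolve only through DNS. A static hosts entry that
# pins an MFA API to a local or non-routable address makes the service unreachable,
# and a fail-open integration will then let logins through without a second factor.
PROTECTED_SUFFIXES = ("duosecurity.com",)


@dataclass(frozen=True)
class Finding:
    line_no: int
    hostname: str
    address: str
    reason: str


def _matches_protected(host: str) -> bool:
    """True if host is a protected domain or a subdomain of one (exact label match)."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def _is_unroutable(addr: str) -> bool:
    """Loopback, unspecified, link-local, reserved or private addresses cannot reach a cloud API."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return (ip.is_loopback or ip.is_unspecified or ip.is_link_local
            or ip.is_reserved or ip.is_private)


def audit_hosts(text: str) -> list[Finding]:
    """Return one Finding per hosts-file entry that overrides a protected MFA hostname."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            host = name.lower().rstrip(".")
            if not _matches_protected(host):
                continue
            if _is_unroutable(addr):
                reason = "MFA API pinned to non-routable address (fail-open bypass pattern)"
            else:
                reason = "static override of MFA API hostname; verify against DNS"
            findings.append(Finding(line_no, host, addr, reason))
    return findings


# Constructed sample: a Windows hosts file with one entry added by an intruder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entry added by the intruder (constructed for this example)
127.0.0.1       api-example.duosecurity.com
10.0.0.5        fileserver.corp.example
"""


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address}: {f.reason}")
```

On Windows the file to feed in is `C:\Windows\System32\drivers\etc\hosts`; on a domain controller it should normally contain nothing beyond the localhost entries. A finding of the first kind is a high-confidence indicator and should be paired with a review of the MFA integration's fail-open setting, since the tampering only pays off when the agent allows logins while its server is unreachable.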
“Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim’s cloud storage and email accounts and access desired content,” CISA added.
The advisory closes with best practices meant to help security teams defend against this kind of state-sponsored activity. It recommends that organizations enforce MFA for all users, review MFA configuration policies so that the service neither fails open nor allows self-enrollment of new devices for dormant accounts, patch known exploited vulnerabilities on all systems, and enable time-out and lock-out features in response to repeated failed logins. Furthermore, administrators are advised to disable inactive accounts uniformly across both Active Directory (AD) and the MFA system, so that an account dropped from MFA for inactivity cannot remain a valid AD login.