Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols


CISA and the Federal Bureau of Investigation (FBI) have released a [joint Cybersecurity Advisory](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>) that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges. The advisory provides observed tactics, techniques, and procedures, as well as indicators of compromise and mitigations to protect against this threat. CISA encourages users and administrators to review [AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>). For general information on Russian state-sponsored malicious cyber activity, see [cisa.gov/Russia](<https://www.cisa.gov/uscert/russia>). For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure, as well as additional mitigation recommendations, see [AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure](<https://www.cisa.gov/uscert/ncas/alerts/aa22-011a>) and [cisa.gov/shields-up](<https://www.cisa.gov/shields-up>). This product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy. **Please share your thoughts.** We recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/03/15/russian-state-sponsored-cyber-actors-access-network-misconfigured>); we'd welcome your feedback.