CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.7%
Multifactor Authentication (MFA): A Cybersecurity Essential
• MFA is one of the most important cybersecurity practices to reduce the risk of intrusions—according to industry research, users who enable MFA are up to 99 percent less likely to have an account compromised.
• Every organization should enforce MFA for all employees and customers, and every user should sign up for MFA when available.
• Organizations that implement MFA should review default configurations and modify as necessary, to reduce the likelihood that a sophisticated adversary can circumvent this control.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527) to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.
This advisory provides observed tactics, techniques, and procedures, indicators of compromise (IOCs), and recommendations to protect against Russian state-sponsored malicious cyber activity. FBI and CISA urge all organizations to apply the recommendations in the Mitigations section of this advisory, including the following:
For more general information on Russian state-sponsored malicious cyber activity, see CISA’s Russia Cyber Threat Overview and Advisories webpage. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure as well as additional mitigation recommendations, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and CISA’s Shields Up Technical Guidance webpage.
Click here for a PDF version of this report.
For a downloadable copy of IOCs, see AA22-074A.stix.
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 10. See Appendix A for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
As early as May 2021, the FBI observed Russian state-sponsored cyber actors gain access to an NGO, exploit a flaw in default MFA protocols, and move laterally to the NGO’s cloud environment.
Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via brute-force password guessing attack [T1110.001], allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.
Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation [TA0004] via exploitation of the “PrintNightmare” vulnerability (CVE-2021-34527) [T1068] to obtain administrator privileges. The actors also modified a domain controller file, c:\windows\system32\drivers\etc\hosts
, redirecting Duo MFA calls to localhost
instead of the Duo server [T1556]. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable. Note: “fail open” can happen to any MFA implementation and is not exclusive to Duo.
After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers [T1133]. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts. The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity.
Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally [TA0008] to the victim’s cloud storage and email accounts and access desired content.
Russian state-sponsored cyber actors executed the following processes:
ping.exe
- A core Windows Operating System process used to perform the Transmission Control Protocol (TCP)/IP Ping command; used to test network connectivity to a remote host [T1018] and is frequently used by actors for network discovery [TA0007].regedit.exe
- A standard Windows executable file that opens the built-in registry editor [T1112].rar.exe
- A data compression, encryption, and archiving tool [T1560.001]. Malicious cyber actors have traditionally sought to compromise MFA security protocols as doing so would provide access to accounts or information of interest.ntdsutil.exe
- A command-line tool that provides management facilities for Active Directory Domain Services. It is possible this tool was used to enumerate Active Directory user accounts [T1003.003].Actors modified the c:\windows\system32\drivers\etc\hosts file to prevent communication with the Duo MFA server:
127.0.0.1 api-<redacted>.duosecurity.com
The following access device IP addresses used by the actors have been identified to date:
45.32.137[.]94
191.96.121[.]162
173.239.198[.]46
157.230.81[.]39
The FBI and CISA recommend organizations remain cognizant of the threat of state-sponsored cyber actors exploiting default MFA protocols and exfiltrating sensitive information. Organizations should:
ntdsutil
, rar
, regedit
, etc.)._Note: If a domain controller compromise is suspected, a domain-wide password reset—including service accounts, Microsoft 365 (M365) synchronization accounts, and __krbtgt_
—will be necessary to remove the actors’ access. (For more information, see _https://docs.microsoft.com/en-us/answers/questions/87978/reset-krbtgt-password.html_ ). Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
FBI and CISA also recommend organizations implement the recommendations listed below to further reduce the risk of malicious cyber activity.
SYSVOL
share.With an increase in remote work environments and the use of VPN services, the FBI and CISA encourage organizations to implement the following best practices to improve network security:
Cyber actors frequently use unsophisticated methods to gain initial access, which can often be mitigated by stronger employee awareness of indicators of malicious activity. The FBI and CISA recommend the following best practices to improve employee operations security when conducting business:
All organizations should report incidents and anomalous activity to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected] and [email protected] or by calling 1-844-Say-CISA (1-844-729-2472).
See table 1 for the threat actors’ tactics and techniques identified in this CSA. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
Table 1: Threat Actor MITRE ATT &CK Tactics and Techniques
Tactic | Technique |
---|---|
Initial Access [TA0001] | Valid Accounts [T1078] |
Persistence [TA0003] | External Remote Services [T1133] |
Modify Authentication Process [T1556] | |
Privilege Escalation [TA0004] | Exploitation for Privilege Escalation |
[T1068] | |
Defense Evasion [TA0005] | Modify Registry [T1112] |
Credential Access [TA0006] | Brute Force: Password Guessing [T1110.001] |
OS Credential Dumping: NTDS [T1003.003] | |
Discovery [TA0007] | Remote System Discovery [T1018] |
Lateral Movement [TA0008] | |
Collection [TA0009] | Archive Collected Data: Archive via Utility [T1560.001] |
March 15, 2022: Initial Version
attack.mitre.org/versions/v10/tactics/TA0001/
attack.mitre.org/versions/v10/tactics/TA0001/
attack.mitre.org/versions/v10/tactics/TA0003/
attack.mitre.org/versions/v10/tactics/TA0004/
attack.mitre.org/versions/v10/tactics/TA0004/
attack.mitre.org/versions/v10/tactics/TA0005/
attack.mitre.org/versions/v10/tactics/TA0006/
attack.mitre.org/versions/v10/tactics/TA0006/
attack.mitre.org/versions/v10/tactics/TA0007/
attack.mitre.org/versions/v10/tactics/TA0007/
attack.mitre.org/versions/v10/tactics/TA0008/
attack.mitre.org/versions/v10/tactics/TA0008/
attack.mitre.org/versions/v10/tactics/TA0009/
attack.mitre.org/versions/v10/techniques/enterprise/
attack.mitre.org/versions/v10/techniques/T1003/003/
attack.mitre.org/versions/v10/techniques/T1003/003/
attack.mitre.org/versions/v10/techniques/T1018/
attack.mitre.org/versions/v10/techniques/T1018/
attack.mitre.org/versions/v10/techniques/T1068/
attack.mitre.org/versions/v10/techniques/T1068/
attack.mitre.org/versions/v10/techniques/T1078/
attack.mitre.org/versions/v10/techniques/T1078/
attack.mitre.org/versions/v10/techniques/T1110/001/
attack.mitre.org/versions/v10/techniques/T1110/001/
attack.mitre.org/versions/v10/techniques/T1112/
attack.mitre.org/versions/v10/techniques/T1112/
attack.mitre.org/versions/v10/techniques/T1133/
attack.mitre.org/versions/v10/techniques/T1133/
attack.mitre.org/versions/v10/techniques/T1556/
attack.mitre.org/versions/v10/techniques/T1556/
attack.mitre.org/versions/v10/techniques/T1560/001/
attack.mitre.org/versions/v10/techniques/T1560/001/
cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a
docs.microsoft.com/en-us/answers/questions/87978/reset-krbtgt-password.html
nvd.nist.gov/vuln/detail/CVE-2021-34527
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Russian%20State-Sponsored%20Cyber%20Actors%20Gain%20Network%20Access%20by%20Exploiting%20Default%20Multifactor%20Authentication%20Protocols%20and%20%E2%80%9CPrintNightmare%E2%80%9D%20Vulnerability+https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/uscert/ncas/alerts/aa22-011a
www.cisa.gov/uscert/russia
www.cisa.gov/uscert/shields-technical-guidance
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a&title=Russian%20State-Sponsored%20Cyber%20Actors%20Gain%20Network%20Access%20by%20Exploiting%20Default%20Multifactor%20Authentication%20Protocols%20and%20%E2%80%9CPrintNightmare%E2%80%9D%20Vulnerability
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a
www.oig.dhs.gov/
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Russian%20State-Sponsored%20Cyber%20Actors%20Gain%20Network%20Access%20by%20Exploiting%20Default%20Multifactor%20Authentication%20Protocols%20and%20%E2%80%9CPrintNightmare%E2%80%9D%20Vulnerability&body=www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.7%