Lucene search

K
thnThe Hacker NewsTHN:A52CF43B8B04C0A2F8413E17698F9308
HistoryMar 16, 2022 - 1:29 p.m.

FBI, CISA Warn of Russian Hackers Exploiting MFA and PrintNightmare Bug

2022-03-1613:29:00
The Hacker News
thehackernews.com
161

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

FBI, CISA and Russian Hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint advisory warning that Russia-backed threat actors hacked the network of an unnamed non-governmental entity by exploiting a combination of flaws.

“As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default [multi-factor authentication] protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network,” the agencies said.

“The actors then exploited a critical Windows Print Spooler vulnerability, ‘PrintNightmare’ (CVE-2021-34527) to run arbitrary code with system privileges.”

The attack was pulled off by gaining initial access to the victim organization via compromised credentials – obtained by means of a brute-force password guessing attack – and enrolling a new device in the organization’s Duo MFA.

It’s also noteworthy that the breached account was un-enrolled from Duo due to a long period of inactivity, but had not yet been disabled in the NGO’s Active Directory, thereby allowing the attackers to escalate their privileges using the PrintNightmare flaw and disable the MFA service altogether.

“As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,” the agencies explained.

Turning off MFA, in turn, allowed the state-sponsored actors to authenticate to the NGO’s virtual private network (VPN) as non-administrator users, connect to Windows domain controllers via Remote Desktop Protocol (RDP), and obtain credentials for other domain accounts.

In the final stage of the attack, the newly compromised accounts were subsequently utilized to move laterally across the network to siphon data from the organization’s cloud storage and email accounts.

To mitigate such attacks, both CISA and FBI are recommending organizations to enforce and review multi-factor authentication configuration policies, disable inactive accounts in Active Directory, and prioritize patching for known exploited flaws.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C