Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.

The FBI and CISA released a warning today highlighting that state-sponsored threat actors in Russia were able to breach a non-governmental organization (NGO) using exploits of multifactor authentication (MFA) defaults and the critical vulnerability known as “PrintNightmare.”

The cyberattack “is a good example of why user account hygiene is so important, and why security patches need to go in as soon as is practical,” said Mike Parkin, senior technical engineer at cyber risk remediation firm Vulcan Cyber, in an email to VentureBeat.

“This breach relied on both a vulnerable account that should have been disabled entirely, and an exploitable vulnerability in the target environment,” Parkin said.

Security nightmare

“PrintNightmare” is a remote code execution vulnerability that has affected Microsoft’s Windows print spooler service. It was publicly disclosed last summer, and prompted a series of patches by Microsoft.


MetaBeat 2022

MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.

Register Here

According to today’s joint advisory from the FBI and CISA (the federal Cybersecurity and Infrastructure Security Agency), Russia-backed threat actors have been observed exploiting default MFA protocols with the “PrintNightmare” vulnerability. The threat actors were able to gain access to an NGO’s cloud and email accounts, move laterally in the organization’s network and exfiltrate documents, according to the FBI and CISA.

The advisory says the cyberattack targeting the NGO began as far back as May 2021. The location of the NGO and the full timespan over which the attack occurred were not specified.

CISA referred questions to the FBI, which did not immediately respond to a request for those details.

The warning comes as Russia continues its unprovoked assault on Ukraine, including with frequent cyberattacks. CISA has previously warned of the potential for cyberattacks originating in Russia to impact targets in the U.S. in connection with the war in Ukraine.

On CISA’s separate “Shields Up” page, the agency continues to hold that “there are no specific or credible cyber threats to the U.S. homeland at this time” in connection with Russia’s actions in Ukraine.

Weak password, MFA defaults

In the cyberattack against an NGO disclosed today by the FBI and CISA, the Russian threat actor used brute-force password guessing to compromise the account’s credentials. The password was simple and predictable, according to the advisory.

The account at the NGO had also been misconfigured, with default MFA protocols left in place, the FBI and CISA advisory says. This enabled the attacker to enroll a new device into Cisco’s Duo MFA solution — thus providing access to the NGO’s network, according to the advisory.

While requiring multiple forms of authentication at log-in is widely seen as an effective cybersecurity measure, in this case, the misconfiguration actually allowed MFA to be used as a key part of the attack.

“The victim account had been unenrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory,” the FBI and CISA said. “As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements and obtain access to the victim network.”

The Russia-backed attacker then exploited “PrintNightmare” to escalate their privileges to administrator; modified a domain controller file, disabling MFA; authenticated to the organization’s VPN; and made Remote Desktop Protocol (RDP) connections to Windows domain controllers.

“Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim’s cloud storage and email accounts and access desired content,” the FBI and CISA advisory says.

The FBI-CISA advisory includes a number of recommended best practices and indicators of compromise for security teams to utilize.

In a blog post, Cisco noted that “this scenario did not leverage or reveal a vulnerability in Duo software or infrastructure, but made use of a combination of configurations in both Duo and Windows that can be mitigated in policy.”

Growing threat

Ultimately, the FBI-CISA advisory recommends that “organizations remain cognizant of the threat of state-sponsored cyber actors exploiting default MFA protocols and exfiltrating sensitive information.”

In recent years, Russian threat actors have shown that they’ve developed “significant capabilities to bypass MFA when it is poorly implemented, or operated in a way that allows attackers to compromise material pieces of cloud identity supply chains,” said Aaron Turner, a vice president at AI-driven cybersecurity firm Vectra.

“This latest advisory shows that organizations who implemented MFA as a ‘check the box’ compliance solution are seeing the MFA vulnerability exploitation at scale,” Turner said in an email.

Going forward, you can “expect to see more of this type of attack vector,” said Bud Broomhead, CEO at IoT security vendor Viakoo.

“Kudos to CISA and FBI for keeping organizations informed and focused on what the most urgent cyber priorities are for organizations,” Broomhead said in an email. “All security teams are stretched thin, making the focus they provide extremely valuable.”

In light of this cyberattack by Russian threat actors, CISA director Jen Easterly today reiterated the call to businesses and government agencies to put “shields up” in the U.S. This effort should include “enforcing MFA for all users without exception, patching known exploited vulnerabilities and ensuring MFA is implemented securely,” Easterly said in a news release.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.