Russian nation-state hackers last spring capitalized on a misconfigured Cisco Duo multifactor authentication (MFA) account at a nongovernment organization and created their own device, with MFA, to infiltrate the victim’s network, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned this week in a joint advisory.
The attackers first brute-forced the password of a dormant user account that had been un-enrolled from the organization’s MFA but never disabled. They enrolled a rogue device on that account and then used the resulting access to exploit a known Windows Print Spooler vulnerability, aka PrintNightmare (CVE-2021-34527), to run their code with privileged access, which let them reach cloud and email accounts and steal documents.
“Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via brute-force password guessing attack [T1110.001], allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,” the advisory says.
The FBI and CISA recommend reviewing MFA policies to prevent such a re-enrollment action, confirming that inactive accounts are disabled in Active Directory and MFA systems, and making sure all software is updated, patched, and not prone to known flaws.
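As an added example (not part of the advisory or the article), the two checks below turn those recommendations into detection and hygiene logic: flag MFA device enrollments on accounts that have been dormant, and list dormant accounts that the directory still has enabled. The event format, field names and sample data are constructed for illustration and are not Duo’s or Active Directory’s real schema.

```python
from datetime import datetime, timedelta

# Constructed sample MFA events (ISO timestamps, UTC); not a vendor log format.
SAMPLE_EVENTS = [
    {"ts": "2022-01-03T09:12:00", "user": "jdoe",    "event": "authentication", "result": "success"},
    {"ts": "2022-01-04T08:55:00", "user": "asmith",  "event": "authentication", "result": "success"},
    {"ts": "2022-05-10T02:14:00", "user": "asmith",  "event": "authentication", "result": "failure"},
    {"ts": "2022-05-10T02:14:20", "user": "asmith",  "event": "authentication", "result": "failure"},
    {"ts": "2022-05-10T02:15:00", "user": "asmith",  "event": "enrollment",     "result": "success"},
    {"ts": "2022-05-10T09:00:00", "user": "jdoe",    "event": "authentication", "result": "success"},
    {"ts": "2022-05-11T10:00:00", "user": "newhire", "event": "enrollment",     "result": "success"},
]
# Constructed snapshot of accounts the directory has disabled.
AD_DISABLED = {"oldcontractor"}


def find_dormant_enrollments(events, dormant_days=90):
    """Flag each enrollment that follows >= dormant_days of inactivity since the
    user's last successful authentication. Brand-new users (no prior success)
    are not flagged; failures since the last success are reported as a
    password-guessing indicator."""
    last_ok, failures, hits = {}, {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["event"] == "authentication":
            if e["result"] == "success":
                last_ok[user], failures[user] = ts, 0
            else:
                failures[user] = failures.get(user, 0) + 1
        elif e["event"] == "enrollment" and user in last_ok:
            idle = ts - last_ok[user]
            if idle >= timedelta(days=dormant_days):
                hits.append({"user": user, "enrolled_at": e["ts"],
                             "idle_days": idle.days,
                             "failures_before": failures.get(user, 0)})
    return hits


def dormant_but_enabled(events, ad_disabled, as_of, dormant_days=90):
    """Users whose last MFA success before `as_of` is older than dormant_days
    and who are not disabled in the directory: the exact gap the advisory describes."""
    last_ok = {}
    for e in events:  # ISO strings of equal format compare correctly as text
        if e["ts"] <= as_of and e["event"] == "authentication" and e["result"] == "success":
            last_ok[e["user"]] = max(last_ok.get(e["user"], e["ts"]), e["ts"])
    cutoff = (datetime.fromisoformat(as_of) - timedelta(days=dormant_days)).isoformat()
    return sorted(u for u, ts in last_ok.items() if ts < cutoff and u not in ad_disabled)
```

Running `find_dormant_enrollments(SAMPLE_EVENTS)` flags only asmith’s enrollment after 125 idle days and two preceding failures; `dormant_but_enabled(SAMPLE_EVENTS, AD_DISABLED, "2022-05-01T00:00:00")` lists the accounts that should have been disabled before the incident.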