{"id":45748,"date":"2022-03-16T16:36:57","date_gmt":"2022-03-16T16:36:57","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/33215\/Russia-Linked-Attackers-Breach-NGO-By-Exploiting-MFA-PrintNightmare-Vuln.html"},"modified":"2022-03-16T16:36:57","modified_gmt":"2022-03-16T16:36:57","slug":"russia-linked-attackers-breach-ngo-by-exploiting-mfa-printnightmare-vuln","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/russia-linked-attackers-breach-ngo-by-exploiting-mfa-printnightmare-vuln\/","title":{"rendered":"Russia-Linked Attackers Breach NGO By Exploiting MFA, PrintNightmare Vuln"},"content":{"rendered":"<p>State-sponsored threat actors from Russia over the last year breached a non-governmental organization (NGO) by leveraging multifactor authentication (MFA) defaults and exploiting the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/07\/02\/printnightmare_cve\/\" rel=\"noopener\">PrintNightmare<\/a> vulnerability in Windows Print Spooler.<\/p>\n<p>The US Cybersecurity and Infrastructure Security Agency (CISA) and FBI <a href=\"https:\/\/www.cisa.gov\/news\/2022\/03\/15\/mitigating-threats-posed-russian-state-sponsored-cyber-actors-exploitation-default\" rel=\"nofollow\">issued a joint alert<\/a> on March 15 warning organizations that state-backed criminals could use the MFA defaults and flaw to access networks.<\/p>\n<p>In this case, the unnamed cybercriminal gang took advantage of a misconfigured account to set default MFA protocols at the NGO.<\/p>\n<p>The bad actors enrolled a new device for MFA and accessed the NGO&#8217;s network and then exploited the PrintNightmare flaw \u2013 <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-34527\" rel=\"nofollow\">tracked as CVE-2021-34527<\/a> \u2013 to run malicious code and gain system privileges, giving them access to email accounts and enabling them to move laterally to the organization&#8217;s cloud environment and to steal documents.<\/p>\n<p>The attack started in May 2021. CISA and the FBI did not disclose how long the attack lasted nor the identity of the targeted NGO.<\/p>\n<p>&#8220;At CISA, we are great believers in multifactor authentication,&#8221; CISA director Jen Easterly said. &#8220;It remains one of the most effective measures individuals and organizations can take to reduce their risk to malicious cyber activity. 
This advisory demonstrates the imperative that organizations configure MFA properly to maximize effectiveness.&#8221;<\/p>\n<p>Aaron Turner, vice president of SaaS posture at cybersecurity firm Vectra, told <em>The Register<\/em> in an email that since 2020, Russia had &#8220;shown that they have developed significant capabilities to bypass MFA when it is poorly implemented or operated in a way that allows attackers to compromise material pieces of cloud identity supply chains.&#8221;<\/p>\n<p>He added: &#8220;This latest advisory shows that organizations who implemented MFA as a &#8216;check the box&#8217; compliance solution are seeing the MFA vulnerability exploitation at scale.&#8221;<\/p>\n<p>The NGO attack illustrates why user account hygiene is important and why security patches need to be applied as quickly as possible, according to Mike Parkin, senior technical engineer at cybersecurity firm Vulcan Cyber.<\/p>\n<p>&#8220;This breach by Russian state-sponsored actors relied on both a vulnerable account that should have been disabled entirely and an exploitable vulnerability in the target environment,&#8221; Parkin told <em>The Register<\/em> in an email. &#8220;While the patch for [PrintNightmare] was only available after the initial attack, good account hygiene would have prevented the initial access the attackers used to execute the attack against the victim.&#8221;<\/p>\n<p>PrintNightmare is a remote code execution flaw in Microsoft&#8217;s Windows Print Spooler Service that was discovered last summer and kicked off a <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/06\/30\/windows_print_spool_vuln_rce\/\" rel=\"noopener\">number of printing-related security issues<\/a> for the enterprise software and cloud giant.<\/p>\n<p>Soon after its discovery, Microsoft issued a patch for the vulnerability.<\/p>\n<p>The alert from CISA and the FBI comes amid heightened worries about <a href=\"https:\/\/www.theregister.com\/2022\/02\/28\/russia_information_security\/\">cyberattacks linked to Russia<\/a> and its invasion of neighboring Ukraine. 
Ukraine has come under steady assault from cyberattacks and there has been some <a href=\"https:\/\/www.theregister.com\/2022\/03\/11\/russia-invasion-cyber-war-rages\/\">spillover to companies<\/a> in countries outside of Eastern Europe.<\/p>\n<p>In the attack on the NGO, the bad actors used a brute-force password-guessing attack to access the organization&#8217;s Duo MFA account with a simple and predictable password, according to the US agencies.<\/p>\n<p>&#8220;The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory,&#8221; according to the alert.<\/p>\n<p>&#8220;As Duo&#8217;s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.&#8221;<\/p>\n<p>The threat actors leveraged this to exploit the PrintNightmare vulnerability to gain administrator privileges and modified a domain controller to prevent the Duo MFA from contacting its server to validate the MFA login. The attackers authenticated to the victim&#8217;s virtual private network (VPN) as non-administrator users and made Remote Desktop Protocol (RDP) connections to Windows domain controllers. They then gained credentials for other domain accounts.<\/p>\n<p>Bud Broomhead, CEO of cybersecurity vendor Viakoo, said organizations should expect to see more of this kind of attack vector. Patching printers and other Internet of Things devices is a high priority.<\/p>\n<p>&#8220;SIM swapping is enabling more exploits to happen despite MFA being set up properly on devices that support MFA,&#8221; Broomhead told <em>The Register<\/em> in an email. 
&#8220;Many IoT devices lack multifactor authentication, making it critically important that organizations have a strategy for enforcing corporate password policies across their fleets of IoT devices, including regular password rotations, complex passwords being used and coordination of passwords with the applications using IoT devices.&#8221;<\/p>\n<p>&#8220;Industry-best practices go a long way toward preventing the kind of attack seen here,&#8221; Vulcan Cyber&#8217;s Parkin said. &#8220;Default configurations should be updated to a secure configuration. Systems should be configured to fail closed rather than open. Unused accounts should be disabled. Default accounts, if they need to remain in service, should have their passwords changed from the initial default to something secure. Patches should be deployed as soon as practical. Access should be restricted to the minimal required levels.&#8221;<\/p>\n<p>Corey O&#8217;Connor, director of products at SaaS security vendor DoControl, added that access controls also are a key part of any mitigation strategy. 
Wrapping granular access controls around business-critical applications that include sensitive data would go a long way to preventing the data from being stolen.<\/p>\n<p>&#8220;If MFA becomes compromised, there is still a lifeline through least privilege policy enforcement to minimize the access to that sensitive data,&#8221; O&#8217;Connor told <em>The Register<\/em> in an email. &#8220;Potentially malicious or high-risk activity can be detected if the files are being accessed by unknown IP addresses or other parameters that present high levels of risk.&#8221; \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/33215\/Russia-Linked-Attackers-Breach-NGO-By-Exploiting-MFA-PrintNightmare-Vuln.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[9889],"class_list":["post-45748","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-blogs","tag-headlinehackergovernmentrussiacyberwar"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/45748","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=45748"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/45748\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=45748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=45748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=45748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}