The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) warned that Russia-linked threat actors have gained access to a non-governmental organization (NGO) cloud by exploiting misconfigured default multifactor authentication (MFA) protocols and enrolled their own device in the organization’s Cisco’s Duo MFA.
The nation-state actors gained access to the network by exploiting default MFA protocols and the Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), reads the advisory.
As early as May 2021, the attackers took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network.
The exploitation of the PrintNightmare flaw allowed the attackers to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.
In order to compromise the target network, the attackers conducted a brute-force password guessing attack against an un-enrolled and inactive account. Contrary to best practices recommended, the account was still active in the organization’s Active Directory.
“The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.” reads the joint advisory.
“Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the “PrintNightmare” vulnerability to obtain administrator privileges.”
Once obtained admin privileges the attackers modified a domain controller file to redirect Duo MFA calls to localhost instead of the legitimate Duo server to prevent the MFA service from contacting its server to validate MFA login.
This trick allowed the attackers to completely disable MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable.
“After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers [T1133]. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts.” continues the analysis. “The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity.”
FBI and CISA shared indicators of compromise for the above attack and provided the following recommendations in the join advisory:
(SecurityAffairs – hacking, Russia-linked threats actors)