CISA Alert AA22-074A – Russian state-sponsored cyber actors gain network access by exploiting default MFA protocols and “PrintNightmare” vulnerability.
This is a CISA Cybersecurity Alert, ID number AA22-074A.
Original release date: March 15, 2022.
As early as May 2021, Russian state-sponsored cyber actors gained access to a non-governmental organization by exploiting a flaw in default multi-factor authentication settings, and moved laterally to the NGO’s cloud environment. The cyber actors successfully exploited a known vulnerability while targeting the NGO’s Cisco Duo MFA system, which enabled access to the organization’s cloud and email accounts for document exfiltration.
The Russian state-sponsored cyber actors took advantage of the MFA protocol’s default “fail open” and re-enrollment settings, allowing them to enroll a new device and access the victim’s network. The actors then exploited a critical Windows Print Spooler vulnerability known as PrintNightmare to run arbitrary code.
MFA is still one of the most effective tools to reduce the risk of intrusions when implemented correctly — according to industry research, users who enable MFA are up to 99 percent less likely to have an account compromised. Every organization should enforce MFA for all employees and customers, and every user should use MFA when available. Organizations that use MFA should review and modify default configurations to reduce the likelihood that a sophisticated adversary can circumvent this control.
FBI and CISA urge all organizations to implement the mitigations outlined in the alert, including:
- Enforce MFA for all users without exception.
- Review configuration policies to protect against “fail open” and re-enrollment conflicts.
- Implement time-out and lock-out features in response to repeated failed login attempts.
- Ensure inactive accounts are disabled uniformly across Active Directory and MFA systems.
- Prioritize patching known exploited vulnerabilities, especially those that allow for remote code execution or denial-of-service on internet-facing equipment.
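The “fail open” default called out above is a configuration setting, so it can be audited. The following is an added example, not CISA’s or Duo’s code: it scans a Duo Authentication Proxy `authproxy.cfg` (the sample below is constructed) for server sections whose `failmode` is absent or set to `safe`, relying on the documented Duo convention that `safe` means fail open and `secure` means fail closed.

```python
"""Audit a Duo Authentication Proxy authproxy.cfg for fail-open MFA sections.

Added example (not CISA's or Duo's own code). Assumes the documented Duo
Authentication Proxy convention: each [radius_server_*] / [ldap_server_*]
section takes a `failmode` key, where `safe` (the default when the key is
absent) means fail open and `secure` means fail closed. Keys and hosts below
are placeholders.
"""
import configparser

# Constructed sample: one section hardened, one explicitly fail open,
# one silently relying on the fail-open default.
SAMPLE_CFG = """
[main]
debug=true

[radius_server_auto]
ikey=DIPLACEHOLDERIKEY000
skey=placeholder_skey
api_host=api-PLACEHOLDER.duosecurity.com
failmode=secure

[ldap_server_auto]
ikey=DIPLACEHOLDERIKEY000
skey=placeholder_skey
api_host=api-PLACEHOLDER.duosecurity.com
failmode=safe

[radius_server_auto2]
ikey=DIPLACEHOLDERIKEY000
skey=placeholder_skey
api_host=api-PLACEHOLDER.duosecurity.com
"""


def find_fail_open_sections(cfg_text: str) -> dict:
    """Return {section_name: reason} for every server section that fails open."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    findings = {}
    for section in parser.sections():
        if not (section.startswith("radius_server") or section.startswith("ldap_server")):
            continue  # [main], [cloud], [ad_client] etc. carry no failmode
        mode = parser.get(section, "failmode", fallback=None)
        if mode is None:
            findings[section] = "failmode not set; Duo defaults to safe (fail open)"
        elif mode.strip().lower() == "safe":
            findings[section] = "failmode=safe (fail open) set explicitly"
    return findings


if __name__ == "__main__":
    for name, reason in find_fail_open_sections(SAMPLE_CFG).items():
        print(f"{name}: {reason}")
```

Run it against the real file on each proxy host; any section it reports should be switched to `failmode=secure` unless there is a documented reason to fail open.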
The alert documentation outlines observed tactics, techniques, and procedures, indicators of compromise, and recommendations to protect against this threat. For the full MITRE ATT&CK mapping for this event, see Appendix A in the alert documentation. For more information on Russian state-sponsored cyber activity, see CISA's Russia Cyber Threat Overview webpage. For additional mitigations, see the “Shields Up” Technical Guidance. Links to these resources can be found in the show notes.
All organizations should also report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.