Russia-linked threats actors exploited default MFA protocol and PrintNightmare bug to compromise NGO cloud

FBI and CISA warn Russia-linked threats actors gained access to an NGO cloud after enrolling their own device in the organization’s Duo MFA.

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA)  warned that Russia-linked threat actors have gained access to a non-governmental organization (NGO) cloud by exploiting misconfigured default multifactor authentication (MFA) protocols and enrolled their own device in the organization’s Cisco’s Duo MFA.

The nation-state actors gained access to the network by exploiting default MFA protocols and the Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), reads the advisory.

As early as May 2021, the attackers took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network.

The exploitation of the PrintNightmare flaw allowed the attackers to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.

In order to compromise the target network, the attackers conducted a brute-force password guessing attack against an un-enrolled and inactive account. Contrary to best practices recommended, the account was still active in the organization’s Active Directory.

“The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.” reads the joint advisory.  

“Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the “PrintNightmare” vulnerability to obtain administrator privileges.”

Once obtained admin privileges the attackers modified a domain controller file to redirect Duo MFA calls to localhost instead of the legitimate Duo server to prevent the MFA service from contacting its server to validate MFA login.

This trick allowed the attackers to completely disable MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable. 

“After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers [T1133]. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts.” continues the analysis. “The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity.”

FBI and CISA shared indicators of compromise for the above attack and provided the following recommendations in the join advisory:

• Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.
• Implement time-out and lock-out features in response to repeated failed login attempts.
• Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems etc.
• Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
• Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.
• Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit, etc.).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Russia-linked threats actors)

[adrotate banner=”5″]

[adrotate banner=”13″]