FBI and CISA Issue Advisory Over Multi-Factor Authentication Flaw Abused By Russian Hackers
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory describing Russian state-sponsored activity in which the actors bypassed multi-factor authentication (MFA) and then exploited a known, already-patched vulnerability to compromise a network. The advisory states that the intrusion at a non-governmental organization (NGO) began as early as May 2021.
The threat actors exploited a misconfigured account that had been left set to default MFA protocols, which let them enroll a new device for that account and gain access to the NGO's network. Once inside, they exploited the critical Windows Print Spooler vulnerability known as PrintNightmare (CVE-2021-34527) to run arbitrary code with SYSTEM privileges.
“The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,” CISA explained.
With SYSTEM privileges on a domain controller, the actors then modified the hosts file (c:\windows\system32\drivers\etc\hosts) so that Duo's MFA API hostname resolved to localhost instead of the real Duo server. The Duo for Windows agent could no longer reach its server to validate logins, and because its default policy is to fail open when the server is unreachable, MFA was effectively disabled for active domain accounts. With MFA out of the way, the attackers authenticated to the NGO's VPN as non-administrator users and made Remote Desktop Protocol (RDP) connections to the Windows domain controllers.
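A quick way to hunt for the hosts-file tampering described above is to parse the file and flag any local override of the MFA provider's hostnames, treating a loopback target as the specific fail-open trick. The script below is an added example, not code from the advisory or from Duo; the hosts-file content is constructed, and the Duo hostname in it is a placeholder (real tenants use a per-customer `api-XXXXXXXX.duosecurity.com` name).

```python
"""Flag hosts-file overrides for an MFA provider's service hostnames.

Added example, not from the CISA advisory or the article. SAMPLE_HOSTS is a
constructed stand-in for C:\\Windows\\System32\\drivers\\etc\\hosts after
tampering; the api-abcdef12 hostname is a placeholder, not a real tenant.
"""
import ipaddress

# Assumption: these suffixes cover the endpoints the Duo Windows agent contacts.
# Add your own MFA vendor's domains here if you use a different provider.
PROTECTED_SUFFIXES = ("duosecurity.com",)

SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example   # legitimate internal override
127.0.0.1       api-abcdef12.duosecurity.com
"""


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for each active line, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts entry we can interpret
        yield ip, parts[1:]


def find_mfa_overrides(text, suffixes=PROTECTED_SUFFIXES):
    """Return a finding for every hostname under a protected suffix.

    Any local override of an MFA provider hostname is suspicious; a loopback
    target is the fail-open technique the advisory describes, so it is
    called out separately.
    """
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            host = name.lower().rstrip(".")
            if any(host == s or host.endswith("." + s) for s in suffixes):
                findings.append({
                    "host": host,
                    "ip": str(ip),
                    "loopback": ip.is_loopback,
                })
    return findings


if __name__ == "__main__":
    for f in find_mfa_overrides(SAMPLE_HOSTS):
        severity = "CRITICAL (fail-open redirect)" if f["loopback"] else "WARN"
        print(f"{severity}: {f['host']} -> {f['ip']}")
```

Run it against the real file on every domain controller and on any host running the Duo logon agent; a clean system returns an empty list. Reviewing the agent's fail-open setting is the complementary control: when the server is unreachable, fail closed for privileged and remote-access paths.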
“Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim’s cloud storage and email accounts and access desired content,” CISA added.
The FBI-CISA advisory outlines mitigations to prevent attackers from exploiting the MFA flaw
The advisory lists several best practices to help security teams protect their organizations from this kind of Russian state-sponsored activity. It recommends enforcing MFA for all users without exception, reviewing MFA configuration policies to guard against fail-open behaviour and against re-enrollment of dormant accounts, patching known exploited vulnerabilities on all systems, and enabling time-out and lock-out features. It also advises administrators to make sure inactive accounts are disabled uniformly across Active Directory (AD) and the MFA system, so that an account the MFA provider has un-enrolled for inactivity cannot still be used to log on.