Russia-linked attackers breach NGO by exploiting MFA, PrintNightmare vuln

State-sponsored threat actors from Russia over the last year breached a non-governmental organization (NGO) by leveraging multifactor authentication (MFA) defaults and exploiting the PrintNightmare vulnerability in Windows Print Spooler.

The US Cybersecurity and Infrastructure Security Agency (CISA) and FBI issued a joint alert on March 15 warning organizations that state-backed criminals could use the MFA defaults and flaw to access networks.

In this case, the unnamed cybercriminal gang took advantage of a misconfigured account to set default MFA protocols at the NGO.

The bad actors enrolled a new device for MFA and accessed the NGO's network and then exploited the PrintNightmare flaw – tracked as CVE-2021-34527 – to run malicious code and gain system privileges, giving them access to email accounts and enabling them to move laterally to the organization's cloud environment and to steal documents.

The attack started in May 2021. CISA and the FBI did not disclose how long the attack lasted nor the identity of the targeted NGO.

"At CISA, we are great believers in multifactor authentication," CISA director Jen Easterly said. "It remains one of the most effective measures individuals and organizations can take to reduce their risk to malicious cyber activity. This advisory demonstrates the imperative that organizations configure MFA properly to maximize effectiveness."

Aaron Turner, vice president of SaaS posture at cybersecurity firm Vectra, told The Register in an email that since 2020, Russia had "shown that they have developed significant capabilities to bypass MFA when it is poorly implemented or operated in a way that allows attackers to compromise material pieces of cloud identity supply chains.

He added: "This latest advisory shows that organizations who implemented MFA as a 'check the box' compliance solution are seeing the MFA vulnerability exploitation at scale."

The NGO attack illustrates why user account hygiene is important and why security patches need to be applied as quickly as possible, according to Mike Parkin, senior technical engineer at cybersecurity firm Vulcan Cyber.

"This breach by Russian state-sponsored actors relied on both a vulnerable account that should have been disabled entirely and an exploitable vulnerability in the target environment," Parkin told The Register in an email. "While the patch for [PrintNightmare] was only available after the initial attack, good account hygiene would have prevented the initial access the attackers used to execute the attack against the victim."

• PrintNightmare: Kicking users from Pre-Windows 2000 legacy group may thwart domain controller exploitation
• Leaked print spooler exploit lets Windows users remotely execute code as system on your domain controller
• IBM email fiasco complicates sales deals, is worse than biz is letting on – sources
• We've found another reason not to use Microsoft's Paint 3D – researchers

PrintNightmare is a remote code execution flaw in Microsoft's Windows Print Spooler Service that was discovered last summer and kicked off a number of printing-related security issues for the enterprise software and cloud giant.

Soon after its discovery, Microsoft issued a patch for the vulnerability.

The alert from CISA and the FBI comes amid heightened worries about cyberattacks linked to Russia and its invasion of neighboring Ukraine. Ukraine has come under steady assault from cyberattacks and there has been some spillover to companies in countries outside of Eastern Europe.

In the attack on the NGO, the bad actors used a brute-force password-guessing attack to access the organization's Duo MFA account with a simple and predictable password, according to the US agencies.

"The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory," according to the alert.

"As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network."

The threat actors leveraged this to exploit the PrintNightmare vulnerability to gain administrator privileges and modified a domain controller to prevent the Duo MFA from contacting its server to validate the MFA login. The attackers authenticated the victim's virtual private network (VPN) as non-administrator users and made Remote Desktop Protocol (RDP) connections to Windows domain controllers. They then gained credentials for other domain accounts.

Bud Broomhead, CEO of cybersecurity vendor Viakoo, said organizations should expect to see more of this kind of attack vector. Patching printers and other Internet of Things devices is a high priority.

"SIM swapping is enabling more exploits to happen despite MFA being set up properly on devices that support MFA," Broomhead told The Register in an email. "Many IoT devices lack multifactor authentication, making it critically important that organizations have a strategy for enforcing corporate password policies across their fleets of IoT devices, including regular password rotations, complex passwords being used and coordinate of passwords with the applications using IoT devices."

"Industry-best practices go a long way toward preventing the kind of attack seen here," Vulcan Cyber's Parkin said. "Default configurations should be updated to a secure configuration. Systems should be configured to fail closed rather than open. Unused accounts should be disabled. Default accounts, if they need to remain in service, should have their passwords changed from the initial default to something secure. Patches should be deployed as soon as practical. Access should be restricted to the minimal required levels."

The PrintNightmare continues: Microsoft confirms presence of vulnerable code in all versions of Windows

READ MORE

Corey O'Connor, director of products at SaaS security vendor DoControl, added that access controls also are a key part of any mitigation strategy. Wrapping granular access controls around business-critical applications that include sensitive data would go a long way to preventing the data from being stolen.

"If MFA becomes compromised, there is still a lifeline through least privilege policy enforcement to minimize the access to that sensitive data," O'Connor told The Register in an email. "Potentially malicious or high-risk activity can be detected if the files are being accessed by unknown IP addresses or other parameters that present high levels of risk." ®