Russian Cyber Actors Exploit MFA Protocols, PrintNightmare Vulnerability

March 17, 2022 - The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory to warn organizations of Russian state-sponsored threat actors who exploited default multifactor authentication (MFA) protocols. CISA and the FBI also observed the cyber actors exploiting PrintNightmare, a known software vulnerability.

HHS’ Health Sector Cybersecurity Coordination Center (HC3) echoed the warning with its own advisory to the healthcare and public health (HPH) sector.

As early as May 2021, the Russian state-sponsored threat actors targeted a non-governmental organization and exploited a misconfigured account set to default MFA protocols. The actors were able to enroll a new device to the MFA system and access the organization’s network.

Next, the threat actors leveraged PrintNightmare, a previously discovered Windows Print Spooler vulnerability, to run arbitrary code. The threat actors were able to use Cisco’s Duo MFA to gain access to the organization’s cloud environment and email accounts to exfiltrate documents.

The PrintNightmare vulnerability, first discovered in June 2021, is a high-severity remote code execution (RCE) vulnerability that occurs when the Windows Print Spooler service inappropriately performs privileged file operations, Microsoft explained.

“Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password,” CISA’s advisory explained.

“The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.”

PrintNightmare allowed the threat actors to perform privilege escalation and essentially disable MFA. The attackers were then able to move freely through the victim organization’s cloud environment and email accounts.

The advisory included a list of indicators of compromise (IOCs) for organizations to watch for. In addition, the FBI and CISA recommended that organizations:

• Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.
• Implement time-out and lock-out features in response to repeated failed login attempts.
• Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems etc.
• Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
• Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.
• Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit, etc.).

Although the advisory did not indicate that these tactics have impacted healthcare organizations, the healthcare sector and other critical infrastructure entities may become collateral damage amid growing geopolitical tensions between Russia and Ukraine.

CISA issued a “Shields Up” advisory to help organizations prepare for incoming cyber threats.

“Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include the U.S. homeland,” CISA stated. “Every organization—large and small—must be prepared to respond to disruptive cyber activity.”