US security agencies reveal that Russian hackers breach MFA, PrintNightmare vulnerability in NGO network

U.S. security agencies released a joint cybersecurity advisory (CSA) warning organizations that Russian state-sponsored hackers had gained network access to a non-governmental organization (NGO). The adversaries got in by abusing default multi-factor authentication (MFA) enrollment settings on a dormant account and then escalated privileges through the Windows Print Spooler ‘PrintNightmare’ vulnerability, which allows arbitrary code execution with SYSTEM privileges. Having defeated the MFA protections, the adversaries moved laterally to the NGO’s cloud environment.

“As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network,” the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in their CSA on Tuesday. 

“The actors then exploited a critical Windows Print Spooler vulnerability, ‘PrintNightmare’ (CVE-2021-34527) to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration,” it added.

FBI and CISA urge organizations to apply several mitigations, including enforcing MFA for all users without exception and reviewing MFA configuration policies to protect against ‘fail open’ and re-enrollment scenarios. Enterprises should also ensure inactive accounts are disabled uniformly across Active Directory and MFA systems, and patch all systems while prioritizing known exploited vulnerabilities.

The Russian state-sponsored actors gained initial access to the victim organization using compromised credentials and enrolled a new device in the organization’s Duo MFA, the advisory said. They obtained the credentials through a brute-force password-guessing attack, which succeeded against a victim account protected only by a simple, predictable password.

“The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory,” according to the advisory. “As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,” it added.  
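The gap the advisory describes is an account that one system (Duo) had silently dropped for inactivity while the other (Active Directory) still considered it enabled. The following is an added example, not code from the advisory or from Duo: it cross-checks a constructed AD user export against a constructed MFA user export and reports accounts that are enabled in AD but un-enrolled or device-less in the MFA directory, together with the dormant-account list that should have been disabled in AD. The record shapes, the 90-day inactivity limit and the MFA status values (`active`/`disabled`) are assumptions standing in for whatever your directory and MFA exports actually contain.

```python
"""Cross-check an AD user export against an MFA user export.

Added example (not from the CISA/FBI advisory or from Duo). Flags accounts that
are still enabled in AD but have no usable MFA enrollment, i.e. accounts an
attacker with a guessed password could enroll a new device for. Inputs are
constructed sample records standing in for CSV exports.
"""
from datetime import datetime, timedelta

# Constructed sample: AD users (sAMAccountName, enabled flag, last logon date).
AD_USERS = [
    {"sam": "jdoe",    "enabled": True,  "last_logon": "2022-03-10"},
    {"sam": "svc_old", "enabled": True,  "last_logon": "2021-01-15"},  # dormant, still enabled
    {"sam": "ex_emp",  "enabled": False, "last_logon": "2020-11-02"},  # correctly disabled
    {"sam": "asmith",  "enabled": True,  "last_logon": "2022-02-28"},
]

# Constructed sample: MFA user export. Status values are assumed; a user missing
# from this mapping is un-enrolled, like the NGO account in the advisory.
MFA_USERS = {
    "jdoe":   {"status": "active",   "devices": 1},
    "ex_emp": {"status": "disabled", "devices": 0},
    "asmith": {"status": "active",   "devices": 0},  # no device: a new one can be enrolled
}

INACTIVITY_LIMIT = timedelta(days=90)        # assumed policy threshold
REFERENCE_NOW = datetime(2022, 3, 15)        # fixed "today" so the run is reproducible


def _last_logon(user):
    return datetime.strptime(user["last_logon"], "%Y-%m-%d")


def find_reenrollment_exposure(ad_users, mfa_users, now=REFERENCE_NOW):
    """Return AD accounts for which an attacker could (re)enroll an MFA device.

    An account is exposed when it is enabled in AD and is either absent from
    the MFA directory or present with no enrolled device and not disabled.
    'dormant' records whether the account should already have been disabled.
    """
    findings = []
    for u in ad_users:
        if not u["enabled"]:
            continue
        mfa = mfa_users.get(u["sam"])
        if mfa is None:
            reason = "enabled in AD, not present in MFA directory"
        elif mfa["devices"] == 0 and mfa["status"] != "disabled":
            reason = "enabled in AD, MFA user has no enrolled device"
        else:
            continue
        dormant = (now - _last_logon(u)) > INACTIVITY_LIMIT
        findings.append({"sam": u["sam"], "reason": reason, "dormant": dormant})
    return findings


def accounts_to_disable(ad_users, now=REFERENCE_NOW):
    """Enabled AD accounts past the inactivity limit: the 'disable uniformly' list."""
    return sorted(u["sam"] for u in ad_users
                  if u["enabled"] and (now - _last_logon(u)) > INACTIVITY_LIMIT)


if __name__ == "__main__":
    for f in find_reenrollment_exposure(AD_USERS, MFA_USERS):
        print(f"EXPOSED: {f['sam']}: {f['reason']} (dormant={f['dormant']})")
    print("disable in AD:", accounts_to_disable(AD_USERS))
```

Run against real exports, `svc_old` is the case from the advisory (dormant, dropped by the MFA system, still enabled in AD), while `asmith` shows a second variant the same check catches: an MFA user record that still exists but has no device, so a first enrollment by an attacker would look legitimate. Feed `accounts_to_disable` into your AD disablement process rather than relying on the MFA system's own inactivity handling.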

Using the compromised account, the actors escalated privileges by exploiting the PrintNightmare vulnerability to obtain administrator rights, the advisory said. They then modified the hosts file on a domain controller, ‘c:\windows\system32\drivers\etc\hosts,’ so that Duo MFA API calls resolved to localhost instead of the Duo server.

“This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to ‘Fail open’ if the MFA server is unreachable,” it added.
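The hosts-file change is a simple, high-value detection: a cloud MFA vendor's API hostname should never resolve to a loopback, unspecified or internal address on a domain controller. The following is an added example, not code from the advisory or from Duo: a small parser that walks a hosts file (a constructed sample is embedded) and flags MFA vendor hostnames pinned to such addresses. The vendor domain list and the `api-XXXXXXXX` placeholder label are assumptions; the advisory does not disclose the real hostname.

```python
r"""Detect hosts-file entries that sinkhole MFA API hostnames.

Added example (not from the CISA/FBI advisory or from Duo). The advisory
describes c:\windows\system32\drivers\etc\hosts being edited so the Duo API
hostname resolved to localhost, which, with a fail-open policy, disabled MFA.
This parser flags MFA vendor hostnames mapped to loopback, unspecified,
private or link-local addresses. Vendor domains and sample lines are assumed.
"""
import ipaddress

# Assumed: domains an MFA agent must resolve to reach its cloud service.
MFA_DOMAINS = ("duosecurity.com", "okta.com", "microsoftonline.com")

# Constructed sample hosts file. api-XXXXXXXX is a placeholder label, not a
# real tenant hostname.
SAMPLE_HOSTS = r"""
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example      # constructed, benign
127.0.0.1  api-XXXXXXXX.duosecurity.com      # constructed tamper line
0.0.0.0    login.microsoftonline.com         # constructed tamper line
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """True if the address cannot be the vendor's Internet-facing API."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # an unparsable address also breaks resolution
    return (addr.is_loopback or addr.is_unspecified
            or addr.is_private or addr.is_link_local)


def find_mfa_redirects(text, domains=MFA_DOMAINS):
    """Return [(ip, hostname)] where an MFA vendor hostname is sinkholed."""
    hits = []
    for ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in domains) and is_sinkhole(ip):
            hits.append((ip, name))
    return hits


def scan_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Scan a real hosts file; path defaults to the Windows location."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_mfa_redirects(fh.read())


if __name__ == "__main__":
    for ip, name in find_mfa_redirects(SAMPLE_HOSTS):
        print(f"ALERT: {name} pinned to {ip}; MFA agent may fail open")
```

Private addresses are treated as suspicious on purpose: the vendor API is reached over the Internet, so an internal mapping is either an unsanctioned interception proxy or the tamper case above. Pair this check with a review of the MFA agent's fail mode, since the redirect only disables authentication when the agent is configured to fail open.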

With MFA effectively disabled, the actors authenticated to the victim’s virtual private network (VPN) as non-administrator users and made Remote Desktop Protocol (RDP) connections to Windows domain controllers, the advisory said. They ran commands to obtain credentials for additional domain accounts, then applied the same MFA configuration change to bypass MFA for these newly compromised accounts. The actors relied mostly on Windows utilities already present in the victim network to carry out this activity, it added.

Using these compromised accounts without MFA enforced, the Russian hackers were able to move laterally to the victim’s cloud storage and email accounts and access desired content.

In a recent advisory on Conti ransomware, the same agencies noted that Conti actors also exploited unpatched assets to escalate privileges and move laterally across victim networks. Those vulnerabilities included the 2017 Microsoft Windows Server Message Block 1.0 (SMBv1) server vulnerabilities, the PrintNightmare vulnerability in the Windows Print Spooler service, and the ‘Zerologon’ vulnerability (CVE-2020-1472) in Microsoft Active Directory domain controllers.

Earlier this week, the U.S. Department of Homeland Security (DHS) received a letter from a bipartisan group of 22 senators requesting a briefing on the department’s efforts to protect the nation’s public and private sector enterprises from the Russian government’s cyber and disinformation threats. The senators’ request for information on efforts to protect critical infrastructure and businesses from retaliatory Russian cyberattacks came after the U.S. announced trade and energy penalties on Russia and approved US$14 billion in aid for Ukraine.
