Russia-linked attackers breach NGO by exploiting MFA, PrintNightmare vuln

Patch flaws and enforce authentication policies, CISA and FBI warn

Russian state-sponsored threat actors breached a non-governmental organization (NGO) last year by abusing multifactor authentication (MFA) defaults and then exploiting the PrintNightmare vulnerability in the Windows Print Spooler.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint alert on March 15 warning organizations that state-backed attackers could use the same MFA defaults and the same flaw to gain access to their networks.

In this case, the unnamed group took advantage of a misconfigured account together with the NGO's default MFA settings.

The attackers enrolled a new device for MFA on that account and used it to get into the NGO's network. They then exploited the PrintNightmare flaw – tracked as CVE-2021-34527 – to run malicious code with system privileges, which gave them access to email accounts, let them move laterally into the organization's cloud environment, and let them steal documents.

The attack started in May 2021. CISA and the FBI did not disclose how long the attack lasted nor the identity of the targeted NGO.

"At CISA, we are great believers in multifactor authentication," CISA director Jen Easterly said. "It remains one of the most effective measures individuals and organizations can take to reduce their risk to malicious cyber activity. This advisory demonstrates the imperative that organizations configure MFA properly to maximize effectiveness."

Aaron Turner, vice president of SaaS posture at cybersecurity firm Vectra, told The Register in an email that since 2020, Russia had "shown that they have developed significant capabilities to bypass MFA when it is poorly implemented or operated in a way that allows attackers to compromise material pieces of cloud identity supply chains."

He added: "This latest advisory shows that organizations who implemented MFA as a 'check the box' compliance solution are seeing the MFA vulnerability exploitation at scale."

The NGO attack illustrates why user account hygiene is important and why security patches need to be applied as quickly as possible, according to Mike Parkin, senior technical engineer at cybersecurity firm Vulcan Cyber.

"This breach by Russian state-sponsored actors relied on both a vulnerable account that should have been disabled entirely and an exploitable vulnerability in the target environment," Parkin told The Register in an email. "While the patch for [PrintNightmare] was only available after the initial attack, good account hygiene would have prevented the initial access the attackers used to execute the attack against the victim."

PrintNightmare is a remote code execution flaw in Microsoft's Windows Print Spooler service. It was disclosed in summer 2021 and kicked off a run of printing-related security issues for the enterprise software and cloud giant. Microsoft issued a patch for the vulnerability soon after its disclosure.

The alert from CISA and the FBI comes amid heightened worries about cyberattacks linked to Russia and its invasion of neighboring Ukraine. Ukraine has come under steady assault from cyberattacks and there has been some spillover to companies in countries outside of Eastern Europe.

In the attack on the NGO, the bad actors used a brute-force password-guessing attack against an account that had a simple, predictable password, and then used that account to enroll a new device in the organization's Duo MFA, according to the US agencies.

"The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory," according to the alert.

"As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network."

With that foothold, the threat actors exploited the PrintNightmare vulnerability to gain administrator privileges and modified a domain controller so that the Duo MFA integration could no longer contact its server to validate logins; because the integration was configured to fail open rather than closed, that effectively switched MFA off. The attackers then authenticated to the victim's virtual private network (VPN) as non-administrator users and made Remote Desktop Protocol (RDP) connections to Windows domain controllers, from which they obtained credentials for other domain accounts.

Bud Broomhead, CEO of cybersecurity vendor Viakoo, said organizations should expect to see more of this kind of attack vector, and that patching printers and other Internet of Things devices should be a high priority.

"SIM swapping is enabling more exploits to happen despite MFA being set up properly on devices that support MFA," Broomhead told The Register in an email. "Many IoT devices lack multifactor authentication, making it critically important that organizations have a strategy for enforcing corporate password policies across their fleets of IoT devices, including regular password rotations, complex passwords being used and coordination of passwords with the applications using IoT devices."

"Industry-best practices go a long way toward preventing the kind of attack seen here," Vulcan Cyber's Parkin said. "Default configurations should be updated to a secure configuration. Systems should be configured to fail closed rather than open. Unused accounts should be disabled. Default accounts, if they need to remain in service, should have their passwords changed from the initial default to something secure. Patches should be deployed as soon as practical. Access should be restricted to the minimal required levels."
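The two controls that would have broken the chain described above are checkable: enabled Active Directory accounts that have gone dormant long enough to be un-enrolled from MFA, and a domain controller hosts file that has been edited to stop the MFA integration reaching its cloud service (the CISA/FBI advisory describes the domain controller modification as a hosts-file redirect of the Duo API hostname to localhost). The following audit script is an added example, not code from the article, CISA, the FBI or Duo; the AD rows, the hosts-file contents and the `api-1234abcd.duosecurity.com` hostname are constructed for illustration, and the 90-day dormancy window is an assumption you should match to your MFA vendor's inactivity setting.

```python
"""Audit for the two weaknesses in the NGO attack chain (added example).
(1) Accounts still enabled in AD but dormant: an attacker who guesses their
    password can re-enroll a device if the MFA service has dropped them.
(2) hosts-file entries that pin the MFA vendor's hostname to an address:
    this silently breaks the integration's cloud check-in, and a fail-open
    integration then lets the login through without a second factor.
Inputs here are constructed; in production feed an AD export and the
hosts file collected from each domain controller."""
from datetime import datetime, timedelta
import ipaddress

# Constructed AD export (assumption: one row per user).
AD_EXPORT = [
    {"sam": "jdoe", "enabled": True, "last_logon": "2021-01-12", "mfa_enrolled": False},
    {"sam": "svc-backup", "enabled": True, "last_logon": "2022-03-01", "mfa_enrolled": True},
    {"sam": "oldcontractor", "enabled": False, "last_logon": "2020-06-30", "mfa_enrolled": False},
    {"sam": "asmith", "enabled": True, "last_logon": "2022-02-20", "mfa_enrolled": True},
]

# Constructed hosts file; the last line is the kind of edit an attacker makes.
HOSTS_FILE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       api-1234abcd.duosecurity.com   # attacker-added: MFA now fails open
"""

DORMANT_AFTER = timedelta(days=90)          # assumption: vendor inactivity window
MFA_SUFFIXES = ("duosecurity.com",)         # assumption: vendor API hostname suffix


def dormant_but_enabled(rows, now, dormant_after=DORMANT_AFTER):
    """Return (account, reason) for enabled accounts with no logon inside the
    dormancy window. These should be disabled in AD, not left for the MFA
    service to quietly un-enroll. Un-enrolled ones are the most urgent."""
    hits = []
    for r in rows:
        if not r["enabled"]:
            continue
        last = datetime.strptime(r["last_logon"], "%Y-%m-%d")
        if now - last > dormant_after:
            reason = "dormant, not MFA-enrolled" if not r["mfa_enrolled"] else "dormant"
            hits.append((r["sam"], reason))
    return sorted(hits)


def hosts_overrides(hosts_text, suffixes=MFA_SUFFIXES):
    """Return (hostname, address, kind) for hosts-file lines that resolve an
    MFA vendor hostname locally. Any pin is suspicious: the vendor's API should
    resolve through DNS. Loopback/unspecified pins are reported as 'sinkholed'."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # strip comments
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]      # hosts lines may list several names
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        kind = "sinkholed" if ip.is_loopback or ip.is_unspecified else "pinned"
        for name in names:
            if name.lower().endswith(suffixes):
                findings.append((name.lower(), addr, kind))
    return findings


if __name__ == "__main__":
    now = datetime(2022, 3, 15)
    for sam, why in dormant_but_enabled(AD_EXPORT, now):
        print(f"disable in AD: {sam} ({why})")
    for host, addr, kind in hosts_overrides(HOSTS_FILE):
        print(f"hosts-file tampering: {host} -> {addr} ({kind})")
```

Run against real data, the first function gives you the disable list Parkin describes; the second is a cheap check to run on every domain controller and on any host running an MFA integration, and it belongs alongside turning the integration's fail mode to closed, which is what removes the payoff from this kind of tampering.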

Corey O'Connor, director of products at SaaS security vendor DoControl, added that access controls also are a key part of any mitigation strategy. Wrapping granular access controls around business-critical applications that include sensitive data would go a long way to preventing the data from being stolen.

"If MFA becomes compromised, there is still a lifeline through least privilege policy enforcement to minimize the access to that sensitive data," O'Connor told The Register in an email. "Potentially malicious or high-risk activity can be detected if the files are being accessed by unknown IP addresses or other parameters that present high levels of risk." ®

Biting the hand that feeds IT © 1998–2022