
Sunday 20 March 2022

CISA/FBI Alert: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability

Summary

The US CISA and FBI recently released a joint Cybersecurity Advisory (Alert AA22-074A) warning organizations that Russian state-sponsored cyber actors have gained network access by exploiting default multifactor authentication (MFA) protocols together with a known vulnerability. Having obtained an initial foothold, the actors exploited the critical Windows Print Spooler vulnerability "PrintNightmare" (CVE-2021-34527) to run arbitrary code with SYSTEM privileges. The activity dates back to at least May 2021 and was observed against a non-governmental organization (NGO) that used Cisco's Duo MFA; the actors used the access to reach the organization's cloud and email accounts and exfiltrate documents.

The advisory provides further details regarding observed tactics, techniques, and procedures (TTPs), as well as indicators of compromise and mitigations to protect against this threat. 

Analysis

Potential Impact

Because state-sponsored attackers are well resourced and patient, a successful entry into a targeted network can be devastating. Persistent access may go undetected for an extended period, allowing the attackers to move laterally, harvest credentials to extend their access, and exfiltrate sensitive personal or proprietary information that can then be exploited further, whether for financial gain or for espionage.

Depending on the targeted organization, there could be significant geopolitical ramifications as well.

Recommendations

The FBI and CISA urge all organizations to remain cognizant of the threat posed by state-sponsored cyber actors and to apply the recommendations in the Mitigations section of the advisory, including the following:

  • Enforce MFA for all users and review MFA configuration policies to protect against "fail open" and re-enrollment scenarios: an MFA client that permits logon when it cannot reach the MFA service, and an account that has been un-enrolled from MFA but can still enroll a new device.
  • Ensure inactive accounts are disabled uniformly across Active Directory and the MFA system, so that an account dropped from one is not left usable in the other.
  • Patch all systems. Prioritize patching for known exploited vulnerabilities.
  • Please refer to the alert for detailed mitigation strategies.
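The following audit script is an added example written for this post; it is not code from the CISA/FBI advisory. It is a read-only check of the three recommendations above against a domain and the local host: enabled Active Directory accounts with no recent logon (the kind the advisory describes being brute-forced and re-enrolled), the Duo fail-open setting, and the Print Spooler state plus the Point and Print registry values from Microsoft's CVE-2021-34527 guidance. It assumes the RSAT ActiveDirectory module is installed; the Duo registry path is the one documented for Duo Authentication for Windows Logon, and must be adapted for other Duo integrations, which store their fail mode elsewhere. The 90-day inactivity threshold and the patch-date heuristic are assumptions you should tune to your environment.

```powershell
<#
  Added example (not from the advisory or this post): read-only audit of
  stale accounts, MFA fail-open and PrintNightmare exposure.
  Run on a domain-joined host with RSAT; the host-local checks can be
  wrapped in Invoke-Command to cover other machines.
#>
param(
    # Assumption: accounts with no logon for this many days count as inactive.
    [int]$InactiveDays = 90
)

$findings = New-Object System.Collections.Generic.List[string]

# --- 1. Enabled AD accounts that have gone inactive ---------------------------
# These are the accounts to disable in AD *and* remove from the MFA tenant;
# an account that is gone from MFA but still enabled in AD is the gap the
# advisory describes.
Import-Module ActiveDirectory -ErrorAction Stop
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled }
foreach ($acct in $stale) {
    $findings.Add("AD: enabled account '$($acct.SamAccountName)' has no logon in $InactiveDays+ days (LastLogonDate=$($acct.LastLogonDate)); disable it in AD and in the MFA system")
}

# --- 2. MFA fail-open on this host -------------------------------------------
# Assumption: Duo Authentication for Windows Logon keeps its fail mode in
# HKLM\SOFTWARE\Duo Security\DuoCredProv, value FailOpen (1 = allow logon when
# the Duo service is unreachable). Confirm against your deployed version.
$duoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
if (Test-Path $duoKey) {
    $failOpen = (Get-ItemProperty -Path $duoKey -Name FailOpen -ErrorAction SilentlyContinue).FailOpen
    if ($failOpen -eq 1) {
        $findings.Add("MFA: Duo Windows Logon is set to fail open (FailOpen=1); set FailOpen=0 so loss of contact with Duo denies logon")
    } elseif ($null -eq $failOpen) {
        $findings.Add("MFA: Duo Windows Logon has no explicit FailOpen value; confirm the effective default for this version and set it to 0")
    }
}

# --- 3. PrintNightmare (CVE-2021-34527) exposure ------------------------------
# Microsoft's guidance: install the update, disable the Print Spooler where it
# is not needed (especially on domain controllers), and ensure Point and Print
# does not let non-administrators install drivers silently.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings.Add("Spooler: Print Spooler is running (StartType=$($spooler.StartType)); stop and disable it on hosts that do not need to print")
}
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
if (Test-Path $pnpKey) {
    $pnp = Get-ItemProperty -Path $pnpKey
    # Both values must be 0 or absent per Microsoft's CVE-2021-34527 guidance.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($pnp.$name -eq 1) {
            $findings.Add("Spooler: Point and Print '$name' is 1; it must be 0 or absent")
        }
    }
    # Explicitly setting this to 0 re-opens non-admin driver installation.
    if ($pnp.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings.Add("Spooler: RestrictDriverInstallationToAdministrators is explicitly 0; remove it or set it to 1")
    }
}

# --- 4. Rough patch-level check -----------------------------------------------
# Assumption: cumulative updates supersede each other, so any security update
# installed on or after 2021-07-06 (the out-of-band PrintNightmare release)
# carries the fix. Verify the exact KB for your build if this is unclear.
$latest = Get-HotFix | Where-Object { $_.Description -match 'Security Update' } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt [datetime]'2021-07-06') {
    $findings.Add("Patch: newest security update is '$($latest.HotFixID)' from $($latest.InstalledOn); nothing installed since the CVE-2021-34527 fix")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[FINDING] $_" } }
```

The script only reports; remediation (disabling the accounts in both AD and the MFA tenant, setting FailOpen to 0, stopping the spooler, applying the update) is deliberately left as a separate, change-controlled step. Run the AD query from a host with RSAT and sufficient read rights, and the host checks on every member server and domain controller, either directly or through Invoke-Command.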

General information on Russian state-sponsored malicious cyber activity is available at https://www.cisa.gov/uscert/russia. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure, as well as additional mitigation recommendations, see AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and the CISA Shields Up website.

We recommend that clients review the mitigation references in the alert and apply any necessary software updates as soon as possible, once appropriate evaluation and testing have been completed.

References

https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://www.cisa.gov/uscert/russia
https://www.cisa.gov/uscert/ncas/alerts/aa22-011a
https://www.cisa.gov/shields-up
