The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint advisory warning that Russia-backed threat actors hacked the network of an unnamed non-governmental entity by exploiting a combination of flaws.
“As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default [multi-factor authentication] protocols at a non-governmental organization (NGO), allowing them to enrol a new device for MFA and access the victim network,” the agencies said.
“The actors then exploited a critical Windows Print Spooler vulnerability, ‘PrintNightmare’ (CVE-2021-34527) to run arbitrary code with system privileges.”
The attack was pulled off by gaining initial access to the victim organization via compromised credentials – obtained by means of a brute-force password guessing attack – and enrolling a new device in the organization’s Duo MFA.
It’s also noteworthy that the breached account was un-enrolled from Duo due to a long period of inactivity, but had not yet been disabled in the NGO’s Active Directory, thereby allowing the attackers to escalate their privileges using the PrintNightmare flaw and disable the MFA service altogether.
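A defender-side check for the second condition the article describes (accounts inactive long enough to be dropped from MFA but still enabled in Active Directory), added here as an example and not code from the advisory or the article. It assumes the ActiveDirectory RSAT module is available and treats the 90-day window as a placeholder to be matched to the MFA provider's inactivity setting.

```powershell
# Added example (not from the advisory or the article): list enabled AD user accounts
# that have been inactive longer than the MFA provider's un-enrollment window, so they
# can be disabled before someone re-enrolls a device against them.
# Assumptions: ActiveDirectory RSAT module present; the caller can query the domain;
# $InactiveDays is a placeholder threshold.
Import-Module ActiveDirectory

$InactiveDays = 90

# Search-ADAccount compares lastLogonTimestamp against the span. That attribute is
# replicated lazily (roughly 9-14 days of slack), so treat the result as a floor.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled }

$report = foreach ($acct in $stale) {
    $u = Get-ADUser -Identity $acct.SamAccountName -Properties LastLogonDate, PasswordLastSet, MemberOf
    [PSCustomObject]@{
        SamAccountName  = $u.SamAccountName
        LastLogonDate   = $u.LastLogonDate
        PasswordLastSet = $u.PasswordLastSet
        # Flag membership in high-value groups so these get disabled first.
        Privileged      = (@($u.MemberOf) -match 'Domain Admins|Enterprise Admins|CN=Administrators').Count -gt 0
    }
}

$report | Sort-Object Privileged -Descending | Format-Table -AutoSize

# Preview the disable action; drop -WhatIf once the list has been reviewed.
$report | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Pair this with the MFA provider's own enrollment log: a new device enrolled for an account that appears in this report is the pattern the advisory describes.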