CISA and FBI warning: Hackers used these tricks to dodge multi-factor authentication and steal email from NGO

Watch out for default configuration on MFA implementation.
Written by Liam Tung, Contributing Writer

Russian state-sponsored hackers have used a clever technique to disable multi-factor authentication (MFA) and exploit a Windows 10 printer spooler flaw to compromise networks and high-value domain accounts. The goal? Accessing the victim's cloud and email.  

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about Russian state-sponsored activity that pre-dates recent warnings over cyber activity related to Russia's military invasion of Ukraine. 

As early as May 2021, the hackers combined a default configuration issue in a Duo MFA setup at a non-government organization (NGO) with the critical Windows 10 PrintNightmare flaw CVE-2021-34481 to compromise it. 

SEE: There's a critical shortage of women in cybersecurity, and we need to do something about it

Microsoft patched that elevation of privilege issue in August. Once inside a network, the flaw allowed an attacker to create new accounts on Windows 10 machines. 

In the NGO's case, the use of a weak password allowed the attackers to use a password-guessing attack to gain the credentials for initial access. The attackers also used the fact that Duo's default configuration setting allows the enrollment of a new device for dormant accounts.  

"Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization's Duo MFA. The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password," CISA said in an alert.   

After compromising the account, PrintNightmare came into play, with the attackers using it to escalate privileges to a more powerful admin level and then "effectively" disabled MFA for the compromised account.

"This change prevented the MFA service from contacting its server to validate MFA login – this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to "Fail open" if the MFA server is unreachable," CISA explains. 

It notes that the "fail open" issue is not specific to Duo. 

From there, the operation was repeated but applied to higher-value domain accounts. After disabling MFA, the attackers authenticated to the victim's VPN as non-administrator users and made RDP connections to the Windows domain controllers. They nabbed credentials for additional domain accounts and went on to change the MFA configuration file, allowing them to bypass MFA for these newly compromised accounts. 

"Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim's cloud storage and email accounts and access desired content," CISA explains.  

CISA outlines several mitigations related to and beyond MFA implementations. The MFA-specific mitigations include: 

  • Before implementing, organizations should review configuration policies to protect against "fail open" and re-enrollment scenarios.
  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
  • Updating software and prioritizing patching of known exploited vulnerabilities, especially critical and high-level vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
  • Require service accounts, admin accounts, and domain admin accounts to have strong, unique passwords. 
Editorial standards