Russian state-sponsored cyber actors have used misconfigured default multi-factor authentication (MFA) protocols to access networks and exploit the "Windows Print Spooler" vulnerability at a non-governmental organization (NGO), according to a joint Cybersecurity Advisory from the FBI and U.S. Cybersecurity & Infrastructure Security Agency (CISA). They did so as early as May 2021.By exploiting a misconfigured account set to default MFA protocols, the cyber actors were able to enroll a new device for MFA and access the victim's network, the advisory indicated. They then exploited PrintNightmare to run arbitrary code with system privileges.In addition, the cyber actors exploited PrintNightmare while targeting an NGO using Cisco Duo MFA, the advisory stated. As such, they were able to access cloud and email accounts for document exfiltration.CISA also provides publicly available, open-source intelligence and information regarding the Russian government's malicious cyber activities. Here, organizations can find intelligence and information on cyber threats attributed to Russian government actors and instructions on how to report related threat activity.
How to Protect Networks Against Russian State-Sponsored Cyber Actors
The FBI and CISA are encouraging organizations to do the following to protect their networks against Russian state-sponsored cyber actors:- Enforce MFA and review configuration policies to guard against "fail open" and re-enrollment scenarios.
- Ensure inactive accounts are disabled uniformly across Active Directory and MFA systems.
- Patch systems regularly and prioritize patching for known exploited vulnerabilities.




