Russia-backed Hackers Bypassed MFA, Exploited Print Vulnerability

Verification code on SMS or push message in smartphone and computer pc

Russian-backed cyber attackers penetrated the network of a private sector organization by exploiting default multi-factor authentication (MFA) protocols and leveraging a previously known print vulnerability, the Cybersecurity and Infrastructure Security Agency (CISA) said in a recent advisory.

The cyber break-in enabled the hackers--which began working the steal as early as May, 2021-- to enroll a new device for the non-governmental entity’s Cisco’s Duo MFA and gain access to the victim’s network. Once inside, the crew exploited a known critical vulnerability in Windows Print Spooler (CVE-2021-34527) to exfiltrate data in the victim’s cloud and email accounts.

The victim's account had been dis-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory, CISA said.

Here are more details of the operation:

  • The actors gained the credentials via brute-force password attack allowing them access to a victim account with a simple, predictable password.
  • Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts.
  • The actors also modified a domain controller file, redirecting Duo MFA calls to localhost instead of the Duo server, preventing the MFA service from contacting its server to validate MFA login. Note: The misconfiguration is not exclusive to Duo.
  • After effectively disabling MFA, the hackers successfully authenticated to the victim’s virtual private network (VPN) as non-administrator users and made Remote Desktop Protocol (RDP) connections to Windows domain controllers.
  • Leveraging mostly internal Windows tools in the victim’s network, the actors ran commands to obtain credentials for additional domain accounts, changed the MFA configuration file and bypassed MFA for the newly compromised accounts.

Solely relying on multi-factor authentication to protect network access from cyber actors and ransomware gangs is not enough, said Julia O'Toole, founder and chief executive of MyCena Security Solutions. “It is important for companies to understand that they must play a more active role in their own cyber-defense. With this MFA vulnerability, it proves even the most secure-seeming security methods will not stop attackers, especially those sponsored by the Russian state."

The FBI and CISA recommend organizations take the following seven measures to mitigate the MFA cyber threat:

  1. Enforce MFA for all users. Review configuration policies to protect against re-enrollment scenarios.
  2. Implement time-out and lock-out features in response to repeated failed login attempts.
  3. Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems etc.
  4. Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
  5. Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
  6. Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.
  7. Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.