Russian state-sponsored cyber actors used misconfigured default multi-factor authentication (MFA) protocols to access networks and exploit the "Windows Print Spooler" vulnerability at a non-governmental organization (NGO) as early as May 2021, according to a joint Cybersecurity Advisory from the FBI and the U.S. Cybersecurity & Infrastructure Security Agency (CISA).
By exploiting a misconfigured account set to default MFA protocols, the cyber actors were able to enroll a new device for MFA and access the victim's network, the advisory indicated. They then exploited PrintNightmare to run arbitrary code with system privileges.
In addition, the cyber actors exploited PrintNightmare while targeting an NGO that used Cisco Duo MFA, the advisory stated. That access let them reach cloud and email accounts for document exfiltration.
How to Protect Networks Against Russian State-Sponsored Cyber Actors
The FBI and CISA are encouraging organizations to do the following to protect their networks against Russian state-sponsored cyber actors:
- Enforce MFA and review configuration policies to guard against "fail open" and re-enrollment scenarios.
- Ensure inactive accounts are disabled uniformly across Active Directory and MFA systems.
- Patch systems regularly and prioritize patching for known exploited vulnerabilities.
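One way to operationalize the second recommendation, as an added example that is not from the advisory or from any MFA vendor: a reconciliation check that flags MFA identities left active for accounts Active Directory has disabled or that have gone inactive, then surfaces new device enrollments on those accounts, which is the re-enrollment scenario the advisory describes. The account names, timestamps and audit-event format are constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One row per AD account and per user in the MFA provider's directory.
AdAccount = namedtuple("AdAccount", "name enabled last_logon")
MfaUser = namedtuple("MfaUser", "name status")  # status: "active" or "disabled"

NOW = datetime(2021, 5, 15)
DORMANT_AFTER = timedelta(days=90)  # inactivity window used by the check

# Constructed sample data (illustrative only, not taken from the advisory).
AD_ACCOUNTS = [
    AdAccount("alice", True, NOW - timedelta(days=2)),
    AdAccount("bob", True, NOW - timedelta(days=200)),     # long inactive, still enabled
    AdAccount("carol", False, NOW - timedelta(days=400)),  # disabled in AD only
]
MFA_USERS = [MfaUser("alice", "active"), MfaUser("bob", "active"),
             MfaUser("carol", "active"), MfaUser("dave", "active")]
# Constructed MFA audit log entries: (timestamp, user, event type)
MFA_EVENTS = [
    (NOW - timedelta(hours=3), "bob", "device_enrolled"),
    (NOW - timedelta(hours=2), "alice", "auth_success"),
]

def dormant(acct, now=NOW):
    """Dormant: disabled in AD, or no logon within the inactivity window."""
    return (not acct.enabled) or (now - acct.last_logon) > DORMANT_AFTER

def reconcile(ad_accounts, mfa_users, now=NOW):
    """Return {user: reason} for MFA identities that are active but should not be."""
    ad = {a.name: a for a in ad_accounts}
    findings = {}
    for u in mfa_users:
        if u.status != "active":
            continue
        acct = ad.get(u.name)
        if acct is None:
            findings[u.name] = "MFA user has no matching AD account"
        elif not acct.enabled:
            findings[u.name] = "disabled in AD but active in MFA"
        elif dormant(acct, now):
            findings[u.name] = "inactive in AD but active in MFA"
    return findings

def suspicious_enrollments(events, findings):
    """Device enrollments on accounts reconcile() flagged; these warrant investigation."""
    return [(ts, user) for ts, user, ev in events
            if ev == "device_enrolled" and user in findings]
```

Running the check on a schedule and alerting on any non-empty result from suspicious_enrollments() catches the gap between an account going stale in AD and its MFA identity being disabled.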
CISA also provides publicly available, open-source intelligence and information regarding the Russian government's malicious cyber activities. There, organizations can find intelligence and information on cyber threats attributed to Russian government actors and instructions on how to report related threat activity.
Cybersecurity Companies to Help Organizations Protect Against Russian Cyber Threats
Cloudflare, CrowdStrike and Ping Identity in March 2022 announced a Critical Infrastructure Defense Project. Together, these companies are providing free cybersecurity services to help MSSPs and other organizations mitigate cyber risks amid Russia's invasion of Ukraine.
Meanwhile, to stay up to date on cyber incidents relating to Russia's invasion of Ukraine, track CISA alerts. Also, check out our Russia-Ukraine conflict timeline, which is updated regularly.