H-ISAC TLP White Threat FBI and CISA Release CSA on Russian State-Sponsored Cyber Actors Accessing Networks Misconfigured with Default MFA Protocols

The United States Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default multifactor authentication (MFA) protocols and a known vulnerability.

As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO) allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a known Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527) to run arbitrary code and access 

the victim’s Google cloud and email accounts for document exfiltration.

CISA and FBI encourage all organizations to be cognizant of this threat and apply the recommended mitigations in this advisory. Health-ISAC is releasing this bulletin for your increased security awareness. The full joint CSA, with additional details, can be accessed here.

As early as May of 2021, the FBI observed Russian state-sponsored cyber actors gain access to an NGO, exploit a flaw in default MFA protocols, and move laterally to the NGO’s cloud environment. Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.  

Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the “PrintNightmare” vulnerability (CVE-2021-34527)  to obtain administrator privileges. The actors also modified a domain controller file, c[:]\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost instead of the Duo server. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable.

After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts. The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity.  Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim’s cloud storage and email accounts and access desired content.

View the detailed report below.