In a joint advisory, the FBI and CISA warned organisations to be on alert and bolster their multi-factor authentication security.
The US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have warned organisations to take action after revealing details of how state-sponsored hackers in Russia were able to gain access to an unnamed NGO’s network.
Published yesterday (15 March), a joint advisory alert detailed the vulnerabilities in multi-factor authentication (MFA) exploited by Russian hackers to access the NGO’s cloud and email accounts to extract sensitive documents.
🛡 Shields Up! Russian state-sponsored actors have exploited default Multi-Factor Authentication (MFA) protocols. Make sure your MFA protocols are configured properly! Read our latest advisory w/@FBI to defend your networks against this attack: https://t.co/zzY2gkxNkp pic.twitter.com/5m0150wj2O
— Cybersecurity and Infrastructure Security Agency (@CISAgov) March 15, 2022
The attack started as early as May last year, the agencies said, when the hackers took advantage of a misconfigured account set to default MFA protocols in the NGO’s systems. This allowed them to enrol a new device for MFA and access the network.
‘PrintNightmare’, a Windows Print Spooler vulnerability that can allow hackers to take over systems remotely, was then exploited to run arbitrary code with system privileges. The NGO was using Cisco’s Duo MFA.
How did they access the network?
The initial access to credentials for the misconfigured account was made using a brute-force password guessing attack, the US agencies said, “allowing them access to a victim account with a simple, predictable password”.
While this account had been un-enrolled from Duo after a long period of inactivity, the advisory noted that it had not been disabled in Active Directory – allowing new devices to be re-enrolled to dormant accounts. The hackers then modified a domain controller to redirect Duo MFA calls so that the Duo server was never contacted to validate the login.
“This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to ‘fail open’ if the MFA server is unreachable,” the agencies noted, adding that ‘fail open’ can happen to any MFA service and is not exclusive to Duo.
The whole process culminated in Russian hackers moving freely around the NGO’s cloud storage and email accounts, gaining access to files.
“This exploit is an example of why organisations need to be extra vigilant and adopt a heightened cybersecurity posture that includes enforcing MFA and reviewing configuration to protect against ‘fail open’ and re-enrolment scenarios,” CISA said in a tweet.
FBI and CISA advice
Following this incident, the FBI and CISA have recommended that organisations “remain cognisant of the threat of state-sponsored cyber actors exploiting default MFA protocols and exfiltrating sensitive information”.
Organisations should enforce MFA for all users, without exception, and review configuration policies to protect against ‘fail open’ and re-enrolment scenarios, the advisory noted.
To prevent brute-force password guessing login attempts, organisations should also implement time-out and lock-out features, and ensure that inactive accounts are disabled uniformly across Active Directory and the MFA system.
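The gap described above – an account dropped from Duo enrolment but left enabled in Active Directory – is the kind of mismatch a periodic audit can catch. The following is an added example, not code from the advisory or from Duo; it assumes a constructed export that joins directory accounts with the MFA provider’s enrolment list (field names are assumptions, not a real AD or Duo schema) and flags both the re-enrolment scenario and enabled-but-dormant accounts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Account:
    # Assumed fields: a joined view of the directory and the MFA enrolment list.
    name: str
    ad_enabled: bool        # still enabled in Active Directory
    last_logon: datetime    # last successful interactive logon
    mfa_enrolled: bool      # present in the MFA provider's enrolment list


INACTIVITY_LIMIT = timedelta(days=90)  # assumed policy threshold


def audit(accounts, now, limit=INACTIVITY_LIMIT):
    """Return {account_name: [issue, ...]} for accounts needing action.

    Two conditions mirror the advisory: an enabled directory account that is
    no longer MFA-enrolled can enrol a fresh device, and an enabled account idle
    past the limit is a dormant target for password guessing.
    """
    findings = {}
    for acct in accounts:
        issues = []
        if acct.ad_enabled and not acct.mfa_enrolled:
            issues.append("enabled-in-AD-but-unenrolled-from-MFA")
        if acct.ad_enabled and now - acct.last_logon > limit:
            issues.append("enabled-but-inactive")
        if issues:
            findings[acct.name] = issues
    return findings


# Constructed sample data for the example.
SAMPLE_NOW = datetime(2022, 3, 15)
SAMPLE_ACCOUNTS = [
    Account("alice", True, datetime(2022, 3, 14), True),    # healthy
    Account("dormant1", True, datetime(2021, 4, 1), False), # the advisory's case
    Account("bob", True, datetime(2021, 11, 1), True),      # idle but still enrolled
    Account("former", False, datetime(2021, 1, 1), False),  # correctly disabled
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_ACCOUNTS, SAMPLE_NOW).items():
        print(name, ", ".join(issues))
```

In practice the account list would come from a directory export and the enrolment list from the MFA provider’s admin interface, and any account flagged with both issues is the one the advisory describes.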
Software should be regularly updated, including critical patches for known vulnerabilities such as PrintNightmare, and all passwords should be required to be strong and unique across systems.
The FBI and CISA recommended that organisations also continuously monitor network logs for suspicious activity and implement security alerting policies for all changes to security-enabled accounts.
Last week, US cybersecurity companies Cloudflare, CrowdStrike and Ping Identity said they would offer many of their products and services for free to US critical infrastructure organisations, such as hospitals and water and energy utilities, in anticipation of potential cyberattacks from Russia.
This followed a joint advisory last month, issued by cybersecurity authorities in the US, UK and Australia, warning of an increase in sophisticated, high-impact ransomware attacks on critical infrastructure globally.