Hackers Breach Multifactor Authentication

Hackers have been detected exploiting Multi-Factor Authentication (MFA) default protocols in combination with the “PrintNightmare” vulnerability.

State-sponsored threat actors from Russia over the last year breached a non-governmental organisation (NGO) by leveraging multifactor authentication (MFA) defaults and exploiting the PrintNightmare vulnerability in Windows Print Spooler. 

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have analysed the intrusion and released an advisory raising serious concern about how Russian state-sponsored actors gained access to an NGO's network.

CISA has observed regular targeting of US Security Cleared Defense Contractors (CDCs) by Russian state-sponsored cyber actors. Microsoft has assigned CVE-2021-34527 to the print spooler remote code execution vulnerability known as "PrintNightmare" and confirmed that the offending code is present in all versions of Windows.

The hackers were able to gain access to an NGO’s cloud and email accounts, move laterally in the organisation’s network and exfiltrate documents, according to the FBI and CISA.

The actors have targeted both large and small CDCs and subcontractors with varying levels of cyber security protocols and resources. “Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security... These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data,” says CISA.

As early as May 2021, the hackers gained access to the NGO’s network by guessing the password of an inactive account to enroll a new device in the organisation’s Duo MFA. 

They exploited the PrintNightmare vulnerability, which caused havoc in 2021 before being patched, to gain domain administrator access, then redirected Duo MFA so that multi-factor authentication was disabled for active accounts, which let them add even more accounts. CISA does not give details of what data was exfiltrated, but the FBI and CISA set out what organisations should do, in addition to reminding them to “remain cognisant of the threat of state-sponsored cyber actors”, including:

  • Enforce MFA for all users, without exception.
  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
  • Update software, including operating systems, applications, and firmware on IT network assets in a timely manner.
  • Require all accounts with password logins
  • Continuously monitor network logs for suspicious activity and unauthorised or unusual login attempts.
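Several of these recommendations (lock-out on repeated failures, disabling inactive accounts in both the directory and the MFA system, and monitoring logs for unusual login and enrollment activity) can be checked against authentication logs. The script below is an added illustration, not code from the advisory or from CISA; it runs over a handful of constructed log lines in a made-up `timestamp event user= src= [device=]` format and flags the sequence described above: a burst of failed logins followed by a success, any sign-in or MFA device enrollment on an account the organisation considers inactive, and a new MFA device enrolled shortly after such a burst. The account names, IP addresses, device id, field names and thresholds are all assumptions.

```python
"""Audit authentication events for the patterns the advisory describes.

Added example (not CISA's or Duo's code). Log format, account names, addresses
and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line:
#   <ISO timestamp> <EVENT> user=<name> src=<ip> [device=<id>]
SAMPLE_LOG = """\
2021-05-03T02:11:04Z LOGIN_FAIL user=jsmith src=203.0.113.10
2021-05-03T02:11:09Z LOGIN_FAIL user=jsmith src=203.0.113.10
2021-05-03T02:11:15Z LOGIN_FAIL user=jsmith src=203.0.113.10
2021-05-03T02:11:21Z LOGIN_FAIL user=jsmith src=203.0.113.10
2021-05-03T02:11:27Z LOGIN_FAIL user=jsmith src=203.0.113.10
2021-05-03T02:11:33Z LOGIN_OK user=jsmith src=203.0.113.10
2021-05-03T02:13:40Z MFA_ENROLL user=jsmith src=203.0.113.10 device=phone-7f3a
2021-05-03T09:00:02Z LOGIN_OK user=alice src=10.0.0.5
2021-05-03T09:01:10Z LOGIN_FAIL user=bob src=10.0.0.7
2021-05-03T09:01:20Z LOGIN_OK user=bob src=10.0.0.7
"""

# Constructed directory state: accounts that should already be disabled in
# both AD and the MFA system. Any activity on them is worth an alert.
INACTIVE_ACCOUNTS = {"jsmith"}

FAIL_THRESHOLD = 5                  # assumed lock-out threshold
FAIL_WINDOW = timedelta(minutes=10)  # assumed window for counting failures
ENROLL_WINDOW = timedelta(hours=1)   # enrollment this soon after a burst is suspicious


def parse_line(line):
    """Turn one log line into a dict with a datetime and the key=value fields."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event, **fields}


def audit(log_text, inactive_accounts=INACTIVE_ACCOUNTS):
    """Return a list of (alert_kind, user, detail) tuples in event order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    recent_fails = defaultdict(list)  # user -> timestamps of failures inside FAIL_WINDOW
    burst_success_at = {}             # user -> time a login succeeded right after a burst

    for e in events:
        user, now = e["user"], e["ts"]
        if e["event"] == "LOGIN_FAIL":
            fails = [t for t in recent_fails[user] if now - t <= FAIL_WINDOW] + [now]
            recent_fails[user] = fails
            if len(fails) == FAIL_THRESHOLD:      # fire once when the threshold is hit
                alerts.append(("LOCKOUT_THRESHOLD", user, e["src"]))
        elif e["event"] == "LOGIN_OK":
            if len(recent_fails[user]) >= FAIL_THRESHOLD:
                alerts.append(("SUCCESS_AFTER_BURST", user, e["src"]))
                burst_success_at[user] = now
            recent_fails[user] = []
            if user in inactive_accounts:
                alerts.append(("INACTIVE_ACCOUNT_LOGIN", user, e["src"]))
        elif e["event"] == "MFA_ENROLL":
            burst = burst_success_at.get(user)
            if burst is not None and now - burst <= ENROLL_WINDOW:
                alerts.append(("MFA_ENROLL_AFTER_BURST", user, e["device"]))
            if user in inactive_accounts:
                alerts.append(("INACTIVE_ACCOUNT_MFA_ENROLL", user, e["device"]))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in audit(SAMPLE_LOG):
        print(f"{kind:28} user={user} {detail}")
```

In the sample, only the `jsmith` account trips the checks: five failures inside the window, a success immediately after, and a new MFA device enrolled two minutes later, all on an account the directory marks inactive. The single failure by `bob` followed by a success is ordinary user behaviour and produces nothing. In a real deployment the inactive-account set would come from the directory rather than a literal, and the same rules would be applied to the MFA provider's own enrollment logs as well as to domain sign-in events.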

The CISA advisory says the cyberattack targeting the NGO began as far back as May 2021. The location of the NGO and the full timespan over which the attack occurred were not specified. 

Sources: CISA, Microsoft, Venturebeat, The Register
