Hackers Breach Multifactor Authentication

Uploaded on 2022-04-08 in TECHNOLOGY--Hackers, FREE TO VIEW

Hackers  been detected exploiting Multi-Factor Authentication (MFA) default  protocols with the “PrintNightmare” vulnerability. 

State-sponsored threat actors from Russia over the last year breached a non-governmental organisation (NGO) by leveraging multifactor authentication (MFA) defaults and exploiting the PrintNightmare vulnerability in Windows Print Spooler. 

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have analysed and released a serious concern about how Russian state-sponsored actors have gained access to an NGO's network.

CISA observed regular targeting of US Security Cleared Defense Contractors (CDCs) by Russian state-sponsored cyber actors. Microsoft has assigned CVE-2021-34527 to the print spooler remote code execution vulnerability known as "PrintNightmare" and confirmed that the offending code is lurking in all versions of Windows.

The hackers were able to gain access to an NGO’s cloud and email accounts, move laterally in the organisation’s network and exfiltrate documents, according to the FBI and CISA.

The actors have targeted both large and small CDCs and subcontractors with varying levels of cyber security protocols and resources. “Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security... These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data, “says the CISA.  

As early as May 2021, the hackers gained access to the NGO’s network by guessing the password of an inactive account to enroll a new device in the organisation’s Duo MFA. 

They exploited the PrintNightmare vulnerability, which caused havoc in 2021 before being patched, to get domain administrator access and redirected DUO MFA to disable multi-factor authentication for active accounts to add even more accounts. CISA do not give the details what data was exfiltrated, but the FBI and CISA recommended what organisations should do, in addition to reminding them to “remain cognisant of the threat of state-sponsored cyber actors including:

  • Enforce MFA for all users, without exception.
  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
  • Update software, including operating systems, applications, and firmware on IT network assets in a timely manner
  • Require all accounts with password logins
  • Continuously monitor network logs for suspicious activity and unauthorised or unusual login attempts.

The CISA advisory says the cyberattack targeting the NGO began as far back as May 2021. The location of the NGO and the full timespan over which the attack occurred were not specified. 

CISA:       Microsoft:   Venturebeat:     The Register:     

You Might Also Read: 

Two-Factor Authentication Matters More Than Ever:

 

« Protecting Your Business From A Supply Chain Attack
Technology’s Impact On Cyber Security »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Virtru

Virtru

Virtru's Data Protection platform protects and controls sensitive information regardless of where it's been created, stored or shared.

Cyphercor

Cyphercor

Cyphercor is a leading smartphone and desktop-based two-factor authentication (2FA) provider.

Culinda

Culinda

Culinda secures medical IoT devices in hospitals with An Artificial Intelligence platform and security gateway.

ResponSight

ResponSight

ResponSight is a data science company focusing specifically on the challenge of measuring risk and identifying changes in enterprise/corporate networks using behavioural analytics.

GreenWorld Technologies

GreenWorld Technologies

GreenWorld has a proven track record in industry leading IT asset management, secure data destruction and remarketing.

Utility Cyber Security Forum

Utility Cyber Security Forum

The Utility Cyber Security Forum offers a focused venue in which utility executives can network one-on-one with colleagues facing issues in protecting against cyber attacks.

Secure-IC

Secure-IC

Secure-IC provide end-to-end, best-of-breed security expertise, solutions, and hardware & software technologies, for embedded systems and connected objects.

Vivitec

Vivitec

Vivitec security services are tailored for your business, industry, risk, technology, and size to ensure great protection and planned response for the inevitable cyber-attacks on your business.

Privacyware

Privacyware

Privacyware's ThreatSentry combines a state-of-the-art Web Application Firewall and port-level firewall with advanced behavioral filtering to block unwanted IIS traffic and web application threats.

US Digital Corps

US Digital Corps

The U.S. Digital Corps is a new two-year fellowship for early-career technologists where you will work every day to make a difference in critical impact areas including cybersecurity.

eCentre@LindenPointe

eCentre@LindenPointe

The eCenter@LindenPointe provides assistance to the development, management and promotion of STEM (Science, Technology, Engineering, Mathematics) related business ventures.

Lupovis

Lupovis

Lupovis is an AI-based deception solution that deploys active decoys turning your network from a flock of sheep to a pack of wolves where the hunter becomes the hunted.

Tutanota

Tutanota

Tutanota is the world’s first end-to-end encrypted mail service that encrypts the entire mailbox.

Campus cyber

Campus cyber

A project initiated by the President of the Republic, the Cyber Campus is the totem site of cybersecurity that brings together the main national and international players in the field.

Vertex Cyber Security

Vertex Cyber Security

Vertex provide Cyber Security Services to small to large businesses including Advise, Consulting, Adding Security Partnership, Penetration Testing, ISO 27001-2 and Audits.

Excite Cyber

Excite Cyber

Excite Technology Services (formerly Cipherpoint) is focused on improving the security posture of our customers.