Feds Issue Security Alert About MFA Bypass and Vulnerability Exploitation

State-sponsored Russian hackers have bypassed multi-factor authentication and exploited the PrintNightmare vulnerability in an attack on a non-governmental organization (NGO), according to a recent security alert from the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA).

The attack in question occurred in May 2021. The hackers gained a foothold in the network through a brute force attack that guessed a weak and predictable password. The hackers then identified an account that was inactive and had been removed from the multi-factor authentication system but had not been removed from Active Directory. They were able to re-enroll the account into the MFA system as if the genuine account user were doing so. Since their own device was enrolled on the MFA system, they were able to bypass MFA controls.

Next, the cyber actors exploited the PrintNightmare vulnerability to get domain administrative access, then altered the configuration of the MFA system to stop it from working. This was achieved by redirecting the Cisco Duo MFA calls to localhost rather than the Duo server. They were then able to authenticate to the virtual private network as non-administrative users, connect to Windows domain controllers via RDP, and obtain credentials for other domain accounts. They were then free to peruse the network, and they moved laterally to the cloud environment and email accounts, where they were able to exfiltrate sensitive data.

The NGO was attacked by a Russian state-sponsored hacking group, but Russian Advanced Persistent Threat actors are not the only adversaries using these tactics. There are important lessons to be learned from this attack, and mitigations that should be implemented to prevent these tactics from succeeding.

Gaining an initial foothold in the network was simple. Brute force attacks succeed because users often choose weak passwords. It can be difficult to think of a good password to use, especially as employees need to create passwords for many different accounts. Secure password generators offer a solution – they create random strings of characters that are resistant to brute force attacks. Password generators are a feature of password managers, which securely store those passwords and auto-fill them, so they never need to be remembered. A user only needs to create a long passphrase to access their password vault. If you do not yet provide a password manager to your employees, you should certainly consider making one available.

Brute force attacks involve lots of guesses at a password until the correct one is found. The fact that the brute force attack succeeded suggests there was no lock-out feature in place to kick in after a set number of failed login attempts. Ensure this is set up, and monitor logs to determine if attempts are being made to hack into accounts.

Another security failure that was exploited was not removing old, inactive accounts. These should be removed from both the MFA system and Active Directory. A review of accounts should be regularly conducted to ensure no inactive, unused accounts have been missed.
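The account review described above can be automated by reconciling a directory export against an MFA enrollment export. The following is an added example, not code from the FBI/CISA alert or from any vendor; the CSV column names, the sample accounts, and the 90-day idle threshold are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample exports; the column names are assumptions, not a vendor format.
AD_EXPORT = """username,enabled,last_logon
alice,true,2021-05-10
bob,true,2020-01-15
carol,false,2019-11-02
dave,true,2021-05-01
"""
MFA_EXPORT = """username,status
alice,active
dave,active
erin,active
"""

def load(text, key="username"):
    """Index CSV rows by lower-cased username."""
    return {row[key].strip().lower(): row for row in csv.DictReader(io.StringIO(text))}

def audit_accounts(ad_csv, mfa_csv, today, max_idle_days=90):
    """Return (username, issue) findings for directory/MFA mismatches and dormant accounts."""
    ad, mfa = load(ad_csv), load(mfa_csv)
    findings = []
    for name, row in sorted(ad.items()):
        enabled = row["enabled"].strip().lower() == "true"
        idle = (today - date.fromisoformat(row["last_logon"])).days
        if enabled and name not in mfa:
            # The gap from the alert: a live directory account with no MFA
            # enrollment, open to enrollment by whoever knows its password.
            findings.append((name, "enabled in AD, not enrolled in MFA"))
        if enabled and idle > max_idle_days:
            findings.append((name, f"enabled but idle for {idle} days"))
        if not enabled and name in mfa:
            findings.append((name, "disabled in AD, still enrolled in MFA"))
    for name in sorted(set(mfa) - set(ad)):
        findings.append((name, "enrolled in MFA, no AD account"))
    return findings

if __name__ == "__main__":
    for user, issue in audit_accounts(AD_EXPORT, MFA_EXPORT, date(2021, 5, 15)):
        print(f"{user}: {issue}")
```

Accounts flagged as both unenrolled and idle, like the constructed `bob` entry, match the profile of the account abused in this attack and should be disabled or removed first.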

Multi-factor authentication should be enforced on all accounts, but this attack shows that MFA can be bypassed if it is not set up correctly. The MFA system – in this instance it was Cisco Duo, but this applies to any MFA system – was configured to fail open. That means that if there is an issue with the system and it stops working, MFA will not be applied. While this could cause headaches, it is better to lock people out until the issue is fixed than to remove the protection MFA offers. Fail closed is much better for security. You should also review configuration policies covering re-enrollment into the MFA system.

Implementing security alerting policies for all changes to security-enabled accounts/groups, and alerting on suspicious process creation events, is also important, as these alerts will notify security teams of a potential attack in progress.

After the attackers gained a foothold in the network, they exploited an unpatched vulnerability, although other vulnerabilities could potentially be exploited to provide attackers with the access they need to the network. It is important to ensure that patches and operating system updates are applied promptly, addressing known exploited vulnerabilities first.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news