Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols

Mar 16, 2022 | Security Advisory

Summary 

Actions to Take Today to Protect Against Russian State-Sponsored Malicious Cyber Activity 

  • Immediately identify and patch software affected by the following exploitable vulnerability: “PrintNightmare” (CVE-2021-34527).

  • Implement multi-factor authentication and review configuration policies to protect against “fail open” and re-enrollment scenarios.

  • Use strong, unique passwords. 

  • Ensure inactive accounts are disabled uniformly across Active Directory and MFA systems, so that a dormant account cannot be revived through MFA re-enrollment.

CISA and the FBI have released a joint Cybersecurity Advisory describing how Russian state-sponsored cyber actors gained access to a non-governmental organization's network by taking advantage of default multifactor authentication (MFA) protocols. The actors brute-forced a guessable password for an inactive Active Directory account that had been un-enrolled from Cisco's Duo MFA but never disabled; because the default Duo policy permitted re-enrollment of dormant accounts, they registered a new device to that account and satisfied MFA themselves. They then exploited the critical “PrintNightmare” vulnerability (CVE-2021-34527) to run arbitrary code with SYSTEM privileges, redirected the Duo MFA API hostname to localhost so that authentication failed open, and used the resulting access to the organization's cloud and email accounts to exfiltrate data.

Indicators of Compromise

The threat actors modified the c:\windows\system32\drivers\etc\hosts file to point the Duo MFA API hostname at the loopback address, so the Duo client could no longer reach the Duo server. Because the deployment's “fail open” setting permits authentication when the MFA server is unreachable, this single hosts entry effectively disabled MFA for the host:

  • 127.0.0.1 api-<redacted>.duosecurity.com 

The following access device IP addresses used by the actors have been identified to date:

  • 45.32.137[.]94

  • 191.96.121[.]162

  • 173.239.198[.]46

  • 157.230.81[.]39 
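As an added example for this page (not code from the CISA/FBI advisory or from Arcane), the following Python script shows one way to hunt for the indicators above and for the “fail open” condition the recommendations warn about: it flags hosts-file entries that sinkhole a duosecurity.com hostname to a loopback or unspecified address, searches log lines for the four access-device IPs (un-defanging the `[.]` notation the advisory uses), and parses a Duo Authentication Proxy `authproxy.cfg` for server sections whose `failmode` is not `secure`. The hosts file, log lines and `authproxy.cfg` below are constructed samples; `api-example.duosecurity.com` is a placeholder, not the value the advisory redacts. The assumption that `failmode` lives in the `[radius_server_*]`/`[ldap_server_*]` sections and defaults to `safe` (fail open) when omitted is based on Duo's documentation and should be checked against your own deployment.

```python
# Added example for this advisory page (not CISA/FBI or Arcane code).
# Hunts for the two IOC types listed above and for Duo "fail open" config.
# All sample inputs below are constructed for illustration.
import configparser
import ipaddress
import re


def refang(ioc: str) -> str:
    """Turn the advisory's de-fanged '45.32.137[.]94' into '45.32.137.94'."""
    return ioc.replace("[.]", ".")


# Access-device IPs from the advisory, exactly as published (de-fanged).
IOC_IPS = {refang(ip) for ip in (
    "45.32.137[.]94", "191.96.121[.]162", "173.239.198[.]46", "157.230.81[.]39",
)}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hosts_sinkholes(hosts_text, domain_suffix="duosecurity.com"):
    """Return (line_no, address, hostname) for hosts entries that point a
    Duo hostname at a loopback or unspecified address. This is the technique
    from the advisory: the Duo client can no longer reach its API, and a
    fail-open deployment then lets the logon through without MFA."""
    findings = []
    for no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address, so not a hosts mapping
        for name in fields[1:]:
            if name.lower().endswith(domain_suffix) and (ip.is_loopback or ip.is_unspecified):
                findings.append((no, fields[0], name))
    return findings


def ioc_ip_hits(log_lines):
    """Return (line_no, ip, line) for every log line mentioning an IOC IP."""
    return [(no, ip, line)
            for no, line in enumerate(log_lines, 1)
            for ip in IPV4_RE.findall(line) if ip in IOC_IPS]


def fail_open_sections(authproxy_cfg):
    """Return Duo Authentication Proxy server sections whose failmode is not
    'secure'. Assumption: failmode is read from [radius_server_*] and
    [ldap_server_*] sections and defaults to 'safe' (fail open) when omitted."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(authproxy_cfg)
    return [s for s in cp.sections()
            if s.startswith(("radius_server", "ldap_server"))
            and cp.get(s, "failmode", fallback="safe").strip().lower() != "secure"]


# --- constructed sample inputs (not real victim data) -----------------------
SAMPLE_HOSTS = """\
# constructed hosts file; the subdomain is a placeholder, not the redacted one
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example
127.0.0.1       api-example.duosecurity.com
"""

SAMPLE_LOGS = [
    "2022-03-10T02:14:55Z vpn-gw: Accepted login for svc-backup from 45.32.137.94",
    "2022-03-10T02:15:01Z duo-proxy: auth for svc-backup from 10.0.0.44 allowed",
    "2022-03-10T02:31:07Z vpn-gw: Failed login for admin from 203.0.113.9",
    "2022-03-11T09:02:12Z mail-gw: login jdoe from 157.230.81.39 OK",
]

SAMPLE_AUTHPROXY_CFG = """\
[ad_client]
host=dc1.corp.example

[radius_server_auto]
api_host=api-example.duosecurity.com
client=ad_client
radius_secret_1=REDACTED
failmode=safe

[ldap_server_auto]
api_host=api-example.duosecurity.com
client=ad_client
failmode=secure
"""


def main():
    for no, addr, name in hosts_sinkholes(SAMPLE_HOSTS):
        print(f"hosts line {no}: {name} sinkholed to {addr}")
    for no, ip, line in ioc_ip_hits(SAMPLE_LOGS):
        print(f"log line {no}: IOC {ip} in: {line}")
    for section in fail_open_sections(SAMPLE_AUTHPROXY_CFG):
        print(f"authproxy.cfg [{section}]: failmode is not 'secure' (fails open)")


if __name__ == "__main__":
    main()
```

In a real hunt, replace the constructed samples with the contents of each host's hosts file, your VPN, mail and Duo authentication logs, and the `authproxy.cfg` from every Authentication Proxy; a loopback mapping for any duosecurity.com name is never legitimate, and a section that fails open is the precondition that made the hosts-file trick work.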

Disclaimer

The information provided in the Arcane Security Advisory is provided "as is" without warranty of any kind. Arcane disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Arcane or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Arcane or its suppliers have been advised of the possibility of such damages.

Tags: #rce #security-advisory #mfa
