Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols
Mar 16, 2022 | Security Advisory
Summary
Actions to Take Today to Protect Against Russian State-Sponsored Malicious Cyber Activity
Immediately identify and patch software affected by the following exploitable vulnerability:
“PrintNightmare” (CVE-2021-34527)
Implement multi-factor authentication and review configuration policies to protect against “fail open” and re-enrollment scenarios.
Use strong, unique passwords.
Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
Russian state-sponsored cyber actors combined the CVE-2021-34527 vulnerability with a misconfigured Cisco Duo MFA deployment to gain access to cloud and email accounts for data exfiltration. CISA and the FBI have released a joint Cybersecurity Advisory describing how Russian state-sponsored cyber actors carried out the attack by abusing misconfigured default multifactor authentication (MFA) protocols. The actors then exploited the critical “PrintNightmare” vulnerability (CVE-2021-34527) to run arbitrary code with system privileges.
Indicators of Compromise
The threat actor modified the c:\windows\system32\drivers\etc\hosts file to prevent communication with the Duo MFA server (the “fail open” scenario referred to above):
127.0.0.1 api-<redacted>.duosecurity.com
The following access device IP addresses used by the actors have been identified to date:
45.32.137[.]94
191.96.121[.]162
173.239.198[.]46
157.230.81[.]39
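As an added defensive check that is not part of the advisory, the following Python scans a Windows hosts file for static entries pinning a Duo API hostname (which would stop the MFA client reaching its service) and scans authentication log lines for the access-device IPs listed above. The sample hosts file and log lines are constructed, and the redacted API hostname is replaced with an obvious placeholder.

```python
import ipaddress
import re

# Defanged access-device IPs from the advisory; brackets are removed before matching.
ACTOR_IPS = {ip.replace("[.]", ".") for ip in (
    "45.32.137[.]94", "191.96.121[.]162", "173.239.198[.]46", "157.230.81[.]39")}

# Hostname suffixes that should never be pinned in a hosts file (assumption: Duo only).
MFA_DOMAIN_SUFFIXES = ("duosecurity.com",)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_mfa_hosts_overrides(hosts_text):
    """Return (address, hostname, is_loopback) for every hosts-file entry that
    resolves an MFA provider hostname. Any such entry overrides DNS, so it is
    suspicious regardless of the address; a loopback target matches the
    advisory's indicator exactly."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed entry, not a resolvable override
        for name in names:
            if name.lower().endswith(MFA_DOMAIN_SUFFIXES):
                hits.append((addr, name, ip.is_loopback))
    return hits


def find_actor_ip_hits(log_lines):
    """Return the log lines whose source IPs match the advisory's indicator list."""
    return [line for line in log_lines
            if any(ip in ACTOR_IPS for ip in IPV4_RE.findall(line))]


# Constructed sample hosts file; the real API hostname is redacted in the advisory.
SAMPLE_HOSTS = """# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
127.0.0.1 api-PLACEHOLDER.duosecurity.com
"""

# Constructed sample authentication log lines (not real telemetry).
SAMPLE_LOG = [
    "2022-03-01T10:00:00Z auth ok user=alice src=10.0.0.5",
    "2022-03-01T10:02:13Z auth failed user=jsmith src=45.32.137.94",
    "2022-03-01T10:02:20Z mfa enroll user=jsmith src=191.96.121.162",
]
```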
Disclaimer
The information provided in the Arcane Security Advisory is provided "as is" without warranty of any kind. Arcane disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Arcane or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Arcane or its suppliers have been advised of the possibility of such damages.
Tags: #rce #security-advisory #mfa