The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint cyber security advisory with technical details, mitigations and resources regarding the previously demonstrated ability of Russian state-sponsored cyber actors to gain network access by exploiting default multi-factor authentication (MFA) protocols and a known vulnerability in the Windows Print Spooler, “PrintNightmare”.
As early as May 2021, the Russian state-sponsored cyber actors took advantage of a misconfigured account left on default MFA protocols at a non-governmental organisation, which allowed them to enrol a new device for MFA and access the victim’s network. The actors then exploited the critical Windows Print Spooler vulnerability “PrintNightmare” (CVE-2021-34527) to run arbitrary code with SYSTEM privileges, and from there accessed cloud and email accounts to exfiltrate documents.
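The PrintNightmare half of that chain can be checked on every Windows host. The PowerShell below is an added example, not code from the article or from the CISA/FBI advisory: it reports whether the Print Spooler service is running, whether it still accepts remote RPC connections, and whether the Point and Print policy values have been weakened, and with the -Remediate switch applies Microsoft’s workaround of stopping and disabling the service on hosts that do not need to print. The registry value names are the documented Windows printing policy values; the -Remediate switch and the report layout are this example’s own, and the script does not verify that the CVE-2021-34527 update itself is installed, so it complements patch reporting rather than replacing it.

```powershell
# Added example (not from the CISA/FBI advisory or the article): audit a Windows host
# for Print Spooler exposure related to CVE-2021-34527 and, optionally, apply
# Microsoft's workaround of disabling the Spooler where printing is not needed.
# Assumptions: run elevated on Windows 10 / Server 2016 or later with PowerShell 5.1+.
# Patch level is NOT checked here; pair this with your normal update reporting.

[CmdletBinding()]
param(
    # Stop and disable the Spooler service when set (only on hosts that do not print)
    [switch]$Remediate
)

$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointAndPrint  = Join-Path $printersPolicy 'PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent so "unset" is handled explicitly below
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PrintSpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $findings = New-Object System.Collections.Generic.List[string]

    if ($null -eq $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; SpoolerPresent = $false; Findings = @() }
    }

    # Inbound RPC: 2 means remote clients are refused (the "disable inbound remote printing" workaround)
    $remoteRpc = Get-PolicyValue $printersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
    # 0 re-enables non-admin driver installation; with the August 2021 updates the unset default is admin-only
    $restrict  = Get-PolicyValue $pointAndPrint 'RestrictDriverInstallationToAdministrators'
    # These two, when set to 1, suppress the elevation prompt and warnings on driver install/update
    $noWarn    = Get-PolicyValue $pointAndPrint 'NoWarningNoElevationOnInstall'
    $noPrompt  = Get-PolicyValue $pointAndPrint 'UpdatePromptSettings'

    if ($svc.Status -eq 'Running') {
        $findings.Add("Spooler is running (start type: $($svc.StartType)); disable it if this host does not print.")
    }
    if ($svc.Status -eq 'Running' -and $remoteRpc -ne 2) {
        $findings.Add("Spooler accepts remote RPC connections (RegisterSpoolerRemoteRpcEndPoint is '$remoteRpc', expected 2).")
    }
    if ($restrict -eq 0) {
        $findings.Add("RestrictDriverInstallationToAdministrators is 0: non-admins may install printer drivers.")
    }
    if ($noWarn -eq 1) {
        $findings.Add("NoWarningNoElevationOnInstall is 1: driver installs skip the elevation prompt.")
    }
    if ($noPrompt -eq 1) {
        $findings.Add("UpdatePromptSettings is 1: driver updates skip the prompt.")
    }

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        SpoolerPresent = $true
        SpoolerStatus  = [string]$svc.Status
        SpoolerStart   = [string]$svc.StartType
        Findings       = $findings.ToArray()
    }
}

function Disable-PrintSpooler {
    # Microsoft's documented workaround for CVE-2021-34527 on hosts that do not need printing
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled -ErrorAction Stop
}

$report = Test-PrintSpoolerExposure
$report | Format-List

if ($Remediate -and $report.SpoolerPresent -and $report.SpoolerStatus -eq 'Running') {
    Disable-PrintSpooler
    Write-Host "Spooler stopped and disabled on $($report.Host)."
}
```

Run it without -Remediate first and review the Findings list; on print servers and other hosts that must keep spooling, set RegisterSpoolerRemoteRpcEndPoint and the Point and Print values through Group Policy rather than disabling the service, and keep the CVE-2021-34527 update in place regardless, since the workaround reduces exposure but does not fix the underlying bug.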
This advisory, titled “Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multi-factor Authentication Protocols and ‘PrintNightmare’ Vulnerability”, provides observed tactics, techniques and procedures (TTPs); indicators of compromise (IOCs); and mitigation recommendations. The FBI and CISA urge all organisations to take immediate action to protect against this malicious activity and apply recommended mitigations such as:
According to CISA director Jen Easterly, the agency remains a strong believer in multi-factor authentication.
“It remains one of the most effective measures individuals and organisations can take to reduce their risk to malicious cyber activity,” Easterly said.
“This advisory demonstrates the imperative that organisations configure MFA properly to maximise effectiveness.
“Now, more than ever, organisations must put their shields up to protect against cyber intrusions, which means applying the mitigations in this advisory including enforcing MFA for all users without exception, patching known exploited vulnerabilities, and ensuring MFA is implemented securely.”
FBI Cyber Division assistant director Bryan Vorndran added that the FBI, alongside federal and international partners, will continue to pursue cyber actors who engage in this type of targeted malicious activity: unauthorised access to networks and exfiltration of data.
“We encourage organisations who may have experienced this type of exploitation to report to the FBI and/or CISA and provide us with additional information so we can continue to deter and disrupt nation-state actors,” Vorndran said.
“The FBI will not tolerate this type of criminal activity and we will use all of the tools in our tool belt to combat this threat.”
CISA has updated the Shields Up webpage to include new services and resources, recommendations for corporate leaders and chief executive officers, and actions to protect critical assets.
Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organisations against these threats.