A joint cybersecurity advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warns that state-backed Russian hackers are actively exploiting a combination of MFA configuration vulnerabilities and the documented “PrintNightmare” exploit to penetrate networks and exfiltrate files and emails.
The advisory warns that this has been going on since May 2021 and highlights the importance of proper MFA configuration, and of regularly disabling inactive accounts.
Russian hackers break in via MFA configuration oversights
The technique used by the Russian hackers involves taking advantage of accounts that have errant MFA configurations, enabling them to enroll a new device in the system. Via that device, the attackers then leverage the “PrintNightmare” (CVE-2021-34527) exploit to execute arbitrary code and gain system access. The Russian hackers have been using this approach to steal files and access email accounts without being detected.
PrintNightmare is the critical Windows print spooler vulnerability that appeared in mid-2021 and that impacts nearly every version of the operating system ever released, causing Microsoft to go as far back as Windows 7 and Windows Server 2012 in issuing patches for it. The Windows printer manager (spoolsv.exe) can be manipulated to execute code with system-level privileges by any authenticated user that can reach it; the attacker can then gain access to the organizational Active Directory, essentially giving them free run of a Windows system.
According to the advisory, the first documented incidence of the Russian hackers making use of this MFA configuration-PrintNightmare technique was an attack on an unspecified NGO in May 2021. The attackers were in possession of compromised credentials from an inactive but valid account that reportedly had a “simple and predictable” password that was obtained via brute force guessing. The organization’s Duo MFA allowed for re-enrollment of a new device on this account, which was used to obtain a low-level authentication sufficient to make the PrintNightmare attack work.
Key to this approach is the “fail open” policy that some MFA implementations have, which instructs them to validate a login if the MFA server proves to be unreachable. Though Duo happened to be the one in place for this attack, “fail open” is possible with any type of MFA implementation.
Aaron Turner, Vice President of SaaS Posture at Vectra, advises entirely against any type of third party MFA provider (such as Duo): “Dating back to the March 2020 Dark Halo attacks, the Russians have shown that they have developed significant capabilities to bypass MFA when it is poorly implemented or operated in a way that allows attackers to compromise material pieces of cloud identity supply chains. This latest advisory shows that organizations who implemented MFA as a ‘check the box’ compliance solution are seeing the MFA vulnerability exploitation at scale. Dating back to the NSA’s December 2020 advisory, organizations have been put on notice that they should eliminate the use of 3rd party identity providers for critical systems. Duo is a 3rd party identity provider. Any organization that is not actively eliminating 3rd party identity providers from their cloud identity supply chains is going to run into increasing problems … As the NSA paper outlines, organizations should immediately disable all 3rd party identity providers from systems that host material identities and information. If that cannot be done for the general user population, it should be done for all privileged identities. Also, it is important to avoid the use of mobile authenticator apps for privileged identities. The race condition that mobile authenticators create is one that most security and mobile device management teams are not ready to handle because mobile device hygiene is so difficult. Using Yubikeys should be the de-facto standard for all privileged identities in cloud platforms.”
Mitigating the MFA/PrintNightmare attack
CISA is advising three primary mitigation measures to keep the Russian hackers at bay: review and enforce MFA configuration policies to ensure “fail open” and device re-enrollment are not possible, disable active accounts uniformly across the Active Directory and MFA systems, and keep up with security patching (especially those patches that address high-profile exploited vulnerabilities).
Other recommendations include enforcing MFA for all users without exception, ensure time-out and lock-out features are in place to counteract brute force and other password guessing attempts, require strong and unique passwords that are not reused, and implement security alerting policies for all changes to security-enabled accounts/groups and suspicious process creation events.
Some special recommendations were made for remote work environments: multi-factor authentication with physical security tokens or authenticator applications, monitoring of network traffic for unapproved and unexpected protocols, discontinuing unused VPN servers that are likely to be targeted by attackers, and regular updating and patching of devices and VPNs.
On the remote work front, Bud Broomhead (CEO at Viakoo) notes that MFA is increasingly being defeated by SIM swapping making both employee awareness and enhanced authentication features a major factor in shutting down these sorts of attacks: “Expect to see more of this type of attack vector. SIM swapping is enabling more exploits to happen despite MFA being set up properly on devices that support MFA. Many IoT devices lack multi-factor authentication, making it critically important that organizations have a strategy for enforcing corporate password policies across their fleets of IoT devices, including regular password rotations, complex passwords being used, and coordinate of passwords with the applications using IoT devices. Extending zero trust initiatives to include IoT devices is highly recommended to address the lack of MFA in many IoT devices.”
Corey O’Connor, Director of Products at DoControl, points out that this is also an opportunity to review access controls as MFA configuration is being addressed: “Access controls are a critical mitigation strategy that should not be overlooked. The detection and prevention of data exfiltration would be reduced through granular access controls wrapped around business critical applications that contain sensitive data and files. If MFA becomes compromised, there is still a lifeline through least privilege policy enforcement to minimize the access to that sensitive data. Potentially malicious or high-risk activity can be detected if the files are being accessed by unknown IP addresses, or other parameters that present high levels of risk.”
Needless to say, Windows systems should also be immediately secured by applying the PrintNightmare patches issued by Microsoft. However, these only date back to Windows 7. While older versions of Windows are incredibly dated at this point (and saw support end a decade or more ago), there are nevertheless legacy systems that continue to use versions such as XP and Vista here and there. If these systems do not require connections to printers, some sites suggest that the PrintNightmare vulnerability could be mitigated simply by entirely disabling or removing the Print Spooler service.
While CISA and other defense agencies are not currently advising a specific cyber threat to the US homeland related to the Ukraine war, state-backed Russian hackers are known to probe American government agencies and private companies as a routine matter of espionage. Previous advisories have suggested that US defense contractors are currently a target of interest to these groups, as are US companies that support elements of critical infrastructure.