The FBI and CISA issued a joint cybersecurity advisory this week warning organizations that Russian state-sponsored threat actors gained access to an unnamed organization’s network by exploiting default multifactor authentication (MFA) configuration settings in conjunction with CVE-2021-34527 (PrintNightmare), which let them run arbitrary code with system-level privileges. The threat actors have been taking advantage of default Cisco Duo MFA configurations since as early as May 2021.
According to Duo, once the threat actors gained administrative access to a Windows domain controller, they changed the two-factor authentication (2FA) configuration so that 2FA could be bypassed, then used the affected accounts to reach cloud storage services and email and exfiltrate documents. After the discovery, Duo released a public service announcement addressing the issue.
“This scenario did not leverage or reveal a vulnerability in Duo software or infrastructure but made use of a combination of configurations in 2FA (in this case Duo 2FA) and Windows native authentication workflows. This scenario can be mitigated through a policy configuration in Duo’s Admin. Duo recommends reviewing your configuration to make sure it meets your current business and security needs.” – Iva Blazina Vukelja (Senior Director of Product Management at Duo and Zero Trust)
CISA reported that the FBI observed threat actors gain access to a non-governmental organization (NGO), take advantage of default MFA configuration settings, and move laterally into the NGO’s cloud environment. After obtaining initial access with valid credentials (recovered by brute-force password guessing), the threat actors enrolled a new device in the victim’s Duo MFA. The compromised account had been un-enrolled from Duo after a long period of inactivity, but it had not been disabled in Active Directory. Because Duo’s default configuration allows a dormant account to re-enroll a new device, the threat actors were able to enroll their own device, satisfy the authentication requirements, and gain access to the victim’s network.
Basic security hygiene closes this gap: an account that is un-enrolled from MFA for inactivity must also be disabled (or removed) in Active Directory, and the MFA policy should not let a dormant or unknown user self-enroll a new device. Disabling inactive accounts across Active Directory and MFA systems is a baseline control that any organization can implement.
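As an added, illustrative example (not code from the Avertium post or from the CISA/FBI advisory), the following PowerShell finds Active Directory user accounts that have been inactive beyond a threshold and disables them, which removes the dormant-but-enabled accounts that made the re-enrollment described above possible. It assumes the RSAT ActiveDirectory module is installed and the caller has rights to modify users; the 90-day threshold, the exclusion list and the dry-run default are assumptions to adjust for your environment.

```powershell
# Added example: disable AD user accounts that have been inactive past a threshold.
# Assumptions: RSAT ActiveDirectory module available; caller may modify users;
# the threshold and exclusion list below are illustrative.
Import-Module ActiveDirectory

$InactiveFor = New-TimeSpan -Days 90          # illustrative threshold
$Exclude     = @('krbtgt', 'Administrator')   # illustrative never-touch list
$DryRun      = $true                          # set to $false to actually disable accounts
$Cutoff      = (Get-Date).Subtract($InactiveFor)

# Search-ADAccount evaluates lastLogonTimestamp, which replicates lazily (up to ~14 days),
# so the threshold is approximate. It can also return accounts that have never logged on
# (LastLogonDate empty), including freshly created ones, hence the whenCreated check below.
$candidates = Search-ADAccount -AccountInactive -TimeSpan $InactiveFor -UsersOnly |
    Where-Object { $_.Enabled -and ($Exclude -notcontains $_.SamAccountName) }

foreach ($c in $candidates) {
    $u = Get-ADUser -Identity $c.DistinguishedName -Properties LastLogonDate, whenCreated, Description
    if ($u.whenCreated -gt $Cutoff) { continue }   # new account awaiting first logon; skip

    $lastSeen = if ($u.LastLogonDate) { $u.LastLogonDate.ToString('u') } else { 'never' }
    if ($DryRun) {
        Write-Output "[DRY RUN] would disable $($u.SamAccountName) (last logon: $lastSeen)"
        continue
    }
    # Record why the account was disabled, then disable it. Leaving it enabled is exactly
    # the gap the advisory describes: an MFA-unenrolled but AD-enabled account an attacker
    # can claim by enrolling a new device.
    Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format u): inactive since $lastSeen"
    Disable-ADAccount -Identity $u
    Write-Output "Disabled $($u.SamAccountName) (last logon: $lastSeen)"
}
```

Run it with the dry-run flag first and review the list, since service accounts and shared mailboxes often look dormant. This handles the Active Directory half of the problem only; the Duo half, not allowing a dormant or unknown user to enroll a new device, is the policy configuration in the Duo Admin Panel that the Duo statement above refers to, and both need to be in place.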
To mitigate this weakness, Avertium encourages you to follow cyber security best practices to keep your organization safe. CISA and the FBI recommend the following:
Network Best Practices
Remote Work Environment Best Practices
User Awareness Best Practices