Agencies warn of Russian hacker threat on MFA

New warnings have been issued by US Federal agencies about the increased threat of Russian cyber attackers. The latest warning pertains to multi-factor authentication. Please read on for more details.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new security alert in conjunction with the FBI. It highlights the experience of a non-governmental organisation (NGO) which fell victim to Russian hackers.

The hackers exploited default multi-factor authentication (MFA) settings and then used the “PrintNightmare” bug which exploits a vulnerability in Windows print spooler. In this way, they were able to access the NGO’s cloud and email accounts. They then moved laterally over the network to exfiltrate documents.

The Russian hacking threat via MFA

CISA’s announcement explained the attackers’ approach. The NGO was using the “Duo” multi-factor authentication management tool. A user account had been un-enrolled from Duo following a long period of inactivity. However, that user account had not been disabled in Active Directory.

Because Duo’s default configuration settings allow for the re-enrolment of a new device for dormant accounts, the actors were able to enrol a new device for the account, complete the authentication requirements and obtain access to the victim network.

The hackers then used the compromised account to exploit a known Windows vulnerability.

The hackers exploited a known vulnerability

Once the Russian hackers had compromised the user account, they used it to exploit the known Windows print spooler. Although Microsoft released a fix for this vulnerability in the summer of 2021, the NGO had failed to act. This left it open to attack.

CISA explained, “Russian state-sponsored cyber actors performed privilege escalation via exploitation of the ‘PrintNightmare’ vulnerability (CVE-2021-34527) to obtain administrator privileges. The actors also modified a domain controller file, c:\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost instead of the Duo server. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to ‘Fail open’ if the MFA server is unreachable. Note: ‘fail open’ can happen to any MFA implementation and is not exclusive to Duo.”

What could have helped to prevent the attack?

It’s clear that there are two very important precautions that could have helped prevent the hackers being successful.

• Do not rely on default configurations when installing any software or hardware onto your network.

• Always update software and operating systems as soon as you can. Have a process (ideally an automated process) for making sure this happens in a timely and comprehensive way.

Multi-factor authentication is an important tool for protecting your devices and network from unauthorised access. However, organisations must set up MFA correctly and properly enable and enforce it.

The original vulnerability in this attack arose because of the default settings of the MFA tool used by the organisation. The settings should have been amended to prevent “fail open”. If your IT administrators aren’t familiar with a tool when implementing it, it is always useful to get advice first – either from the vendor itself or from an expert third party (such as Grant McGregor).

The importance of good user management

Another important element of cyber security that this attack highlights is the need for a clearly defined and comprehensive leavers policy. This must be adhered to fully. And it must relate not only to user administration but also to all devices and hardware given network access.

Here, the user had been de-enrolled from the MFA software, but not Active Directory – giving the hackers another “in”.

If you aren’t sure about how to manage network access and user rights, you can find some essential information in our blogs about two-factor authentication, best practice in user account management and how to secure your network peripherals.

Advice from CISA & the FBI and advice from the NCSC

In response to the attack on the NGO, CISA and the FBI highlighted a number of actions that organisations must take. This included:

• Enforce MFA for all users – without exception

• Make sure your MFA is set up correctly – to prevent “fail open” and re-enrolment

• Disable inactive accounts – on all relevant systems, including Active Directory

• Update software – especially when there are known security flaws

• Monitor network logs for unusual activity

• Automate network monitoring where possible and apply alerts

Earlier this year, the UK’s National Cyber Security Centre added its voice to the warnings about state-sponsored cybercrime. At the time, it reiterated the need to:

• Patch all systems

• Prioritise the patching of vulnerabilities that are known to have been exploited

• Implement multi-factor authentication

• Use anti-virus software

What next?

If you are concerned that your organisation may be vulnerable in any of the scenarios discussed in this article, please reach out to our team. We are always happy to offer advice.

You can reach us on: 0808 164 4142 or better yet, book yourself a 15 minute security chat...

If you know that you are vulnerable, please take action immediately – whether that is to check the settings of your MFA, review network devices and user accounts, or to patch and update all systems.

You’ll also find valuable advice about how you can protect your organisation against the Russian threat on our blog.

Did you know that the NCSC recently updated the Cyber Essentials scheme to more closely reflect the new threat landscape? You can also discover the full details about this on our blog.