Russia State-Sponsored Hackers Used Misconfigured MFA to Breach NGO

Published: 23/11/2024   Category: security




FBI and CISA warn of an attack that abused a multifactor authentication account and then exploited the PrintNightmare vulnerability.



Russian nation-state hackers last spring capitalized on a misconfigured Cisco Duo multifactor authentication (MFA) account at a nongovernment organization and enrolled their own device in MFA to infiltrate the victim's network, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned this week in a joint advisory.
The attackers initially brute-forced their way to a set of user credentials that had been removed from the organization's MFA. They created a rogue account and then used it to exploit a known Windows Print Spooler vulnerability, aka PrintNightmare (CVE-2021-34527), to run their code with privileged user access, and were then able to reach cloud and email accounts and steal documents.
"Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via brute-force password guessing attack [T1110.001], allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network," the advisory says.
The FBI and CISA recommend reviewing MFA policies to prevent such a re-enrollment action, confirming that inactive accounts are disabled in Active Directory and MFA systems, and making sure all software is updated, patched, and not prone to known flaws.
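The two account-hygiene recommendations above can be turned into a routine check. The following is an added example, not code from the advisory, the article, or Cisco: it correlates a simplified Active Directory export with a constructed, simplified Duo-style authentication log to (1) list accounts that are still enabled in AD despite being dormant and (2) flag new MFA device enrollments for accounts that showed no activity for a long period, which is the pattern the advisory describes. The log field names, the 90-day threshold, the reference date and every sample record are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

DORMANT_DAYS = 90  # threshold assumed for this example; pick the value your policy uses

# Constructed reference time so the example runs deterministically offline.
NOW = datetime(2021, 5, 20, tzinfo=timezone.utc)

# Constructed, simplified AD export (sAMAccountName, enabled flag, last logon).
AD_USERS = [
    {"sam": "jdoe",        "enabled": True,  "last_logon": "2021-05-19T08:00:00Z"},
    {"sam": "svc_old",     "enabled": True,  "last_logon": "2020-11-01T01:00:00Z"},
    {"sam": "contractor1", "enabled": False, "last_logon": "2020-10-15T12:00:00Z"},
]

# Constructed, simplified Duo-style authentication log, one JSON object per line.
# Field names loosely follow Duo's authentication log but are assumptions here.
DUO_LOG = """\
{"timestamp": "2021-05-18T02:11:09Z", "event_type": "enrollment", "user": "svc_old", "access_device": {"ip": "203.0.113.7"}}
{"timestamp": "2021-05-18T02:12:40Z", "event_type": "authentication", "result": "success", "user": "svc_old", "factor": "duo_push", "access_device": {"ip": "203.0.113.7"}}
{"timestamp": "2021-05-19T08:00:02Z", "event_type": "authentication", "result": "success", "user": "jdoe", "factor": "duo_push", "access_device": {"ip": "198.51.100.20"}}
"""


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_duo_log(text: str) -> list[dict]:
    """Parse JSON-lines log text into event dicts, each with a parsed 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = parse_ts(event["timestamp"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def dormant_enabled_accounts(users, now=NOW, dormant_days=DORMANT_DAYS) -> list[str]:
    """Accounts still enabled in AD whose last logon is older than the threshold.

    These are the accounts the advisory says should have been disabled.
    """
    cutoff = now - timedelta(days=dormant_days)
    return [u["sam"] for u in users if u["enabled"] and parse_ts(u["last_logon"]) < cutoff]


def suspicious_enrollments(users, log_text, dormant_days=DORMANT_DAYS) -> list[dict]:
    """Flag MFA device enrollments for accounts with no recent activity.

    For each enrollment event, the most recent prior activity is the later of the
    AD last logon and the last successful Duo authentication before the
    enrollment. If that gap is at least dormant_days (or there is no activity on
    record at all), the enrollment matches the dormant-account re-enrollment
    pattern and is reported.
    """
    ad_by_user = {u["sam"]: u for u in users}
    events = parse_duo_log(log_text)
    findings = []
    for event in events:
        if event.get("event_type") != "enrollment":
            continue
        user = event["user"]
        candidates = [
            e["ts"] for e in events
            if e["user"] == user and e.get("event_type") == "authentication"
            and e.get("result") == "success" and e["ts"] < event["ts"]
        ]
        if user in ad_by_user:
            candidates.append(parse_ts(ad_by_user[user]["last_logon"]))
        gap_days = (event["ts"] - max(candidates)).days if candidates else None
        if gap_days is None or gap_days >= dormant_days:
            findings.append({
                "user": user,
                "enrolled_at": event["timestamp"],
                "days_dormant": gap_days,
                "ad_enabled": ad_by_user.get(user, {}).get("enabled"),
                "source_ip": event.get("access_device", {}).get("ip"),
            })
    return findings


if __name__ == "__main__":
    print("Enabled but dormant AD accounts:", dormant_enabled_accounts(AD_USERS))
    for finding in suspicious_enrollments(AD_USERS, DUO_LOG):
        print("Suspicious enrollment:", finding)
```

The enrollment check deliberately uses the activity visible before the enrollment rather than the current AD record, because once an intruder logs on with the account its last-logon attribute is refreshed and the dormancy is no longer visible from AD alone. In practice the AD export would come from Get-ADUser or Search-ADAccount and the log from the Duo Admin API; the fix the advisory asks for is to disable the dormant accounts this reports in both AD and Duo and to change the Duo policy so dormant accounts cannot self-enroll a new device.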
