The FBI and Cybersecurity and Infrastructure Security Agency (CISA) detailed how Russian state-sponsored actors gained access to a non-governmental organization’s (NGO) network as a warning to others.
In the March 15 alert, CISA provided observed tactics and procedures, indicators of compromise, and recommendations to protect against Russian state-sponsored cyber activity.
As early as May 2021, the Russian cyber actors gained access to the NGO’s network by guessing the password of an inactive account and using it to enroll a new device in the organization’s Duo MFA. They then exploited the PrintNightmare vulnerability, which caused havoc in 2021, to obtain domain administrator access, and redirected Duo MFA to disable multi-factor authentication for active accounts so they could add even more accounts. From there, the threat actors moved laterally to cloud storage and email accounts.
The alert didn’t detail what data, if any, was exfiltrated, but the FBI and CISA did recommend steps organizations should take, in addition to reminding them to “remain cognizant of the threat of state-sponsored cyber actors exploiting default MFA protocols and exfiltrating sensitive information.” The recommendations include:
- Enforce MFA for all users, without exception.
- Implement time-out and lock-out features in response to repeated failed login attempts.
- Ensure inactive accounts are disabled uniformly across Active Directory, MFA systems, etc.
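The three recommendations above map directly onto checks a defender can automate: find accounts that are still enabled despite long inactivity, find enabled accounts with no MFA device enrolled (the gap the intrusion described above relied on), and confirm that bursts of failed logons would have triggered a lockout. The following Python is an added example, not code from the CISA/FBI alert or the article: it works on a constructed Active Directory account export, a constructed MFA enrollment list, and constructed authentication log lines. The field names, the log line format, the 90-day inactivity limit and the 5-failures-in-10-minutes lockout rule are all assumptions chosen for illustration.

```python
"""Account-hygiene checks for the three alert recommendations.

All inputs below are constructed sample data, not from the alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed AD export: one row per account (assumed field names).
AD_ACCOUNTS = [
    {"sam": "alice",     "enabled": True,  "last_logon": "2022-03-10T08:15:00Z"},
    {"sam": "bob",       "enabled": True,  "last_logon": "2021-01-04T17:02:00Z"},  # dormant, never disabled
    {"sam": "svc-print", "enabled": True,  "last_logon": "2022-03-11T02:00:00Z"},
    {"sam": "carol",     "enabled": False, "last_logon": "2020-11-20T09:00:00Z"},  # correctly disabled
]

# Constructed MFA enrollment export: users with at least one device enrolled.
# "bob" is enabled in AD but has no device, so MFA is not actually enforced for him.
MFA_ENROLLED = {"alice", "svc-print"}

# Constructed authentication log lines (assumed format).
SAMPLE_LOG = [
    "2022-03-15T03:00:01Z auth_failed user=bob src=203.0.113.5",
    "2022-03-15T03:00:09Z auth_failed user=bob src=203.0.113.5",
    "2022-03-15T03:00:20Z auth_failed user=bob src=203.0.113.5",
    "2022-03-15T03:00:31Z auth_failed user=bob src=203.0.113.5",
    "2022-03-15T03:00:44Z auth_failed user=bob src=203.0.113.5",
    "2022-03-15T03:01:02Z auth_failed user=bob src=203.0.113.5",
    "2022-03-15T08:12:00Z auth_failed user=alice src=198.51.100.7",
    "2022-03-15T08:12:30Z auth_ok user=alice src=198.51.100.7",
]

NOW = datetime(2022, 3, 15, tzinfo=timezone.utc)
LOG_RE = re.compile(r"^(?P<ts>\S+) auth_failed user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_stale_enabled(accounts, now, max_idle_days):
    """Enabled accounts whose last logon is older than max_idle_days (recommendation 3)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a["sam"] for a in accounts
                  if a["enabled"] and parse_ts(a["last_logon"]) < cutoff)


def find_mfa_gaps(accounts, enrolled):
    """Enabled accounts with no MFA device enrolled (recommendation 1).

    An enabled account without an enrolled device is exactly the state an
    attacker who guesses its password can turn into a device enrollment."""
    return sorted(a["sam"] for a in accounts
                  if a["enabled"] and a["sam"] not in enrolled)


def find_lockout_candidates(log_lines, threshold, window_minutes):
    """Users with >= threshold failed logons inside any window_minutes span (recommendation 2).

    Any user returned here should have been locked out by policy; if the
    account kept accepting attempts, the lockout control is not working."""
    failures = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a failure event; ignore
        failures[m["user"]].append(parse_ts(m["ts"]))

    window = timedelta(minutes=window_minutes)
    flagged = set()
    for user, times in failures.items():
        times.sort()
        # Slide over the sorted failures: if the threshold-th failure after
        # index i lands inside the window, the burst exceeded the policy.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged


def hygiene_report(accounts=AD_ACCOUNTS, enrolled=MFA_ENROLLED, log_lines=SAMPLE_LOG, now=NOW):
    """Run all three checks and return the findings as one dict."""
    return {
        "stale_enabled": find_stale_enabled(accounts, now, 90),
        "mfa_gaps": find_mfa_gaps(accounts, enrolled),
        "lockout_exceeded": sorted(find_lockout_candidates(log_lines, 5, 10)),
    }


if __name__ == "__main__":
    for check, names in hygiene_report().items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

On the constructed data every check points at the same account: "bob" is enabled but dormant, has no MFA device, and absorbed six failed logons in about a minute without being locked out. Reconciling the AD export against the MFA export is the part worth running regularly, since disabling an account in one system but not the other is what leaves the enrollment gap open.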