FBI and CISA warn that Russian state-sponsored cyber actors gained network access by exploiting default MFA configurations and the PrintNightmare vulnerability, enabling document exfiltration from an NGO via compromised credentials and MFA bypass. The advisory outlines observed tactics, IOCs, and mitigations with emphasis on enforcing MFA, patching known flaws, and strengthening monitoring. #PrintNightmare #CVE-2021-34527 #DuoMFA #RussianStateSponsored #NGO #FBI #CISA
Keypoints
- The actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization’s Duo MFA.
- Privilege escalation was achieved via exploiting the PrintNightmare vulnerability (CVE-2021-34527) to obtain administrator privileges.
- The actors modified the authentication flow by editing the domain controller's hosts file so that Duo MFA calls were redirected to localhost instead of the Duo server; because Duo for Windows defaults to "fail open" when the MFA server is unreachable, this effectively disabled MFA for active domain accounts.
- Once MFA was bypassed, the group authenticated to the VPN and established RDP connections to Windows domain controllers to move laterally and obtain more credentials.
- With MFA disabled for compromised accounts, the actors moved laterally to cloud storage and email accounts to exfiltrate documents.
- Indicators of compromise include specific processes (ping.exe, regedit.exe, rar.exe, ntdsutil.exe), a modified hosts file (c:\windows\system32\drivers\etc\hosts), and several IP addresses associated with the activity.
MITRE Techniques
- [T1078] Valid Accounts – The actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization’s Duo MFA. “gained initial access to the victim organization via compromised credentials [T1078] and enrolling a new device in the organization’s Duo MFA.”
- [T1133] External Remote Services – Once MFA was bypassed, the actors authenticated to the victim's VPN as non-administrator users and made RDP connections to Windows domain controllers, using these externally reachable services for access and persistence.
- [T1556] Modify Authentication Process – The actors modified the authentication flow by redirecting MFA calls to localhost. “redirecting Duo MFA calls to localhost instead of the Duo server [T1556].”
- [T1068] Exploitation for Privilege Escalation – Exploitation of the PrintNightmare vulnerability to obtain administrator privileges. “exploitation of the “PrintNightmare” vulnerability (CVE-2021-34527) [T1068] to obtain administrator privileges.”
- [T1112] Modify Registry – Defense evasion via registry modification. “Modify Registry [T1112].”
- [T1110.001] Brute Force: Password Guessing – Credential access via brute-force password guessing. “Brute-force password guessing attack [T1110.001].”
- [T1003.003] OS Credential Dumping: NTDS – Credential access via NTDS dump. “OS Credential Dumping: NTDS [T1003.003].”
- [T1018] Remote System Discovery – Discovery via remote system enumeration. “Remote System Discovery [T1018].”
- [T1021.001] Remote Desktop Protocol – Lateral movement via RDP connections to domain controllers. “Remote Desktop Protocol (RDP) connections to Windows domain controllers.”
- [T1560.001] Archive Collected Data: Archive via Utility – Data collection and exfiltration using archive utilities. “Archive Collected Data: Archive via Utility [T1560.001].”
Indicators of Compromise
- [Process] ping.exe – Connectivity testing (ICMP echo request/reply) used for host discovery; note that although the advisory describes it as a "TCP/IP Ping command", ping uses ICMP, not TCP. Example: “ping.exe – A core Windows Operating System process used to perform the Transmission Control Protocol (TCP)/IP Ping command; used to test network connectivity to a remote host [T1018] and is frequently used by actors for network discovery [TA0007].”
- [Process] regedit.exe – Registry editor access. Example: “regedit.exe – A standard Windows executable file that opens the built-in registry editor [T1112].”
- [Process] rar.exe – Data archiving utility used in data handling. Example: “rar.exe – A data compression, encryption, and archiving tool [T1560.001].”
- [Process] ntdsutil.exe – AD DS management tool possibly used for enumeration. Example: “ntdsutil.exe – A command-line tool that provides management facilities for Active Directory Domain Services. It is possible this tool was used to enumerate Active Directory user accounts [T1003.003].”
- [File/Host] c:\windows\system32\drivers\etc\hosts – Modified hosts file to bypass MFA checks. Example: “modified the domain controller file, c:\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost …”
- [IP Address] 45.32.137[.]94, 191.96.121[.]162, 173.239.198[.]46, 157.230.81[.]39 – IP addresses (defanged) that the advisory associates with the actors' activity.
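The hosts-file tampering described in the key points and listed as an indicator above can be checked with a short script. The following is an added example and is not code from the advisory, CISA, or Duo: it parses hosts-file text and flags any hostname pinned to a loopback address, generalizing the Duo case to any redirect of that kind (it also flags 0.0.0.0 sinkhole entries, which have the same effect of making a server unreachable). The sample hosts content and the hostname api-example.duosecurity.com are constructed for the example; the .duosecurity.com suffix for Duo's cloud API hosts is an assumption taken from Duo's public documentation, not from the advisory.

```python
import ipaddress

# Constructed sample of a Windows hosts file after the tampering the advisory
# describes: the (placeholder, not real) Duo API hostname is pinned to loopback,
# so the Duo client can never reach Duo and a fail-open policy lets logons through.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
10.0.0.5   fileserver.corp.example
127.0.0.1  api-example.duosecurity.com
::1        api-example.duosecurity.com   # IPv6 pin added by the attacker
"""

# Names that legitimately resolve to loopback and should not raise an alert.
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
}

# Suffix of Duo's cloud API hostnames (assumption from Duo's public docs).
MFA_SUFFIXES = (".duosecurity.com",)


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments
    and malformed lines. One address may carry several names."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not an address; skip the line
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def find_loopback_redirects(text):
    """Flag hostnames mapped to a loopback (127/8, ::1) or unspecified
    (0.0.0.0, ::) address. MFA vendor hosts are rated high because, under a
    fail-open policy, an unreachable MFA server silently disables MFA."""
    findings = []
    for ip, name in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        if name in BENIGN_LOOPBACK_NAMES:
            continue
        severity = "high" if name.endswith(MFA_SUFFIXES) else "medium"
        findings.append({"ip": str(ip), "host": name, "severity": severity})
    return findings


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; on a real domain controller
    # read C:\Windows\System32\drivers\etc\hosts instead.
    for finding in find_loopback_redirects(SAMPLE_HOSTS):
        print(f"{finding['severity'].upper():6} {finding['ip']:<10} {finding['host']}")
```

Run this against the hosts file on every domain controller and on any other host running the Duo Windows client. A high-severity finding reproduces the advisory's technique exactly: the MFA vendor's API host resolves to the machine itself, and if the client is configured to fail open, every logon on that host proceeds without a second factor. Baselining the hosts file and alerting on any change to it, together with setting the MFA client to fail closed, covers both halves of the bypass the advisory describes.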
Read more: https://www.cisa.gov/uscert/ncas/alerts/aa22-074a