Russia-linked attackers breach NGO by exploiting MFA, PrintNightmare vuln

PrintNightmare (CVE-2021-34527) is a remote code execution flaw in the Windows Print Spooler service. It was disclosed in summer 2021 and kicked off a run of printing-related security problems for the enterprise software and cloud giant.

Soon after its discovery, Microsoft issued a patch for the vulnerability.

The alert from CISA and the FBI comes amid heightened worries about cyberattacks linked to Russia and its invasion of neighboring Ukraine. Ukraine has come under steady assault from cyberattacks and there has been some spillover to companies in countries outside of Eastern Europe.

In the attack on the NGO, the attackers used brute-force password guessing to obtain the password of an account in the organization's Duo MFA deployment. The password was simple and predictable, according to the US agencies.

"The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory," according to the alert.

"As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network."

With that foothold, the attackers exploited PrintNightmare to run code with SYSTEM privileges, giving them administrator-level control, and then altered a domain controller's hosts file so that it could no longer reach Duo's cloud service to validate logins. Because the Duo integration was configured to fail open when its server is unreachable, MFA was effectively switched off. The attackers then authenticated to the victim's virtual private network (VPN) as non-administrator users and made Remote Desktop Protocol (RDP) connections to Windows domain controllers, from which they harvested credentials for other domain accounts.

Bud Broomhead, CEO of cybersecurity vendor Viakoo, said organizations should expect to see more of this kind of attack vector. Patching printers and other Internet of Things devices is a high priority.

"SIM swapping is enabling more exploits to happen despite MFA being set up properly on devices that support MFA," Broomhead told The Register in an email. "Many IoT devices lack multifactor authentication, making it critically important that organizations have a strategy for enforcing corporate password policies across their fleets of IoT devices, including regular password rotations, complex passwords being used and coordination of passwords with the applications using IoT devices."

"Industry-best practices go a long way toward preventing the kind of attack seen here," Vulcan Cyber's Mike Parkin said. "Default configurations should be updated to a secure configuration. Systems should be configured to fail closed rather than open. Unused accounts should be disabled. Default accounts, if they need to remain in service, should have their passwords changed from the initial default to something secure. Patches should be deployed as soon as practical. Access should be restricted to the minimal required levels."
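The account in this incident had been dropped from Duo for inactivity but was still enabled in Active Directory, which is exactly the gap Parkin's "unused accounts should be disabled" closes: a disabled AD account cannot authenticate at all, so Duo's re-enrollment behaviour never comes into play. The following is an added example (not code from the article, CISA, Duo or Microsoft) that runs the dormancy check over an AD user export and emits the PowerShell to disable what it finds. The export is constructed sample data in the shape an `Export-Csv` of `Get-ADUser` output would have; the 90-day threshold and the fixed "now" date are assumptions for the demonstration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an AD user export, e.g. from
#   Get-ADUser -Filter * -Properties LastLogonDate,WhenCreated | Export-Csv users.csv
# Not real data.
SAMPLE_EXPORT = """SamAccountName,Enabled,LastLogonDate,WhenCreated
jdoe,True,2022-03-10 08:12:00,2019-05-01 09:00:00
svc_backup,True,2021-06-02 23:40:00,2018-01-15 09:00:00
mrobinson,False,2021-02-11 10:00:00,2017-03-03 09:00:00
newhire,True,,2022-03-01 09:00:00
contractor_old,True,,2021-01-01 09:00:00
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def _parse_ts(value):
    """An empty field means the attribute was never set, e.g. the account never logged on."""
    value = (value or "").strip()
    if not value:
        return None
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_export(text):
    """Turn the CSV export into plain dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "sam": r["SamAccountName"].strip(),
            "enabled": r["Enabled"].strip().lower() == "true",
            "last_logon": _parse_ts(r["LastLogonDate"]),
            "created": _parse_ts(r["WhenCreated"]),
        })
    return rows


def dormant_enabled_accounts(rows, now, max_idle_days=90):
    """Accounts still enabled that have not logged on within max_idle_days.

    Never-logged-on accounts are measured from creation, so a fresh hire is not flagged
    while an old account that was never used is.
    """
    cutoff = now - timedelta(days=max_idle_days)
    dormant = []
    for r in rows:
        if not r["enabled"]:
            continue  # already disabled: nothing to do
        reference = r["last_logon"] or r["created"]
        if reference is None or reference < cutoff:
            dormant.append(r["sam"])
    return sorted(dormant)


def remediation_commands(sams):
    """PowerShell to disable the flagged accounts; review the list before running it."""
    return [f"Disable-ADAccount -Identity '{s}'" for s in sams]


def run_sample():
    """Run the check over the constructed export with a fixed 'now' (assumed) so it is reproducible."""
    now = datetime(2022, 3, 15, tzinfo=timezone.utc)
    return dormant_enabled_accounts(parse_export(SAMPLE_EXPORT), now)


if __name__ == "__main__":
    print("\n".join(remediation_commands(run_sample())))
```

One caveat when you run this against a real export: `LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which by default is only refreshed when the stored value is more than 14 days old, so it can lag a real logon by up to two weeks. Keep the dormancy threshold well above that, and disable rather than delete first so a false positive is a ticket, not a rebuild.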
