CISA & FBI Cyber Alert: Hackers deploying new tactics to bypass MFA and gain access to NGO’s emails and cloud
Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert related state sponsored hackers. State sponsored hackers were found to successfully gain entry into Non Government Organization (NGO) by combining two known exploits.
Hackers have combined default configuration issue in Duo MFA with critical Windows 10 PrintNightmare flaw CVE-2021-34481 to compromise the NGO’s environment.
In the NGO’s case, the weak password allowed the attackers to launch a password attack to gain the credentials for initial access. Hackers knew that Duo’s default configuration setting allows the enrollment of a new device for dormant accounts.
“Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password,” CISA mentioned in the alert.
After taking over the account, PrintNightmare issue of Windows 10 came handy, with the attackers using it to elevate their privileges to a more powerful admin level and then “effectively” disabled MFA for the compromised account.
“This change prevented the MFA service from contacting its server to validate MFA login – this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable,” CISA said.
CISA said, “fail open” issue is not specific to Duo.
Entire operation was used again and again to higher-value domain accounts. After overpowering the MFA, the attackers authenticated to the victim’s VPN as non-administrator users and made RDP connections to the Windows domain controllers. They got the credentials for additional domain accounts and changed the MFA configuration, allowing them to bypass MFA for newly compromised accounts.
“Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim’s cloud storage and email accounts and access desired content,” CISA disclosed.
CISA has released several mitigation practices related to and beyond MFA implementations. The MFA-specific mitigations include:
- Before implementing, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.
- Implement time-out and lock-out features in response to repeated failed login attempts.
- Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
- Updating software and prioritizing patching of known exploited vulnerabilities, especially critical and high-level vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
- Require service accounts, admin accounts, and domain admin accounts to have strong, unique passwords.
Industry experts have long recommended to patch the default security configurations and keep innovating to stay secure in increasingly challenging world that has went online with high velocity in the post pandemic era.
Nehal Mehta, the President of Rainbow Secure said, We recognized the upcoming cyber challenges to digital transformation and business operations in cloud very early on. We have done years of security research and developed modern platform to secure business and keep data secure.
She mentioned rainbow secure is always on a mission to secure the digital transformation dream and enable the technology for good. She further highlighted that Rainbow Secure provides defense against the very attack methods used in these attacks. Rainbow Secure Identity & Single sign on login solutions are available for applications, mobile apps and business services. You no longer have to be on the mercy of the device, or the host operation system provided user identity directory. They provide multi-layer multi-factor defense against brute-force, phishing, automated credential stuffing, SMIShing and many other cyber-attacks. AI monitoring, Risk Analytics, geo fencing and interactive login experience ensures cyber risk elimination at scale.
Rainbow Secure invites you to integrate, connect and secure your cloud hosting, network tools, applications and business services running in cloud, on premise and closed networks with one unified business login powered by interactive graphical rainbow secure technology solutions. Neither long complex passwords nor captcha is going to save you.
If you support or manage application security, infrastructure Security, for your organization or for your clients, contact us today. We are here to help you discover your options to stay safe against new cyber threats and help build the plan of action for cyber resilient business operations. Increase cyber defense but not user stress. Provide best user experience with security compliance.
Why now? Hackers don’t wait to upgrade, neither should you. Stay Cyber Safe and have a good day.
#MFAAttack #WindowsBug #BruteforcePrevention #PhishingMitigation #StayCyberSafe #CyberNews #RainbowSecure #InfrastructureSecurity #HackingNews #Cybersecurity #CISA #FBI #Infragard #IdentityManagement #SingleSignon
News Credit: CISA, Zdnet