Overview
The FBI and CISA issued a joint statement this week warning organizations that Russian state-sponsored threat actors gained access to an unnamed organization’s network by exploiting misconfigured default multifactor authentication (MFA) protocols in conjunction with CVE-2021-34527 (PrintNightmare) to run arbitrary code with administrative system privileges. The threat actors have been exploiting default Cisco Duo MFA protocols since as early as May 2021.
According to Duo, once the threat actors gain administrative access to Windows domain controllers, they change two-factor authentication (2FA) configurations and bypass 2FA to gain access to cloud storage services and email accounts for document exfiltration. After the discovery, Duo released a public service announcement addressing the issue.
“This scenario did not leverage or reveal a vulnerability in Duo software or infrastructure but made use of a combination of configurations in 2FA (in this case Duo 2FA) and Windows native authentication workflows. This scenario can be mitigated through a policy configuration in Duo’s Admin. Duo recommends reviewing your configuration to make sure it meets your current business and security needs.” – Iva Blazina Vukelja (Senior Director of Product Management at Duo and Zero Trust)
CISA reported that the FBI observed threat actors gain access to an NGO (non-governmental organization), exploit a flaw in default MFA protocols, and move laterally to the NGO’s cloud environment. After gaining initial access through compromised credentials (obtained by brute-force password guessing), the threat actors enrolled a new device in their victim’s Duo MFA. The compromised account belonged to someone who had been un-enrolled from Duo due to a long period of inactivity, but the account had not been disabled in Active Directory. Because Duo’s default configuration allows re-enrollment of a new device for dormant accounts, the threat actors were able to enroll a new device, complete the authentication requirements, and gain access to their victim’s network.
Cyber security best practices are the safest way to keep your organization from becoming a victim of threat actors who may exploit this vulnerability. Disabling inactive accounts across the Active Directory or MFA systems is a basic cyber security policy that any organization can implement.
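The gap described above is an account that is enabled in Active Directory but dormant in AD or un-enrolled in Duo. The following added example (not from the advisory, CISA, or Duo) reconciles the two views over constructed sample records; the field names and the Duo status strings are assumptions, and in practice the records would come from an AD export and the Duo Admin API.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (assumed field names, not real accounts).
AD_USERS = [
    {"sam": "jdoe",   "enabled": True,  "last_logon": "2022-03-10T08:12:00Z"},
    {"sam": "mlee",   "enabled": True,  "last_logon": "2021-06-01T09:00:00Z"},  # dormant, still enabled
    {"sam": "svc_bk", "enabled": True,  "last_logon": None},                    # never logged on
    {"sam": "old_hr", "enabled": False, "last_logon": "2020-11-20T10:30:00Z"},  # already disabled
]
# Constructed Duo view: "disabled" stands in for an account Duo un-enrolled
# for inactivity; svc_bk has no Duo record at all.
DUO_USERS = {"jdoe": "active", "mlee": "disabled", "old_hr": "disabled"}


def find_risky_accounts(ad_users, duo_users, now, max_idle_days=90):
    """Return (sam, reasons) for AD accounts that are enabled but dormant
    in AD or not active in Duo.

    An enabled AD account whose Duo status is not 'active' is the condition
    the advisory describes: a guessed password alone is enough for an
    attacker to enroll a new MFA device on it.
    """
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for u in ad_users:
        if not u["enabled"]:
            continue  # already disabled in AD, nothing to reconcile
        reasons = []
        last = u["last_logon"]
        if last is None:
            reasons.append("never logged on")
        elif datetime.fromisoformat(last.replace("Z", "+00:00")) < cutoff:
            reasons.append(f"no AD logon in {max_idle_days}+ days")
        duo_status = duo_users.get(u["sam"], "not enrolled")
        if duo_status != "active":
            reasons.append(f"Duo status: {duo_status}")
        if reasons:
            findings.append((u["sam"], reasons))
    return findings


if __name__ == "__main__":
    for sam, reasons in find_risky_accounts(AD_USERS, DUO_USERS, datetime.now(timezone.utc)):
        print(f"{sam}: disable in AD and Duo ({'; '.join(reasons)})")
```

Every account the function returns should be disabled in both systems, which is the uniform-disable policy the recommendations below call for.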
How Avertium is Protecting Our Customers:
- Implement XDR as a prevention method. Our XDR is a combination of monitoring software like LogRhythm, Microsoft Azure Sentinel, or AlienVault, combined with endpoint protection such as SentinelOne. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes endpoints, applications, network devices, and user interactions.
- MDR provides an in-depth investigation into potential threats on an organization’s network. Avertium’s risk-based approach to managed security delivers the right combination of technology, field-validated threat intelligence, and resource empowerment to reduce complexity, streamline operations, and enhance cybersecurity resilience. If you need a more advanced security solution, MDR is the next step. MDR is an outsourced security control solution that includes the elements of EDR, enhanced with a range of fundamental security processes.
- Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
Avertium's recommendations
To mitigate the vulnerability, CISA and the FBI recommend the following:
- Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.
- Implement time-out and lock-out features in response to repeated failed login attempts.
- Ensure inactive accounts are disabled uniformly across Active Directory, MFA systems, etc.
- Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
- Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.
- Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit, etc.).
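Two of the recommendations above are concrete enough to turn into detection logic: alerting on the process names listed as indicators of compromise, and catching the hosts-file entry from the IoC list that points the Duo API hostname at loopback (the fail-open condition). The example below is added here and is not code from the advisory, CISA, or Duo; the simplified event format is an assumption standing in for Windows Security event 4688 or Sysmon event 1 as a SIEM would present them.

```python
import re

# Constructed sample process-creation events in an assumed simplified format.
SAMPLE_EVENTS = [
    "2022-03-15T02:11:07Z host=DC01 user=CORP\\mlee new_process=C:\\Windows\\System32\\ntdsutil.exe parent=cmd.exe",
    "2022-03-15T02:13:40Z host=DC01 user=CORP\\mlee new_process=C:\\Tools\\rar.exe parent=cmd.exe",
    "2022-03-15T02:14:02Z host=DC01 user=CORP\\mlee new_process=C:\\Windows\\regedit.exe parent=cmd.exe",
    "2022-03-15T08:00:11Z host=WS17 user=CORP\\jdoe new_process=C:\\Program Files\\App\\app.exe parent=explorer.exe",
    "2022-03-15T08:02:30Z host=WS17 user=CORP\\jdoe new_process=C:\\Windows\\System32\\ping.exe parent=cmd.exe",
]

# Process names from the advisory's IoC list. ping.exe is also listed but is
# far noisier on a normal network, so it is tracked at low confidence.
HIGH_CONFIDENCE = {"ntdsutil.exe", "rar.exe", "regedit.exe"}
LOW_CONFIDENCE = {"ping.exe"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+)\s+"
    r"new_process=(?P<path>.+?) parent=(?P<parent>\S+)$"
)


def classify_events(lines):
    """Return (severity, host, user, image) for each event whose image is an IoC process."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        image = m.group("path").rsplit("\\", 1)[-1].lower()
        if image in HIGH_CONFIDENCE:
            hits.append(("high", m.group("host"), m.group("user"), image))
        elif image in LOW_CONFIDENCE:
            hits.append(("low", m.group("host"), m.group("user"), image))
    return hits


# Constructed hosts-file content containing the entry shape from the IoC list.
SAMPLE_HOSTS = "# Copyright (c) 1993-2009 Microsoft Corp.\n127.0.0.1 localhost\n127.0.0.1 api-<redacted>.duosecurity.com\n"

# Any Duo hostname mapped to a loopback or null address is a black-holed MFA check.
HOSTS_RE = re.compile(r"^\s*(127\.\d+\.\d+\.\d+|::1|0\.0\.0\.0)\s+(\S*duosecurity\.com)\b", re.I)


def find_blackholed_duo_hosts(hosts_text):
    """Return Duo hostnames that a hosts file maps to a loopback/null address."""
    return [m.group(2) for m in (HOSTS_RE.match(l) for l in hosts_text.splitlines()) if m]
```

In practice the hosts check runs against C:\Windows\System32\drivers\etc\hosts on domain controllers and any server running the Duo authentication proxy, and a hit should be treated as an active attempt to disable MFA rather than a stray misconfiguration.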
Avertium encourages you to follow cyber security best practices to keep your organization safe. CISA and the FBI recommend the following:
- Deploy Local Administrator Password Solution (LAPS), enforce Server Message Block (SMB) signing, restrict administrative privileges (local admin users, groups, etc.), and review sensitive materials on domain controllers’ SYSVOL share.
- Enable increased logging policies, enforce PowerShell logging, and ensure antivirus/endpoint detection and response (EDR) are deployed to all endpoints and enabled.
- Routinely verify no unauthorized system modifications, such as additional accounts and Secure Shell (SSH) keys, have occurred to help detect a compromise. To detect these modifications, administrators can use file integrity monitoring software that alerts an administrator or blocks unauthorized changes on the system.
Network Best Practices
- Monitor remote access/RDP logs and disable unused remote access/RDP ports.
- Deny atypical inbound activity from known anonymization services, to include commercial VPN services and The Onion Router (TOR).
- Implement allow-listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
- Regularly audit administrative user accounts and configure access control under the concept of least privilege.
- Regularly audit logs to ensure new accounts are legitimate users.
- Scan networks for open and listening ports and remediate those that are unnecessary.
- Maintain historical network activity logs for at least 180 days, in case of a suspected compromise.
- Identify and create offline backups for critical assets.
- Implement network segmentation.
- Automatically update anti-virus and anti-malware solutions and conduct regular virus and malware scans.
Remote Work Environment Best Practices
- Regularly update VPNs, network infrastructure devices, and devices used for remote work environments with the latest software patches and security configurations.
- When possible, implement multi-factor authentication on all VPN connections. Physical security tokens are the most secure form of MFA, followed by authenticator applications. When MFA is unavailable, require employees engaging in remote work to use strong passwords.
- Monitor network traffic for unapproved and unexpected protocols.
- Reduce potential attack surfaces by discontinuing unused VPN servers that may be used as a point of entry for attackers.
Indicators of Compromise (IOCs):
- 45.32.137[.]94
- 191.96.121[.]162
- 173.239.198[.]46
- 157.230.81[.]39
- ping.exe
- regedit.exe
- rar.exe
- ntdsutil.exe
- 127.0.0.1 api-<redacted>.duosecurity.com
Supporting documentation
How to Prevent Cyber Actors from Bypassing Two-Factor Authentication Implementation | Duo Security
Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability | CISA
Access Network Misconfigured with Default MFA Protocols by Russian State-Sponsored Cyber Actors (thetechoutlook.com)
Related Reading:
[New Malware]: CISA Warns of Renewed Russian Threat as New Activity is Seen in Ukraine
Contact us for more information about Avertium’s managed security service capabilities.