State-sponsored cybercriminals have found a loophole in Multifactor Authentication (MFA) systems and are using this to target companies, according to a report jointly released by the FBI and US cybersecurity watchdog CISA.
“Russian cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability,” said the report.
It is thought that Russian-backed threat actors exploited a misconfigured account set to default MFA protocols at a non-governmental organization (NGO) in May, allowing them to deploy a new device and access the victim’s network.
The attackers then exploited a critical Windows Print Spooler vulnerability, known as “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges.
“Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration,” said the report.
“The actors gained credentials via brute-force password guessing attack, allowing them access with a simple, predictable password. The victim account had been unenrolled from Duo due to a long period of inactivity, but was not disabled in the Active Directory.
“As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.”
The FBI and CISA are urging organizations to enforce MFA and review configuration policies to protect against “fail open” and re-enrollment scenarios. They have also called on them to patch all systems and ensure inactive accounts are disabled uniformly across Active Directory.
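The gap the advisory describes is a mismatch between two systems of record: an account still enabled in the directory but dormant and unenrolled from MFA. The following reconciliation check is an added illustration, not code from the advisory or from Duo; it runs over constructed sample data, and in practice the two inputs would come from a directory export and the MFA provider's user list (the 90-day dormancy threshold is an assumption).

```python
"""Reconcile directory account state with MFA enrolment state.

Flags accounts that are enabled in the directory but dormant or
unenrolled from MFA: the combination that a default "re-enrol a new
device" policy turns into an entry point.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

INACTIVITY_DAYS = 90  # assumed dormancy threshold; align with your policy


@dataclass
class DirectoryAccount:
    username: str
    enabled: bool
    last_logon: datetime  # last logon recorded by the directory


def find_risky_accounts(accounts, mfa_enrolled, now, inactivity_days=INACTIVITY_DAYS):
    """Return (username, reasons) for enabled accounts that are either
    missing from the MFA enrolment set or dormant past the threshold."""
    cutoff = now - timedelta(days=inactivity_days)
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot log on or re-enrol a device
        reasons = []
        if acct.username not in mfa_enrolled:
            reasons.append("enabled-but-unenrolled")
        if acct.last_logon < cutoff:
            reasons.append("dormant")
        if reasons:
            findings.append((acct.username, reasons))
    return findings


# Constructed sample data, not real exports.
NOW = datetime(2022, 3, 16)
SAMPLE_ACCOUNTS = [
    DirectoryAccount("alice", True, datetime(2022, 3, 15)),   # active and enrolled
    DirectoryAccount("bob", True, datetime(2021, 6, 1)),      # dormant, auto-unenrolled from MFA
    DirectoryAccount("carol", False, datetime(2021, 1, 1)),   # dormant but properly disabled
    DirectoryAccount("dave", True, datetime(2022, 3, 10)),    # active but never enrolled
]
SAMPLE_MFA_ENROLLED = {"alice", "carol"}

if __name__ == "__main__":
    for user, reasons in find_risky_accounts(SAMPLE_ACCOUNTS, SAMPLE_MFA_ENROLLED, NOW):
        print(f"{user}: {', '.join(reasons)} -> disable in directory or re-enrol after identity verification")
```

Accounts flagged as both dormant and unenrolled (bob above) are the exact case in the advisory and should be disabled in the directory rather than left to re-enrol on first contact.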