© 2023 CyberNews - Latest tech news, product reviews, and analyses.


Russian threat actors exploit MFA weakness

Russian state-sponsored cyber actors have combined a default Multifactor Authentication (MFA) configuration with an unpatched Windows vulnerability to break into a victim's network, according to a joint advisory released by the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA). The weakness was not in MFA itself but in a default policy that let a dormant, unenrolled account register a new authentication device.

“Russian cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability,” said the report.

According to the advisory, as early as May 2021 the actors took advantage of a misconfigured account left on default MFA settings at a non-governmental organization (NGO), allowing them to enroll a new device for MFA on that account and gain access to the victim's network.

The actors then exploited a critical Windows Print Spooler vulnerability, known as “PrintNightmare” (CVE-2021-34527), to run arbitrary code with SYSTEM privileges.

“Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration,” said the report.

“The actors gained credentials via brute-force password guessing attack, allowing them access with a simple, predictable password. The victim account had been unenrolled from Duo due to a long period of inactivity, but was not disabled in the Active Directory.

“As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.”

The FBI and CISA are urging organizations to enforce MFA for all users without exception and to review configuration policies to protect against “fail open” and re-enrollment scenarios: a “fail open” setting lets a logon succeed without a second factor when the MFA service cannot be reached, and a permissive new-user policy lets a dormant account register a new device. They have also called on organizations to patch all systems, prioritizing known exploited vulnerabilities, and to ensure inactive accounts are disabled uniformly across Active Directory and the MFA system, since an account that is unenrolled from MFA but still enabled in the directory is exactly the gap described above.
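The two recommendations above, disabling dormant directory accounts and checking for fail-open MFA, as a PowerShell runbook. This is an added example, not code from the advisory or from CyberNews. It assumes the ActiveDirectory RSAT module, a 90-day inactivity threshold, and the registry location Duo documents for its Windows Logon fail mode; verify that path and value name against the documentation for the installed Duo version before relying on it.

```powershell
# Added example: enforce the "disable inactive accounts" and "no fail open"
# recommendations. Requires the ActiveDirectory module (RSAT) and rights to
# modify user objects. The 90-day threshold and the Duo registry path are
# assumptions, not values taken from the advisory.
Import-Module ActiveDirectory

function Get-DormantAdUser {
    param([int]$InactiveDays = 90)
    # Search-ADAccount keys on lastLogonTimestamp, which replicates with up
    # to ~14 days of slack, so the cut-off is approximate. Only enabled
    # accounts matter here: an unenrolled-but-enabled account is the gap.
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, Description
        } |
        Select-Object SamAccountName, DistinguishedName, LastLogonDate, Description
}

function Disable-DormantAdUser {
    param(
        [int]$InactiveDays = 90,
        [switch]$Commit      # without -Commit this is a dry run
    )
    $dormant = @(Get-DormantAdUser -InactiveDays $InactiveDays)
    foreach ($u in $dormant) {
        if ($Commit) {
            # Stamp the reason into Description so the change is auditable
            # and reversible, then disable rather than delete.
            $stamp = (Get-Date).ToString('yyyy-MM-dd')
            Set-ADUser -Identity $u.DistinguishedName `
                -Description "Disabled $stamp (inactive >$InactiveDays d); was: $($u.Description)"
            Disable-ADAccount -Identity $u.DistinguishedName
            Write-Output "DISABLED      $($u.SamAccountName)  last logon: $($u.LastLogonDate)"
        } else {
            Write-Output "WOULD DISABLE $($u.SamAccountName)  last logon: $($u.LastLogonDate)"
        }
    }
    return $dormant.Count
}

function Test-DuoFailOpen {
    # Assumed registry location for Duo Authentication for Windows Logon.
    # FailOpen=1 allows logon with no second factor when Duo's service is
    # unreachable, which is the "fail open" scenario the advisory warns about.
    $key = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
    if (-not (Test-Path $key)) { return 'Duo Windows Logon not installed on this host' }
    $v = (Get-ItemProperty -Path $key -Name FailOpen -ErrorAction SilentlyContinue).FailOpen
    if ($v -eq 1) { return 'FAIL OPEN: set FailOpen=0 (fail closed) on exposed hosts' }
    return 'fail closed'
}

# Review the dry-run list first, then re-run with -Commit.
Disable-DormantAdUser -InactiveDays 90
Test-DuoFailOpen
```

Run the dry run from a workstation with RSAT against each domain, reconcile the list with the MFA provider's enrollment report (an account that is dormant in Duo but active in AD, or the reverse, is the inconsistency the advisory warns about), and only then re-run with `-Commit`. Disabling rather than deleting keeps the audit trail and lets a legitimate returning user be re-enabled through a ticketed process that also forces fresh MFA enrollment.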
