Russian threat actors leveraging misconfigured multifactor authentication to exploit PrintNightmare vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint alert warning enterprises that Russian state-sponsored cyber actors gained network access by exploiting default MFA configuration settings together with a known, patched vulnerability.

Russian state-sponsored cyber actors gained initial access to the target organization by using compromised credentials and enrolling a new device in the organization's Duo multifactor authentication (MFA). They obtained the credentials through a brute-force password-guessing attack against an account that had a simple, predictable password. That account had been unenrolled from Duo after a long period of inactivity, but it had not been disabled in Active Directory. Because Duo's default configuration allows an inactive account to re-enroll a new device, the actors were able to register their own device, satisfy the MFA requirement, and gain access to the victim network. Using the compromised account, the actors then escalated to administrator privileges by exploiting the "PrintNightmare" vulnerability (CVE-2021-34527) in the Windows Print Spooler service, and moved laterally to the victim's cloud storage and email accounts to collect data of interest.

Organizations can apply the following mitigations:
  • Enforce MFA for all users and review MFA configuration settings to guard against "fail open" behaviour (authentication that succeeds when the MFA service cannot be reached) and against re-enrollment of new devices on inactive accounts.
  • Ensure that inactive accounts are disabled consistently across Active Directory, the MFA system, and any other identity systems, so that an account that has dropped out of MFA cannot still authenticate.
  • Keep operating systems, applications, and device firmware up to date; in particular, apply the available patches for CVE-2021-34527.
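The attack chain above hinges on a gap between two identity systems: an account that had been unenrolled from Duo while it was still enabled in Active Directory. The following Python script is an added example, not code from the advisory or from Duo, that reconciles a constructed AD user export with a constructed Duo user listing to surface exactly those accounts (plus the related cases of stale-but-enabled, MFA-bypass, and disabled-in-AD-but-active-in-Duo), and flags a new-device enrollment on an account whose last Duo login is older than the inactivity threshold. The `ADUser`/`DuoUser` records, the event dictionaries, the account names and the 90-day threshold are all assumptions for illustration; in production the inputs would come from `Get-ADUser` output and the Duo Admin API users listing.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed inactivity threshold; use whatever your joiner/mover/leaver policy states.
INACTIVE_DAYS = 90
# Fixed reference time so the example is reproducible offline.
NOW = datetime(2022, 3, 15, tzinfo=timezone.utc)


@dataclass
class ADUser:
    sam: str                        # sAMAccountName
    enabled: bool                   # False when userAccountControl has ACCOUNTDISABLE set
    last_logon: Optional[datetime]  # lastLogonTimestamp; None if the account never logged on


@dataclass
class DuoUser:
    username: str
    status: str                     # Duo user status: "active", "bypass", "disabled", "locked out"
    enrolled: bool                  # True if at least one authentication device is registered
    last_login: Optional[datetime]


def is_stale(last: Optional[datetime], now: datetime = NOW, days: int = INACTIVE_DAYS) -> bool:
    """An account is stale if it never authenticated, or not within `days` of `now`."""
    return last is None or now - last > timedelta(days=days)


def reconcile(ad_users: List[ADUser], duo_users: List[DuoUser],
              now: datetime = NOW) -> Dict[str, List[str]]:
    """Compare AD and Duo state and return the accounts that violate the mitigations."""
    duo_by_name = {u.username.lower(): u for u in duo_users}
    findings: Dict[str, List[str]] = {
        "enabled_in_ad_not_enrolled": [],  # the gap used in the intrusion
        "stale_but_enabled": [],           # should be disabled in every system
        "mfa_bypass": [],                  # Duo lets the user through without a second factor
        "duo_active_ad_disabled": [],      # disabled in AD, but Duo was never told
    }
    for u in ad_users:
        d = duo_by_name.get(u.sam.lower())
        if u.enabled and (d is None or not d.enrolled):
            findings["enabled_in_ad_not_enrolled"].append(u.sam)
        if u.enabled and is_stale(u.last_logon, now):
            findings["stale_but_enabled"].append(u.sam)
        if u.enabled and d is not None and d.status == "bypass":
            findings["mfa_bypass"].append(u.sam)
        if not u.enabled and d is not None and d.status == "active":
            findings["duo_active_ad_disabled"].append(u.sam)
    return findings


def flag_reenrollment_after_dormancy(events, duo_users, days: int = INACTIVE_DAYS):
    """Detection: a new device enrolled on an account whose last Duo login is older than
    `days` (or unknown) at the time of enrollment. The event dict format is constructed."""
    duo_by_name = {u.username.lower(): u for u in duo_users}
    flagged = []
    for e in events:
        if e["action"] != "device_enroll":
            continue
        d = duo_by_name.get(e["user"].lower())
        if d is None or is_stale(d.last_login, e["ts"], days):
            flagged.append((e["user"], e["ts"]))
    return flagged


# Constructed sample data; none of these are real accounts.
AD_USERS = [
    ADUser("jdoe", True, datetime(2022, 3, 14, tzinfo=timezone.utc)),
    ADUser("svc_backup", True, datetime(2021, 6, 1, tzinfo=timezone.utc)),  # dormant, still enabled
    ADUser("mlee", False, datetime(2021, 1, 10, tzinfo=timezone.utc)),
    ADUser("tsmith", True, datetime(2022, 3, 10, tzinfo=timezone.utc)),
]
DUO_USERS = [
    DuoUser("jdoe", "active", True, datetime(2022, 3, 14, tzinfo=timezone.utc)),
    DuoUser("svc_backup", "active", False, datetime(2021, 6, 1, tzinfo=timezone.utc)),  # unenrolled
    DuoUser("mlee", "active", True, datetime(2021, 1, 10, tzinfo=timezone.utc)),
    DuoUser("tsmith", "bypass", True, datetime(2022, 3, 10, tzinfo=timezone.utc)),
]
EVENTS = [
    {"ts": datetime(2022, 3, 12, tzinfo=timezone.utc), "user": "svc_backup", "action": "device_enroll"},
    {"ts": datetime(2022, 3, 13, tzinfo=timezone.utc), "user": "jdoe", "action": "auth_success"},
    {"ts": datetime(2022, 3, 13, tzinfo=timezone.utc), "user": "jdoe", "action": "device_enroll"},
]

if __name__ == "__main__":
    for category, names in reconcile(AD_USERS, DUO_USERS).items():
        print(f"{category}: {names}")
    for user, ts in flag_reenrollment_after_dormancy(EVENTS, DUO_USERS):
        print(f"ALERT: device enrolled on dormant account {user} at {ts.isoformat()}")
```

On the sample data, `svc_backup` shows up in both the reconciliation (enabled in AD, not enrolled in Duo, stale) and the enrollment detection, which is the pattern the advisory describes; `jdoe`'s enrollment is not flagged because the account authenticated recently. Run the reconciliation on a schedule and treat every finding as an account to disable in both directories, and feed the enrollment check with Duo authentication and administrator logs so that a re-enrollment on a dormant account pages someone rather than silently succeeding.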

The MITRE ATT&CK tactics and techniques observed in this attack are:
TA0001 – Initial Access
TA0003 – Persistence
TA0004 – Privilege Escalation
TA0005 – Defense Evasion
TA0006 – Credential Access
TA0007 – Discovery
TA0008 – Lateral Movement
TA0009 – Collection
T1078 – Valid Accounts
T1133 – External Remote Services
T1556 – Modify Authentication Process
T1068 – Exploitation for Privilege Escalation
T1112 – Modify Registry
T1110.001 – Brute Force: Password Guessing
T1003.003 – OS Credential Dumping: NTDS
T1018 – Remote System Discovery
T1560.001 – Archive Collected Data: Archive via Utility

Vulnerability Details

Indicators of Compromise (IoCs)

Patch Link