"Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and 'PrintNightmare' Vulnerability"

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint cybersecurity advisory with technical details, mitigations, and resources on how Russian state-sponsored actors infiltrated networks by exploiting default Multi-Factor Authentication (MFA) protocols and PrintNightmare, a vulnerability in the Windows Print Spooler. At a non-governmental organization, the actors used a misconfigured account set to default MFA protocols, which allowed them to register a new device for MFA and access the target network. They then exploited the critical PrintNightmare vulnerability to execute arbitrary code with system privileges and accessed cloud and email accounts to exfiltrate documents. The advisory provides the observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation recommendations. All organizations are urged to apply the recommended mitigations, such as enforcing MFA for all users, implementing time-out and lock-out features, disabling inactive accounts, updating software, monitoring network logs, implementing security alerting policies, and more. This article continues to discuss the joint advisory pertaining to Russian state-sponsored cyber actors gaining network access through the exploitation of default MFA protocols and the PrintNightmare vulnerability.

Homeland Security Today reports "Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and 'PrintNightmare' Vulnerability"
