
FBI and CISA Warn About Russian State-Sponsored Cyber Actors’ Exploitation of Vulnerability

Today, the FBI issued a warning titled “Mitigating Threats Posed by Russian State-Sponsored Cyber Actors’ Exploitation of Default Multifactor Authentication Protocol and ‘PrintNightmare’ Vulnerability,” encouraging all organizations to enable, enforce, and properly configure MFA, as well as prioritize patching of known exploited vulnerabilities.

In other words, make sure your security department is doing its job. Security 101 students know they should remove unnecessary open ports, keep up with patches, review configurations and eliminate poor or outdated configurations, remove default passwords, and review the insider threat. Even the DHS warns about the insider threat – some 60-90% of organizations have experienced a security breach due to the insider threat. The variance is mostly due to reporting: some organizations refuse to report breaches for obvious reasons.

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory today with technical details, mitigations, and resources regarding the previously demonstrated ability of Russian state-sponsored cyber actors to gain network access through exploitation of default multifactor authentication (MFA) protocols and a known vulnerability in Windows Print Spooler, “PrintNightmare.” The advisory, titled “Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and ‘PrintNightmare’ Vulnerability,” provides observed tactics, techniques, and procedures (TTPs); indicators of compromise (IOCs); and mitigation recommendations. The FBI and CISA urge all organizations to take immediate action to protect against this malicious activity and apply the recommended mitigations.

As early as May 2021, the Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization, allowing them to enroll a new device for MFA and access the victim’s network. The actors then exploited a critical vulnerability “PrintNightmare” (CVE-2021-34527) to run arbitrary code with system privileges, and then were able to access cloud and email accounts for document exfiltration.

Specifically, the advisory encourages users to:

- Enforce MFA for all users, without exception, and ensure it is properly configured to protect against “fail open” and re-enrollment scenarios
- Implement time-out and lock-out features
- Disable inactive accounts uniformly in Active Directory, MFA, etc.
- Update software, prioritizing known exploited vulnerabilities
- Monitor network logs continuously for suspicious activity
- Implement security alerting policies
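One way to check the "disable inactive accounts uniformly" and re-enrollment mitigations is to reconcile the directory against the MFA provider and flag device enrollments on dormant accounts. The sketch below is an added example, not taken from the advisory or from any vendor; the record fields, event names, and the 90-day threshold are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample exports; field names are hypothetical, not a vendor schema.
DIRECTORY = [
    {"user": "alice", "enabled": True,  "last_logon": "2021-05-10"},
    {"user": "bob",   "enabled": True,  "last_logon": "2020-11-02"},  # dormant
    {"user": "carol", "enabled": False, "last_logon": "2020-08-15"},  # disabled
]
MFA_ACCOUNTS = [
    {"user": "alice", "status": "active"},
    {"user": "bob",   "status": "active"},
    {"user": "carol", "status": "active"},  # still live in MFA, disabled in directory
    {"user": "dave",  "status": "active"},  # no directory record at all
]
MFA_EVENTS = [
    {"time": "2021-05-12T09:14:00", "user": "alice", "event": "device_enrolled"},
    {"time": "2021-05-12T23:41:00", "user": "bob",   "event": "device_enrolled"},
]

def audit(directory, mfa_accounts, mfa_events, dormant_days=90):
    """Return a sorted list of (user, reason) findings."""
    by_user = {d["user"]: d for d in directory}
    findings = set()
    # 1. Accounts must be disabled uniformly: active in MFA implies enabled in directory.
    for acct in mfa_accounts:
        if acct["status"] != "active":
            continue
        entry = by_user.get(acct["user"])
        if entry is None:
            findings.add((acct["user"], "mfa_active_no_directory_account"))
        elif not entry["enabled"]:
            findings.add((acct["user"], "mfa_active_directory_disabled"))
    # 2. A new MFA device on an account with no recent logon deserves an alert.
    for ev in mfa_events:
        entry = by_user.get(ev["user"])
        if ev["event"] != "device_enrolled" or entry is None:
            continue
        idle = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(entry["last_logon"])
        if idle > timedelta(days=dormant_days):
            findings.add((ev["user"], "enrollment_on_dormant_account"))
    return sorted(findings)

if __name__ == "__main__":
    for user, reason in audit(DIRECTORY, MFA_ACCOUNTS, MFA_EVENTS):
        print(f"{user}: {reason}")
```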

CISA has updated the Shields Up webpage to include new services and resources, recommendations for corporate leaders and chief executive officers, and actions to protect critical assets. Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organizations against these threats. 

To report a cyber incident, organizations should contact CISA at report@cisa.gov or call CISA’s 24/7 CISA Central Operations Center at (888) 282-0870, and/or contact the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

cotobuzz

Community journalism, satire, government watchdog, voice to the voiceless

Published by
cotobuzz
