The Federal Bureau of Investigation (FBI) reported that Russian hackers in May 2021 gained access to the cloud environment of a non-governmental organization (NGO) by enrolling their own device in Duo MFA. The attackers achieved this by abusing multi-factor authentication (MFA) settings that were insecure in their default configuration.
In addition, the hackers exploited a critical vulnerability in the Windows Print Spooler, known as PrintNightmare (CVE-2021-34527), to run arbitrary code with SYSTEM privileges.
The hackers used credentials compromised in a password-guessing attack to access an inactive account that was not enrolled in MFA and had not been disabled in the organization’s Active Directory at the time.
“Since Duo’s default configuration settings allow for re-registering a new device for inactive accounts, attackers were able to fulfill authentication requirements and gain access to the victim’s network. The account was removed from Duo due to a long period of inactivity, but was not disabled in Active Directory,” the FBI said in a statement.
The next step was to disable the MFA service: by modifying a file on the domain controller, the attackers redirected all Duo MFA calls to the local system instead of the Duo server. This allowed them to authenticate to the NGO’s virtual private network (VPN) as non-administrator users, connect to Windows domain controllers via Remote Desktop Protocol (RDP), and obtain credentials for other domain accounts.
The compromised accounts and the MFA bypass allowed the cybercriminals to move through the victim’s network, gain access to cloud storage and email accounts, and steal data.
The FBI and CISA, in a joint cybersecurity advisory, called on organizations to apply the following protective measures:
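The redirection described above works by pointing the MFA provider’s API hostname at the local machine so that the MFA server is never reached. The following is an added example, not code from the article or from the FBI/CISA advisory, that parses hosts-file text and flags any entry mapping an MFA provider hostname to a loopback, unspecified or link-local address. The hostname suffix list and the sample hosts content are constructed assumptions for the demonstration.

```python
"""Flag hosts-file entries that sink an MFA provider's API hostname locally.
Added example; the sample file content below is constructed, not real."""
import ipaddress
from typing import List, Tuple

# Hostname suffixes whose local redirection would silence the second factor.
# Duo's API endpoints live under duosecurity.com; extend as needed (assumption).
MFA_HOST_SUFFIXES = ("duosecurity.com",)

# Constructed sample of a tampered Windows hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
10.0.0.5     fileserver01.corp.example
127.0.0.1    api-0123abcd.duosecurity.com
0.0.0.0      api-0123abcd.duosecurity.com  # appended later
::1          api-0123abcd.duosecurity.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring blank lines and comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/inline comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def is_local_sink(addr: str) -> bool:
    """True if addr is loopback, unspecified (0.0.0.0 / ::) or link-local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def find_mfa_redirects(text: str) -> List[Tuple[str, str]]:
    """Entries that resolve an MFA provider hostname to a local sink address."""
    return [
        (addr, name)
        for addr, name in parse_hosts(text)
        if name.endswith(MFA_HOST_SUFFIXES) and is_local_sink(addr)
    ]


if __name__ == "__main__":
    for addr, name in find_mfa_redirects(SAMPLE_HOSTS):
        print(f"ALERT: {name} is pinned to local address {addr}")
```

To run this against a real host, read `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts` on the Duo Authentication Proxy host) and pass its contents to `find_mfa_redirects`; any hit on a domain controller or MFA proxy is a high-priority finding, because a legitimate deployment has no reason to resolve its MFA provider locally.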
Implement MFA and review configuration policies to protect against “fail open” and re-enrollment scenarios.
Ensure that inactive accounts are disabled consistently in both Active Directory and MFA systems.
Patch all systems, prioritizing patches for known exploited vulnerabilities.
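The second recommendation targets the exact gap the attackers used: an account pruned from the MFA service for inactivity but still enabled in Active Directory. The following is an added example, not code from the article or the advisory, that reconciles a constructed AD export against a constructed MFA enrollment export and reports accounts whose state differs between the two. The 45-day inactivity threshold, the fixed reference date and all user records are assumptions for the demonstration.

```python
"""Reconcile AD enablement/activity with MFA enrollment state.
Added example on constructed data, not a real directory export."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=45)                      # assumed policy
NOW = datetime(2021, 5, 15, tzinfo=timezone.utc)           # fixed for reproducibility

# Constructed AD export: account -> enabled flag and last logon (None = never).
AD_USERS: Dict[str, dict] = {
    "alice":   {"enabled": True,  "last_logon": NOW - timedelta(days=3)},
    "bob":     {"enabled": True,  "last_logon": NOW - timedelta(days=200)},
    "carol":   {"enabled": False, "last_logon": NOW - timedelta(days=400)},
    "svc-bak": {"enabled": True,  "last_logon": None},
}

# Constructed MFA export: account -> status as the MFA service records it.
# "bob" is absent: the MFA service pruned him for inactivity.
MFA_USERS: Dict[str, str] = {
    "alice": "active",
    "carol": "disabled",
}


def is_dormant(last_logon: Optional[datetime], now: datetime = NOW,
               limit: timedelta = INACTIVITY_LIMIT) -> bool:
    """An account that never logged on, or not within the limit, is dormant."""
    return last_logon is None or now - last_logon > limit


def find_gaps(ad: Dict[str, dict], mfa: Dict[str, str],
              now: datetime = NOW) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs where AD and MFA state disagree."""
    findings = []
    for user, rec in ad.items():
        dormant = is_dormant(rec["last_logon"], now)
        mfa_state = mfa.get(user)            # None: not enrolled or pruned
        if rec["enabled"] and dormant:
            # Still usable in AD although nobody has logged on recently.
            findings.append((user, "dormant_but_enabled_in_ad"))
        if rec["enabled"] and mfa_state is None:
            # A valid password alone could trigger fresh device enrollment.
            findings.append((user, "enabled_in_ad_but_not_enrolled_in_mfa"))
        if not rec["enabled"] and mfa_state == "active":
            # Harmless today, but drifts from the "disable in both" rule.
            findings.append((user, "disabled_in_ad_but_active_in_mfa"))
    return findings


def accounts_to_disable(ad: Dict[str, dict], mfa: Dict[str, str],
                        now: datetime = NOW) -> List[str]:
    """Accounts that should be disabled in AD to restore parity with MFA."""
    flagged = {u for u, f in find_gaps(ad, mfa, now)
               if f in ("dormant_but_enabled_in_ad",
                        "enabled_in_ad_but_not_enrolled_in_mfa")}
    return sorted(flagged)


if __name__ == "__main__":
    for user, finding in find_gaps(AD_USERS, MFA_USERS):
        print(f"{user:8} {finding}")
    print("disable in AD:", accounts_to_disable(AD_USERS, MFA_USERS))
```

In practice the two inputs come from a directory query (for example `lastLogonTimestamp` and `userAccountControl` from AD) and the MFA provider’s user export; running the reconciliation on a schedule and acting on `accounts_to_disable` ensures that an account pruned from MFA cannot linger in AD as a password-only login.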