Joint CyberSecurity Advisory Alert on "PrintNightmare” Vulnerability and Default MFA Protocols Exploited by Russian State-Sponsored Cyber Actors (AA22-074A)

Description

FortiGuard Labs is aware of a recent report issued by the U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) that Russian state-sponsored cyber actors have gained network access to a non-governmental organization (NGO) through exploitation of default Multi-Factor Authentication (MFA) protocols and the "PrintNightmare" vulnerability (CVE-2021-34527). The attack resulted in data exfiltration from cloud and email accounts of the target organization.


Why is this Significant?

This is significant because the advisory describes how a target organization was compromised by Russian state-sponsored cyber actors. The advisory also provides mitigations.


How did the Attack Occur?

The advisory provides the following attack sequence:


"Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization's Duo MFA. The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.


Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the "PrintNightmare" vulnerability (CVE-2021-34527) to obtain administrator privileges. The actors also modified a domain controller file, c:\windows\system32\drivers\etc\ hosts, redirecting Duo MFA calls to localhost instead of the Duo server. This change prevented the MFA service from contacting its server to validate MFA login-this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to "Fail open" if the MFA server is unreachable. Note: "fail open" can happen to any MFA implementation and is not exclusive to Duo.


After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim's virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts. The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity.


Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim's cloud storage and email accounts and access desired content."


What is the "PrintNightmare" vulnerability (CVE-2021-34527)?

The "PrintNightmare" vulnerability" was a critical vulnerability affecting Microsoft Windows Print Spooler. Microsoft released an out-of-bound advisory for the vulnerability on July 6th, 2021.


Has Microsoft Released a Patch for the "PrintNightmare" vulnerability (CVE-2021-34527)?

Yes, Microsoft released an out-of-bound patch for the "PrintNightmare" vulnerability in July, 2021.Due to its severity, Microsoft made the patches available for unsupported OS such as Windows 7 and Windows Server 2012.

Successful exploitation of the vulnerability allows an attack to run arbitrary code with SYSTEM privileges.


FortiGuard Labs released an Outbreak Alert and Threat Signal for PrintNightmare. See the Appendix for a link to "Fortinet Outbreak Alert: Microsoft PrintNightmare" and "#PrintNightmare Zero Day Remote Code Execution Vulnerability".


What is the Status of Coverage?

FortiGuard Labs has IPS coverage in place for the "PrintNightmare" vulnerability (CVE-2021-34527):

MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.Escalation


All known network IOC's are blocked by the FortiGuard WebFiltering client.


Any Other Suggested Mitigation?

The advisory recommends the following mitigations:


  • Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against "fail open" and re-enrollment scenarios.
  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems etc.
  • Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
  • Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.
  • Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit, etc.).

description-logoOutbreak Alert

A remote code execution vulnerability exists in Windows OS when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Microsoft is encouraging customers to either "Disable the Print Spooler service" or "Disable inbound remote printing through Group Policy".

View the full Outbreak Alert Report