The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that state-backed hackers from Russia are using a tried and true approach to gain access to Windows systems. The centerpiece of it is the “PrintNightmare” bug that plagues nearly all installations of every version of Windows that has not been patched at this point. But the first step of the Russian hackers is to attack MFA configuration weaknesses, something that is often set up by default.
Russian hackers combine the PrintNightmare print spooler vulnerability with MFA configuration weaknesses
CISA warns that the root of the problem is in default MFA configuration policies that create a major opening for attackers who manage to obtain any kind of login credentials, even those with only the most basic level of access to a Windows system. The attackers can then leverage PrintNightmare for full control.
The main problem, and the one that CISA is advising organizations to immediately address, is stock MFA configuration policies that clear the road for invaders. MFA implementations often have a policy of “failing open,” or allowing a device to connect if the MFA authentication server cannot be reached. Another issue is “device re-enrollment,” which allows anyone with a valid login to immediately plug a new device into the MFA validation system.
In addition to addressing these MFA configuration issues, CISA is also advising immediate security patching, in particular applying the patches issued by Microsoft for Windows that remove the PrintNightmare vulnerability. This highly publicized vulnerability allows an attacker to gain privileged access to a system by way of an opening in the print management system found in just about every installation of Windows going back some 20 years.
The last of the key recommended mitigation measures is to go through the Windows Active Directory and the MFA system and disable accounts that are still present but are no longer being used. The most common approach for the Russian hackers is to brute force the credentials of old dormant accounts that are protected with weak passwords, exploit MFA configurations to add a new device, and then leverage PrintNightmare for the takeover.
These are the central mitigation measures for stopping this attack, but they are not the only ones available. Other recommended actions include requiring all users to log in with MFA, setting security measures against brute force password guessing attacks, and setting alerts for any changes made to security-enabled groups, accounts or processes. Companies with remote work policies in place should also be combing through VPN servers to disable those that are no longer used.
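As an added example that is not part of the article or of the CISA/FBI advisory, the following PowerShell audit puts two of the mitigations above into practice on an Active Directory domain: it lists enabled user accounts that have been dormant for a configurable period so they can be disabled, and it collects the Security events that record membership changes to security-enabled groups so they can be fed to an alerting pipeline. It assumes the ActiveDirectory RSAT module is installed and that the session can read the domain and the domain controllers' Security logs; the parameter names and the 90-day and 24-hour defaults are this example's own choices, not values from the advisory.

```powershell
# Added example, not code from the article or the CISA/FBI advisory.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain
# controllers' Security event logs. $InactiveDays and $LookbackHours are
# this script's own parameters; tune them to local policy.
param(
    [int]$InactiveDays  = 90,
    [int]$LookbackHours = 24
)

Import-Module ActiveDirectory

# --- 1. Dormant accounts ------------------------------------------------------
# Search-ADAccount evaluates lastLogonTimestamp, which replicates with up to
# roughly 14 days of slack, so the cut-off is approximate. Only enabled user
# accounts are of interest: disabled ones cannot be brute forced.
$dormant = Search-ADAccount -AccountInactive `
               -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
           Where-Object { $_.Enabled } |
           ForEach-Object {
               Get-ADUser -Identity $_.DistinguishedName `
                          -Properties LastLogonDate, PasswordLastSet
           }

"Enabled accounts inactive for more than $InactiveDays days:"
$dormant | Select-Object SamAccountName, LastLogonDate, PasswordLastSet |
           Sort-Object LastLogonDate | Format-Table -AutoSize

# Disable rather than delete: the object survives for forensics and the change
# is reversible. Drop -WhatIf once the list above has been reviewed.
$dormant | Disable-ADAccount -WhatIf

# --- 2. Changes to security-enabled groups -----------------------------------
# Windows Security log IDs: 4728/4732/4756 = member added to a security-enabled
# global/local/universal group; 4729/4733/4757 = member removed.
$groupEventIds = 4728, 4729, 4732, 4733, 4756, 4757
$since = (Get-Date).AddHours(-$LookbackHours)

# Group changes are written to the DC that processed them, so query every DC.
$events = Get-ADDomainController -Filter * | ForEach-Object {
    Get-WinEvent -ComputerName $_.HostName -FilterHashtable @{
        LogName   = 'Security'
        Id        = $groupEventIds
        StartTime = $since
    } -ErrorAction SilentlyContinue
}

# Pull the named fields out of each event's XML: TargetUserName is the group,
# MemberName the account that was added or removed, SubjectUserName the actor.
$changes = $events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        DC      = $_.MachineName
        EventId = $_.Id
        Group   = $data['TargetUserName']
        Member  = $data['MemberName']
        Actor   = $data['SubjectUserName']
    }
}

"Security-enabled group membership changes in the last $LookbackHours hours:"
$changes | Sort-Object Time | Format-Table -AutoSize
```

Run the script on a schedule and ship the `$changes` table to the SIEM; a membership change to a privileged group made by an account that the dormant-account report lists is exactly the sequence the advisory describes and should page someone.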
Poor MFA configuration policies can render authentication systems useless
CISA warns that there is no particular threat directly related to the current war in Ukraine, but that Russian hackers have been on the prowl with this approach and making use of PrintNightmare since mid-2021 and have a special focus on defense contractors and critical infrastructure companies.
Once inside systems, the attackers quietly exfiltrate confidential files and root through email accounts. CISA advises that the campaign was only detected due to the Russian hackers breaking into accounts that use “simple and predictable” passwords that were likely guessed with a basic dictionary file.