AA22-074A Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default MFA and PrintNightmare
Indicators
This STIX file provides indicators of compromise (IOCs) associated with malicious activity reported in CISA Joint Cybersecurity Advisory, AA22-074A Russian State-Sponsored Cyber Actors Gain Network Access Through Exploitation of Default MFA and PrintNightmare.
SUMMARY
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, "PrintNightmare" (CVE-2021-34527), to run arbitrary code with SYSTEM privileges. The actors were able to access Google Cloud and email accounts for document exfiltration. Any organization that leaves MFA enrollment at its default settings and has not patched CVE-2021-34527 is exposed to the same chain; in the instance known to the FBI, Russian state-sponsored cyber actors targeted an NGO using Cisco's Duo MFA and gained access to cloud and email accounts.
This advisory provides observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommendations to protect against Russian state-sponsored malicious cyber activity. FBI and CISA urge all organizations to apply the recommendations in the Mitigations section of this advisory, including the following:
• Enforce MFA and review configuration policies to protect against "fail open" and re-enrollment scenarios.
• Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
• Patch all systems. Prioritize patching for known exploited vulnerabilities.
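The first two mitigations are an operational check, so here is an added Python example (not code from the advisory or from CISA) that reconciles an Active Directory user export with an MFA provider's user export, emits the actions needed so that accounts disabled, dormant, or absent in AD are also disabled in MFA, and flags MFA device enrollments on dormant or disabled accounts, which is the re-enrollment scenario the summary describes. The two exports, the enrollment events, the 90-day dormancy window, and the CSV column names are all constructed assumptions; in practice the AD side would come from Get-ADUser/Search-ADAccount and the MFA side from the vendor's admin API.

```python
"""
Added example, not code from the advisory: reconcile account state between an
Active Directory export and an MFA provider export, and flag MFA device
enrollments on dormant or disabled AD accounts. All inputs are constructed.
"""
import csv
import io
from datetime import datetime, timedelta

INACTIVITY_DAYS = 90  # assumed dormancy threshold; use whatever your policy says

# Constructed AD export (hypothetical): sAMAccountName, Enabled, LastLogon (ISO 8601, UTC)
AD_EXPORT = """samaccountname,enabled,lastlogon
alice,True,2022-03-10T08:12:00Z
bob,True,2021-09-01T17:45:00Z
carol,False,2021-11-20T09:00:00Z
dave,True,2022-03-12T13:30:00Z
"""

# Constructed MFA user export (hypothetical): username, status
MFA_EXPORT = """username,status
alice,active
bob,active
carol,active
erin,active
"""

# Constructed MFA device-enrollment events (hypothetical): timestamp, username, device
ENROLLMENTS = [
    ("2022-03-13T02:14:00Z", "bob", "new phone"),
    ("2022-03-13T09:00:00Z", "dave", "new phone"),
]


def _ts(s):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_ad(text):
    """Map username -> {'enabled': bool, 'lastlogon': datetime}."""
    rows = {}
    for r in csv.DictReader(io.StringIO(text)):
        rows[r["samaccountname"].lower()] = {
            "enabled": r["enabled"].strip().lower() == "true",
            "lastlogon": _ts(r["lastlogon"]),
        }
    return rows


def parse_mfa(text):
    """Map username -> status string."""
    return {r["username"].lower(): r["status"].lower()
            for r in csv.DictReader(io.StringIO(text))}


def reconcile(ad, mfa, now, inactivity_days=INACTIVITY_DAYS):
    """Actions needed so that AD and MFA agree on which accounts are live.

    Returns sorted (action, user, reason) tuples. An account that is disabled
    in AD, dormant in AD, or absent from AD must not stay 'active' in MFA,
    otherwise anyone holding its password can enroll a new MFA device.
    """
    cutoff = now - timedelta(days=inactivity_days)
    actions = []
    for user, info in ad.items():
        dormant = info["lastlogon"] < cutoff
        if info["enabled"] and dormant:
            reason = f"no AD logon in {inactivity_days} days"
            actions.append(("disable_ad", user, reason))
        elif not info["enabled"]:
            reason = "disabled in AD"
        else:
            continue  # enabled and recently used: nothing to do
        if mfa.get(user) == "active":
            actions.append(("disable_mfa", user, reason))
    for user, status in mfa.items():
        if status == "active" and user not in ad:
            actions.append(("disable_mfa", user, "no matching AD account"))
    return sorted(actions)


def suspicious_enrollments(ad, events, now, inactivity_days=INACTIVITY_DAYS):
    """Flag MFA device enrollments on accounts that should not be enrolling."""
    cutoff = now - timedelta(days=inactivity_days)
    flagged = []
    for ts, user, device in events:
        info = ad.get(user.lower())
        if info is None:
            flagged.append((ts, user, "account not in AD"))
        elif not info["enabled"]:
            flagged.append((ts, user, "AD account is disabled"))
        elif info["lastlogon"] < cutoff:
            flagged.append((ts, user, "AD account is dormant"))
    return flagged


if __name__ == "__main__":
    now = _ts("2022-03-14T00:00:00Z")
    ad, mfa = parse_ad(AD_EXPORT), parse_mfa(MFA_EXPORT)
    for action in reconcile(ad, mfa, now):
        print(*action)
    for hit in suspicious_enrollments(ad, ENROLLMENTS, now):
        print("SUSPICIOUS ENROLLMENT", *hit)
```

Run on a schedule against fresh exports; the point of the "disable_mfa" actions for carol and erin is that disabling an account in AD alone leaves its MFA enrollment usable, and the flagged enrollment for bob is exactly the dormant-account re-enrollment the advisory warns about.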
For more general information on Russian state-sponsored malicious cyber activity, see CISA's Russia Cyber Threat Overview and Advisories webpage. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure as well as additional mitigation recommendations, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and CISA’s Shields Up Technical Guidance webpage.
DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is distributed as TLP:WHITE: Disclosure is not limited. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
2022-03-14T00:00:00Z
Malicious IPv4 Indicators (IP Watchlist):
• 157.230.81.39
• 173.239.198.46
• 191.96.121.162
• 45.32.137.94
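To put the watchlist to use, here is an added Python example (not from the advisory) that sweeps log lines for the four IPv4 indicators above. It extracts candidate addresses with a boundary-aware regex, validates each octet with the ipaddress module so strings like 999.1.1.1 are not matched, and reports the line number and indicator for every hit. The firewall, web-server, and sshd log lines are constructed for the example; the internal addresses, hostnames, and usernames in them are hypothetical.

```python
"""
Added example, not code from the advisory: match the AA22-074A IPv4
watchlist against log lines of mixed formats. Sample logs are constructed.
"""
import ipaddress
import re

# The four indicators listed in the advisory's IP Watchlist
IOC_IPV4 = {
    "157.230.81.39",
    "173.239.198.46",
    "191.96.121.162",
    "45.32.137.94",
}

# Dotted quad not preceded/followed by another digit or dot, so 1.2.3.4.5
# and version strings like HTTP/1.1 do not yield partial matches
IPV4_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")

# Constructed sample logs (hypothetical): iptables, Apache access log, sshd
SAMPLE_LOGS = """\
Mar 13 02:14:07 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=45.32.137.94 PROTO=TCP SPT=51234 DPT=443
Mar 13 02:14:09 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.30.41 DST=142.250.80.46 PROTO=TCP SPT=51235 DPT=443
157.230.81.39 - - [13/Mar/2022:02:15:01 +0000] "POST /owa/auth.owa HTTP/1.1" 200 512
10.20.30.42 - - [13/Mar/2022:02:15:03 +0000] "GET /index.html HTTP/1.1" 200 1024
Mar 13 02:16:22 vpn01 sshd[4412]: Accepted password for svc_backup from 191.96.121.162 port 40122 ssh2
"""


def extract_ipv4(line):
    """Return the syntactically valid IPv4 addresses found in one line."""
    found = []
    for tok in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(tok)  # rejects octets above 255
        except ValueError:
            continue
        found.append(tok)
    return found


def match_iocs(log_text, iocs=IOC_IPV4):
    """Return (line_number, indicator, line) for every watchlist hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for ip in extract_ipv4(line):
            if ip in iocs:
                hits.append((n, ip, line.strip()))
    return hits


def hit_summary(hits):
    """Count hits per indicator so a sweep can be triaged quickly."""
    counts = {}
    for _, ip, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = match_iocs(SAMPLE_LOGS)
    for n, ip, line in hits:
        print(f"line {n}: {ip} :: {line}")
    print(hit_summary(hits))
```

In a real sweep, feed it the log sources that see egress (firewall, proxy), inbound authentication (VPN, OWA, SSH), and mail gateways, and treat any hit as a lead to pivot on rather than proof by itself, since the addresses may have been reassigned since the advisory was published.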
T1047 - Windows Management Instrumentation - Execution
T1059.001 - Command and Scripting Interpreter: PowerShell - Execution
T1068 - Exploitation for Privilege Escalation - Privilege Escalation
T1112 - Modify Registry - Defense Evasion
T1003 - OS Credential Dumping - Credential Access
T1003.003 - OS Credential Dumping: NTDS - Credential Access
T1110 - Brute Force - Credential Access
T1110.001 - Brute Force: Password Guessing - Credential Access
T1018 - Remote System Discovery - Discovery
T1082 - System Information Discovery - Discovery
T1083 - File and Directory Discovery - Discovery
T1560 - Archive Collected Data - Collection
T1560.001 - Archive Collected Data: Archive via Utility - Collection
T1071 - Standard Application Layer Protocol - Command and Control