CISA, FBI Warn About Russia-Linked Hackers Exploiting MFA Settings, PrintNightmare
In a joint advisory, the agencies said that the hackers accessed a non-governmental organization's (NGO's) network by exploiting a flaw in default multi-factor authentication (MFA) settings.
The FBI observed the cyber actors exploiting MFA settings as early as May 2021, gaining access to cloud and email accounts for data exfiltration, CISA said.
According to CISA, the hackers first gained access through the NGO's Cisco MFA software, using a brute-force attack to guess account credentials, and then moved laterally through the organization's network.
Using the compromised account, the cyber actors then exploited a known Windows Print Spooler vulnerability, called "PrintNightmare", to obtain administrator privileges.
CISA said that the MFA weakness is not exclusive to Cisco's software and may be present in any MFA implementation.
The security agencies advised organizations to continue enforcing MFA for all users without exception, in addition to reviewing configuration policies.
CISA also urged organizations to implement time-out and lock-out features, uniformly disable inactive accounts, keep software up to date, ensure that account passwords are strong, continuously monitor networks for suspicious activity, and implement security alerting policies.
Due to the rise in remote work, CISA advised organizations to adopt remote work environment best practices and implement security measures for virtual private network services.
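The configuration review the agencies recommend above can be turned into a repeatable audit. The following is an added example, not code from the advisory or from any vendor: it runs over a constructed account roster and a constructed lockout policy (all names and dates hypothetical) and flags the three conditions the advisory calls out, enabled accounts without MFA, inactive accounts that are still enabled, and a missing lockout threshold.

```python
from datetime import datetime, timedelta

# Constructed sample roster; usernames and dates are hypothetical.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "mfa_enrolled": True, "last_login": "2022-03-10"},
    {"user": "bob", "enabled": True, "mfa_enrolled": False, "last_login": "2022-03-09"},
    {"user": "contractor01", "enabled": True, "mfa_enrolled": True, "last_login": "2021-06-01"},
    {"user": "svc-backup", "enabled": False, "mfa_enrolled": True, "last_login": "2021-01-15"},
]

# Constructed policies: a weak one (no lockout) beside a corrected one.
WEAK_LOCKOUT = {"threshold": 0, "window_minutes": 30, "duration_minutes": 30}
HARDENED_LOCKOUT = {"threshold": 5, "window_minutes": 30, "duration_minutes": 30}


def audit(accounts, lockout, now, inactive_days=90):
    """Return (finding, subject) tuples for the advisory's account hygiene checks."""
    findings = []
    cutoff = now - timedelta(days=inactive_days)
    for acct in accounts:
        last = datetime.strptime(acct["last_login"], "%Y-%m-%d")
        # MFA must be enforced for every enabled user, without exception.
        if acct["enabled"] and not acct["mfa_enrolled"]:
            findings.append(("mfa_not_enforced", acct["user"]))
        # Dormant accounts stay usable to an attacker unless they are disabled.
        if acct["enabled"] and last < cutoff:
            findings.append(("inactive_still_enabled", acct["user"]))
    # Without a lockout threshold, password guessing is never throttled.
    if lockout["threshold"] <= 0:
        findings.append(("no_lockout_threshold", "policy"))
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNTS, WEAK_LOCKOUT, datetime(2022, 3, 15)):
        print(*finding)
```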
Organizations should report any incident or anomalous activity to their local FBI field office or the bureau’s 24/7 CyWatch team.
Tags: CISA, cybersecurity, FBI, multi-factor authentication, PrintNightmare, Russia