News

Misconfigured Multifactor Authentication Subject to Russian Attackers

• By Kurt Mackie
• 03/15/2022

Organizations should not only use multifactor authentication (MFA), but they should also ensure that it's not misconfigured to ward off possible Russian state-sponsored attacks.

That notion was broadcast on Tuesday (here and here) by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Federal Bureau of Investigation (FBI). The agencies advised organizations to read CISA Alert AA22-074A, which described an incident dating back to May of 2021.

The information in Alert AA22-074A is apparently newly published on March 15, 2022. The lack of disclosure for almost a year wasn't explained.

MFA Misconfiguration
Alert AA22-074A describes how an alleged Russian-state attacker back in May leveraged Cisco's Duo MFA and a "misconfigured" account setting associated with "default MFA protocols" to gain a network footing and exfiltrate cloud-based e-mail services.

The attackers also used the infamous "PrintNightmare" Windows print spooler vulnerabilities as part of the attack, using them to "run arbitrary code with system privileges."

The misconfiguration issue described by CISA doesn't seem like it's a misconfiguration, but rather a problem that existed between Cisco's Duo MFA and Active Directory. The attackers first gained initial network access via brute-force guessing of an old unused user account, CISA explained:

The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.

In other words, Cisco Duo's default configuration didn't block dormant account reenrollments. Not blocking dormant accounts may be a poor security practice, but it likely can't really be said to be misconfigured if it was the default software setting.

The attackers next used the PrintNightmare vulnerability to escalate the compromised account to having administrator privileges. They were able to bypass MFA logins by "redirecting Duo MFA calls to localhost instead of the Duo server," CISA explained.

Duo MFA had a default "fail open" policy when the MFA server couldn't be reached that facilitated these attacks. However, CISA noted that "'fail open' can happen to any MFA implementation and is not exclusive to Duo."

Steps To Take
CISA and the FBI offered a short list and a long list (as found in Alert AA22-074A) of the security steps to take to thwart Russian-state attackers. Here's the short list:

• Enforce MFA for all users, without exception, and ensure it is properly configured to protect against "fail open" and re-enrollment scenarios
• Implement time-out and lock-out features
• Disable inactive accounts uniformly in active directory, MFA, etc.
• Update software, prioritizing known exploited vulnerabilities
• Monitor network logs continuously for suspicious activity
• Implement security alerting policies

The agencies recommended that "all organizations" should take "immediate action to protect against this malicious activity."

The warning is based on an old attack, but it comes in the context of the current ongoing Russian invasion and war on the Ukraine. CISA has a whole "Shields Up Technical Guidance" page that's devoted to the attacks associated with this war, which includes descriptions of the various wiper malware that's been deployed.

It also published Alert AA22-011A, updated on March 1, which lists the known software vulnerabilities currently getting exploited by Russian-state attackers.

CISA also announced on Tuesday that it has updated its "Known Exploited Vulnerabilities Catalog," adding 15 new software flaws. Most of them are previously disclosed Windows flaws from 2019.