The FBI reveals that Russian state-sponsored hackers gained access to a non-governmental organization's (NGO) cloud environment by registering their own device in the organization's Duo MFA system, exploiting the system's default multifactor authentication (MFA) configuration. They obtained their initial foothold with credentials recovered through brute-force password guessing against a dormant account that had been un-enrolled from Duo but had not yet been deactivated in the organization's Active Directory.
“As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,” the federal agencies clarified. “The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory.”
After altering a file on a domain controller, the actors disabled MFA enforcement by redirecting all Duo MFA requests to localhost instead of the Duo server. With the MFA service unreachable, authentication was no longer blocked, which allowed them to log in to the NGO's virtual private network (VPN) as non-administrator users, use Remote Desktop Protocol (RDP) to reach Windows domain controllers, and harvest passwords for additional domain accounts.
With MFA out of the way, the Russian-backed threat actors were able to use these compromised accounts to move laterally, access cloud storage and email accounts, and exfiltrate data. In a joint cybersecurity advisory issued recently, the FBI and CISA urged all organizations to implement the following mitigations:
- Enforce MFA and evaluate configuration policies to avoid “fail open” and re-enrollment scenarios.
- Ensure that inactive accounts are deactivated consistently in the Active Directory and MFA systems.
- Patch all systems, prioritizing known exploited vulnerabilities.
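The first two mitigations boil down to one reconciliation: every account that is still enabled in Active Directory must also have a live, enforced MFA enrollment, and every account dormant long enough to be un-enrolled from MFA must be disabled in AD at the same time. The script below is an added example written for this page, not code from the article, the advisory or Duo; the AD and MFA exports, the `NOW` timestamp, the 90-day dormancy threshold and the MFA status vocabulary (`active`, `bypass`, `disabled`, `not-enrolled`) are all constructed, not the providers' exact field names.

```python
"""
Added example: reconcile an AD account export with an MFA enrollment export
and flag the gap the article describes (enabled in AD, lapsed in MFA).
All data below is constructed; status names are an assumed vocabulary.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Fixed "now" so the example is deterministic; a real run would use datetime.now(timezone.utc).
NOW = datetime(2022, 3, 15, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold


@dataclass
class AdAccount:
    sam: str
    enabled: bool
    last_logon: Optional[datetime]   # None = never logged on


@dataclass
class MfaUser:
    username: str
    status: str      # assumed vocabulary: active | bypass | disabled | not-enrolled
    devices: int     # number of enrolled authenticators


# Constructed AD export (what Get-ADUser / Search-ADAccount would give you).
AD_EXPORT: List[AdAccount] = [
    AdAccount("alice", True, NOW - timedelta(days=3)),
    AdAccount("bob", True, NOW - timedelta(days=200)),    # dormant, still enabled
    AdAccount("carol", True, NOW - timedelta(days=10)),
    AdAccount("dave", False, NOW - timedelta(days=400)),  # properly disabled
    AdAccount("erin", True, None),                        # never logged on
]

# Constructed MFA export keyed by username; "erin" has no MFA record at all.
MFA_EXPORT: Dict[str, MfaUser] = {
    "alice": MfaUser("alice", "active", 1),
    "bob": MfaUser("bob", "not-enrolled", 0),   # un-enrolled after inactivity
    "carol": MfaUser("carol", "bypass", 1),     # MFA bypass flag set
    "dave": MfaUser("dave", "disabled", 0),
}


def is_dormant(acct: AdAccount, now: datetime = NOW, threshold: timedelta = DORMANT_AFTER) -> bool:
    """An account with no logon, or none within the threshold, is dormant."""
    return acct.last_logon is None or now - acct.last_logon > threshold


def find_gaps(ad: List[AdAccount], mfa: Dict[str, MfaUser], now: datetime = NOW) -> List[Tuple[str, List[str]]]:
    """Return (account, reasons) for every enabled AD account in a risky MFA state."""
    findings = []
    for acct in ad:
        if not acct.enabled:
            continue   # disabled in AD: the credential cannot be used, nothing to flag
        rec = mfa.get(acct.sam)
        reasons = []
        # No MFA record, un-enrolled, or zero devices: a new device could be
        # enrolled by whoever holds the password (the article's scenario).
        if rec is None or rec.status == "not-enrolled" or rec.devices == 0:
            reasons.append("enabled-in-ad-but-no-mfa-enrollment")
        if rec is not None and rec.status == "bypass":
            reasons.append("mfa-bypass-enabled")
        if is_dormant(acct, now):
            reasons.append("dormant-but-enabled")
        if reasons:
            findings.append((acct.sam, reasons))
    return findings


def disable_candidates(findings: List[Tuple[str, List[str]]]) -> List[str]:
    """Accounts that should be disabled in AD and MFA together, per the advisory."""
    return [name for name, reasons in findings if "dormant-but-enabled" in reasons]


if __name__ == "__main__":
    gaps = find_gaps(AD_EXPORT, MFA_EXPORT)
    for name, reasons in gaps:
        print(f"{name}: {', '.join(reasons)}")
    print("disable in both systems:", disable_candidates(gaps))
```

The important design choice is that dormancy is decided from the AD side and then applied to both systems in one step; the article's victim account shows what happens when the MFA provider and the directory age out accounts independently, leaving a password-only account that anyone who guesses the password can re-enroll.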
In the joint advisory, the two agencies also released details of the tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and guidance for preventing this hostile activity. Previous joint alerts warned of Russian state hackers targeting and compromising US defense contractors working for the US Army, Air Force, Navy, Space Force, and Department of Defense and intelligence programs.
Russian cyber groups such as APT29, APT28, and the Sandworm Team have also attacked critical infrastructure companies in the United States. In July 2021, the US government offered a $10 million reward for information on hostile operations orchestrated by state hackers against critical infrastructure networks.