Russian State-Sponsored Cyber Actors Exploit Unpatched Vulnerabilities and Poor Deprovisioning Hygiene

MARCH 16, 2022 23:15 GMT

Heightened awareness of Russian cyberattacks stemming from the war in Ukraine is necessitating a closer look at preventable attack chains that leverage exploits for common, unpatched vulnerabilities combined with poor user account deprovisioning practices.

CISA has issued a joint cybersecurity advisory detailing one such attack that seems obvious and highly preventable but provides good evidence that the attack chain is effective and could be used during tensions between Russia and NATO.

We advise administrators to ensure the “PrintNightmare” and any other known vulnerabilities are patched in affected systems and to audit handling of expired accounts and excessive login attempts. See below for recommendations and best practices.

What’s the nature of this activity?

According to CISA: “as early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a [unspecified] non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527) to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.”

CISA’s advisory provides references to the detailed tactics and techniques as catalogued by the MITRE ATT&CK framework.

Technical details

This attack is particularly well-documented such that it makes all the components of the attack chain seem like a simple Lego assembly manual. The sequence of this studied attack is:

1. Gained initial access to the victim organization via compromised credentials (brute forced password)
2. Enrolled a device in the organization’s Duo MFA. The victim account had been unenrolled from Duo due to a long period of inactivity but was not disabled in Active Directory.
3. Using the compromised account, actors performed privilege escalation via exploitation of the “PrintNightmare” vulnerability to gain admin
4. Modified a domain controller file, c:\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost instead of the Duo server. This caused MFA to “fail open,” effectively disabling it. This is a common default behavior not limited to Duo.
5. Authenticated to the victim VPN as non-administrator users and made RDP connections to Windows domain controllers where they ran commands to obtain credentials for additional domain accounts.
6. Moved laterally to the victim’s cloud storage and email accounts to access desired content.

IOCs

These common native Windows executables were used. Since their presence is legitimate for many use cases, accurate use as indicators will require correlation with other IOCs of malicious activity.

• ping.exe – A core Windows process used to probe network connectivity to a remote host and for network discovery
• regedit.exe – Windows built-in registry editor
• rar.exe – Compression, encryption, and archiving tool
• ntdsutil.exe – A command-line tool for Active Directory Domain Services. Lilkely used to enumerate Active Directory user accounts

IP addresses associated with this activity:

• 45.32.137[.]94
• 191.96.121[.]162
• 173.239.198[.]46
• 157.230.81[.]39 

As in #4 in the above Technical Details section, c:\windows\system32\drivers\etc\hosts was modified to prevent communication with the Duo MFA server:

• 127.0.0.1 api-<redacted>.duosecurity.com 

How can I protect against this type of attack?

Luckily, this type of activity is pretty cut and dried, from the initial vectors and entry point to the behavior observed once the threat actors gained access. The mitigation to protect against this exact attack and others of a similar design are fairly simple and fall under common cybersecurity best practices. See the CISA advisory under the Mitigation section for additional details:

1. Enforce MFA for all users, without exception. Review configuration policies to protect against “fail open” and re-enrollment scenarios.
2. Implement timeout and lockout features in response to repeated failed login attempts.
3. Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems etc.
4. Update all software and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
5. Require all accounts with password logins to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
6. Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.
7. Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit, etc.).

Resources

• “CISA and FBI warning: Hackers used these tricks to dodge multi-factor authentication and steal email from NGO”
  https://www.zdnet.com/article/cisa-and-fbi-warning-hackers-used-these-tricks-to-dodge-multi-factor-authentication-and-steal-email/
  
• “Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and ‘PrintNightmare’ Vulnerability”
  https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
  
• “FBI warns of MFA flaw used by state hackers for lateral movement”
  https://www.bleepingcomputer.com/news/security/fbi-warns-of-mfa-flaw-used-by-state-hackers-for-lateral-movement/