Russian threat actors leveraging misconfigured multifactor authentication to exploit PrintNightmare vulnerability

Threat Level – Amber | Vulnerability Report

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert warning enterprises that Russian state-sponsored cyber attackers have obtained network access by exploiting default MFA protocols together with a known vulnerability.

Russian state-sponsored cyber attackers gained initial access to the target organization by using compromised credentials and registering a new device in the organization’s Duo multi-factor authentication (MFA). The actors obtained the credentials through a brute-force password guessing attack, which gave them access to a victim account protected by a basic, predictable password. The victim account had been unenrolled from Duo after a long period of inactivity, but it had not been deactivated in Active Directory. Because Duo’s default configuration allows a new device to be re-enrolled for an inactive account, the actors were able to enroll their own device for this account, satisfy the authentication requirements, and gain access to the victim network. Using the stolen account, the attackers then obtained administrator rights by exploiting the “PrintNightmare” vulnerability (CVE-2021-34527). Finally, they moved laterally to the victim’s cloud storage and email accounts to collect the material they were after.

Organizations can apply the following mitigations:

- To prevent “fail open” and re-enrollment scenarios, enforce MFA and review configuration restrictions.
- Ensure that inactive accounts are deactivated consistently across Active Directory, MFA systems, and other systems.
- Update software such as operating systems, applications, and hardware on a regular basis.
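The lifecycle gap at the heart of this incident (an account auto-unenrolled from MFA after inactivity but left enabled in Active Directory) is something a defender can check for directly. The following is an added example, not code from the advisory or from Duo; it reconciles a constructed AD export against a constructed Duo user list and a few constructed enrollment events. The record shapes (`AdUser`, `DuoUser`, the event dicts) and the 90-day threshold are assumptions chosen for illustration, not the real Duo Admin API.

```python
"""Reconcile Active Directory and Duo account state to catch the gap described
in the advisory: an account unenrolled from MFA after inactivity but never
disabled in AD, which the default Duo policy lets anyone re-enroll.

Added example. All input data below is constructed in-line; the record shapes
are assumptions, not Duo's or Microsoft's real API objects.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90  # assumed policy threshold; tune to your own standard


@dataclass(frozen=True)
class AdUser:
    sam: str
    enabled: bool
    last_logon: datetime


@dataclass(frozen=True)
class DuoUser:
    username: str
    status: str   # assumed Duo-style user status, e.g. "active" or "disabled"
    phones: int   # number of enrolled devices; 0 means unenrolled


def is_inactive(user: AdUser, now: datetime, days: int = INACTIVITY_DAYS) -> bool:
    """True when the account has not logged on within the inactivity window."""
    return now - user.last_logon > timedelta(days=days)


def find_lifecycle_gaps(ad_users, duo_users, now, days=INACTIVITY_DAYS):
    """Return {sam: [finding, ...]} for accounts whose state disagrees across AD and Duo."""
    duo_by_name = {u.username.lower(): u for u in duo_users}
    findings = {}
    for ad in ad_users:
        issues = []
        duo = duo_by_name.get(ad.sam.lower())
        if ad.enabled and is_inactive(ad, now, days):
            issues.append("inactive but still enabled in AD")
            if duo is None or duo.phones == 0:
                # The exact condition abused in the advisory: AD still live, no MFA
                # device, so a guessed password plus self-enrollment passes MFA.
                issues.append("no Duo device enrolled: eligible for re-enrollment")
        if not ad.enabled and duo is not None and duo.status != "disabled":
            issues.append("disabled in AD but not disabled in Duo")
        if issues:
            findings[ad.sam] = issues
    return findings


def suspicious_enrollments(events, ad_users, now, days=INACTIVITY_DAYS):
    """Flag MFA device enrollments performed by accounts already inactive in AD."""
    ad_by_name = {u.sam.lower(): u for u in ad_users}
    hits = []
    for ev in events:
        if ev["action"] != "enrollment":
            continue
        ad = ad_by_name.get(ev["user"].lower())
        if ad is not None and is_inactive(ad, now, days):
            hits.append(ev["user"])
    return hits


# Constructed sample data (not real accounts or logs).
NOW = datetime(2022, 3, 15, tzinfo=timezone.utc)

AD_USERS = [
    AdUser("jdoe", True, NOW - timedelta(days=3)),          # healthy, recently used
    AdUser("stale.svc", True, NOW - timedelta(days=200)),   # the advisory's pattern
    AdUser("former.emp", False, NOW - timedelta(days=400)), # offboarded in AD only
]
DUO_USERS = [
    DuoUser("jdoe", "active", 1),
    DuoUser("stale.svc", "active", 0),   # auto-unenrolled, Duo user still "active"
    DuoUser("former.emp", "active", 1),  # never disabled on the MFA side
]
EVENTS = [
    {"user": "jdoe", "action": "login"},
    {"user": "stale.svc", "action": "enrollment"},  # new device on a dormant account
]

if __name__ == "__main__":
    for sam, issues in find_lifecycle_gaps(AD_USERS, DUO_USERS, NOW).items():
        print(f"{sam}: {'; '.join(issues)}")
    print("suspicious enrollments:", suspicious_enrollments(EVENTS, AD_USERS, NOW))
```

In practice the two input lists would come from an AD query of `lastLogonTimestamp`/`userAccountControl` and from the MFA provider's user export; the reconciliation logic stays the same. Running the check on a schedule, and alerting on any `enrollment` event for an account that is already past the inactivity window, covers both of the first two mitigations above.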

The MITRE ATT&CK tactics and techniques used in the current attack are:

- TA0001 – Initial Access
- TA0003 – Persistence
- TA0004 – Privilege Escalation
- TA0005 – Defense Evasion
- TA0006 – Credential Access
- TA0007 – Discovery
- TA0008 – Lateral Movement
- TA0009 – Collection
- T1078: Valid Accounts
- T1133: External Remote Services
- T1556: Modify Authentication Process
- T1068: Exploitation for Privilege Escalation
- T1112: Modify Registry
- T1110.001: Brute Force: Password Guessing
- T1003.003: OS Credential Dumping: NTDS
- T1018: Remote System Discovery
- T1560.001: Archive Collected Data: Archive via Utility

Vulnerability Details

Indicators of Compromise (IoCs)

Patch Link
