The FBI says Russian state-backed hackers gained access to a non-governmental organization's (NGO) cloud after exploiting misconfigured default multifactor authentication (MFA) protocols to enroll their own device in the organization's Duo MFA.
To breach the network, they used credentials compromised in a brute-force password guessing attack to access an un-enrolled and inactive account, not yet disabled in the organization's Active Directory.
"As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network," the federal agencies explained.
"The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory."
The next step was to disable the MFA service: by modifying a domain controller file, the attackers redirected all Duo MFA calls to localhost instead of the Duo server.
This allowed them to authenticate to the NGO's virtual private network (VPN) as non-administrator users, connect to Windows domain controllers via Remote Desktop Protocol (RDP), and obtain credentials for other domain accounts.
With the help of these compromised accounts and without MFA enforced, the Russian-backed threat actors could move laterally and gain access to the cloud storage and email accounts and exfiltrate data.
The FBI and CISA urged all organizations today in a joint cybersecurity advisory to apply the following mitigation measures:
- Enforce MFA and review configuration policies to protect against "fail open" and re-enrollment scenarios.
- Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
- Patch all systems. Prioritize patching for known exploited vulnerabilities.
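The second mitigation can be checked by reconciling a directory export against an MFA enrollment export. The sketch below is an added example, not code from the advisory or from Duo; the CSV column names, the sample rows and the 90-day idle threshold are assumptions. It flags accounts that are still enabled in Active Directory but are dormant, have no MFA enrollment, or both, which is the combination described in the incident.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample exports; the column names are assumptions, not a vendor format.
AD_EXPORT = """sam_account_name,enabled,last_logon
alice,True,2022-03-10T08:15:00+00:00
bob,True,2021-06-01T12:00:00+00:00
carol,False,2020-11-20T09:30:00+00:00
dave,True,
erin,True,2022-03-12T10:00:00+00:00
frank,True,2021-09-01T07:45:00+00:00
"""
MFA_EXPORT = """username,status
alice,enrolled
carol,unenrolled
frank,enrolled
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_reenrollment_risks(ad_text, mfa_text, now, max_idle_days=90):
    """Flag enabled AD accounts that are dormant and/or have no MFA enrollment."""
    enrolled = {r["username"].strip().lower() for r in _rows(mfa_text)
                if r["status"].strip().lower() == "enrolled"}
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in _rows(ad_text):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled in AD, so it cannot be used to log in
        user = row["sam_account_name"].strip().lower()
        last = (row["last_logon"] or "").strip()
        # An empty last_logon means the account has never been used.
        dormant = not last or datetime.fromisoformat(last) < cutoff
        unenrolled = user not in enrolled
        if not (dormant or unenrolled):
            continue
        # Enabled + dormant + unenrolled is the state the advisory describes.
        severity = "high" if dormant and unenrolled else "medium"
        findings.append({"user": user, "dormant": dormant,
                         "unenrolled": unenrolled, "severity": severity})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["user"]))

if __name__ == "__main__":
    now = datetime(2022, 3, 15, tzinfo=timezone.utc)
    for finding in find_reenrollment_risks(AD_EXPORT, MFA_EXPORT, now):
        print(finding)
```

Accounts reported as "high" are candidates for disabling in the directory; "medium" findings need either enrollment or a review of why the account is idle.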
"Every organization should enforce MFA for all employees and customers, and every user should sign up for MFA when available," CISA added.
"Organizations that implement MFA should review default configurations and modify as necessary, to reduce the likelihood that a sophisticated adversary can circumvent this control."
The two federal agencies shared additional information on the tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommendations to protect against this malicious activity in the joint advisory.
Previous joint advisories also warned of Russian state hackers targeting and compromising US defense contractors supporting the US Army, US Air Force, US Navy, US Space Force, and DoD and Intelligence programs.
Russian hacking groups, including APT29, APT28, and the Sandworm Team, have also targeted organizations from US critical infrastructure sectors.
In July 2021, the US government also announced a reward of up to $10 million for information on malicious activities coordinated by state hackers targeting critical infrastructure networks.