Friday, March 29, 2024

FBI Warns that Hackers Gain Network Access by Exploiting MFA and “PrintNightmare” Vulnerability

The CSA and FBI have collaboratively conducted various types of analysis over hacking activity. There have been speculations on Russian State-Sponsored threat actors and their targets over Ukraine and other parts of the world.

Recently, they have exploited an NGO that was using Cisco’s Duo MFA which had enabled access to cloud and email accounts for stealing documents.

The FBI has also listed the steps to mitigate, Techniques, tactics and Procedures, Indicators of Compromise that can be used to protect against Russian State-Sponsored Hackers.

How did they exploit it?

In early May 2021, the FBI noted that the Russian State-Sponsored hackers were targeting an NGO and exploited a flaw in that system relating to MFA and to move inside the network.

The Hackers initially gained access to the network via compromised credentials. Later, they enrolled in a new device for the compromised account. Hackers were using Brute force techniques to extract credentials of an account. Accounts with very simple and predictable passwords were compromised. 

Due to long inactivity on the compromised account, MFA is disabled and especially the accounts were not removed from the active directory. Hackers leveraged these accounts and took over them. 

For privilege escalation, they used a known vulnerability called “PrintNightmare” and gained access to the system.

After escalating privileges, they managed to change the C:\windows\system32\drivers\etc\hosts file to modify MFA. They redirected the hosts’ file and changed the Duo Server IP to localhost.

This prevented the validation of devices associated with the accounts. Another interesting thing is, Duo has a default value as “Fail Open”. This has disabled MFA authentication for the device while connecting to VPN. 

Once they got access to the Virtual Private Network, they used Remote Desktop Protocol to connect to Windows Domain Controller. They used these accounts to move laterally around the organisation. 

Indicators of Compromise

The following processes might indicate that the systems can be compromised.

  • ping[.]exe
  • regedit[.]exe
  • rar[.]exe
  • ntdsutil[.]exe

Hosts file modifications include 

127.0.0.1 api-<redacted>.duosecurity[.]com 

The following IP addresses were identified that were used by the threat actors.

  • 45.32.137[.]94
  • 191.96.121[.]162
  • 173.239.198[.]46
  • 157.230.81[.]39 

Mitigations

The FBI has posted the complete steps to mitigate and check for compromised accounts. Some of them are 

  • Enabling MFA to all the users as soon as possible
  • Configure new policies for “fail open”
  • Ensure to remove all the accounts that are presumed deactivated.
  • Update all the software and patches
  • Monitor for suspicious log 
  • Not letting employees use the same login credentials to many accounts.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles