CISA: Fix MFA and Patch Promptly to Stop Russian Attackers

The US authorities have issued a new alert warning of Russian state-backed malicious activity involving exploiting a well-known bug in Windows Print Spooler discovered last year.

The US Cybersecurity and Infrastructure Security Agency (CISA) explained that Russian actors had been spotted exploiting the PrintNightmare bug (CVE-2021-34527) back in May 2021, targeting an unnamed NGO.

This was part of an attack chain that began when they exploited a misconfigured account set to default multi-factor authentication (MFA) protocols, allowing them to enroll a new device for MFA and access the victim’s network.

PrintNightmare then enabled the attackers to run arbitrary code with system privileges and subsequently access cloud and email accounts for document exfiltration.

The alert lists multiple mitigations that CISA urges all organizations to apply, including enforcing MFA and reviewing configuration policies to protect against “fail open” and re-enrollment scenarios.

It also asks organizations to make sure inactive accounts are disabled across Active Directory and MFA systems and that patches are prioritized for known exploited vulnerabilities.

“At CISA, we are great believers in MFA. It remains one of the most effective measures individuals and organizations can take to reduce their risk to malicious cyber activity. This advisory demonstrates the imperative that organizations configure MFA properly to maximize effectiveness,” said CISA director Jen Easterly.

“Now, more than ever, organizations must put their shields up to protect against cyber-intrusions, which means applying the mitigations in this advisory including enforcing MFA for all users without exception, patching known exploited vulnerabilities, and ensuring MFA is implemented securely.”

The PrintNightmare zero-day was first revealed accidentally by Chinese researchers in July 2021. It’s a remote code execution vulnerability that exists when the Windows Print Spooler service improperly performs privileged file operations, enabling attackers to run arbitrary with system privileges.

Leave a Reply