On March 15, 2022, the Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert (AA22-074A) titled “Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and ‘PrintNightmare’ Vulnerability.”
According to the alert, as early as May 2021, Russian state-sponsored cyber actors took advantage of an inactive account left in the default MFA configuration at a non-governmental organization (NGO), obtained its credentials through a brute-force password-guessing attack, and used the compromised account to enroll a new device for MFA and access the victim network.
Once they held the compromised credentials and an MFA-enrolled device, the actors escalated privileges by exploiting an existing critical Windows Print Spooler vulnerability, dubbed “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges and move laterally across the organization. “Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration,” according to alert AA22-074A.
At the beginning of the Russian invasion of Ukraine, Russian state-sponsored actors focused on Ukraine’s government and critical infrastructure. In the last week, however, we’ve seen a growing trend of attacks on manufacturing. The two most notable examples include ransomware attacks on Bridgestone Americas and a suspected cyberattack on Japan-based Toyota plants the same day Japan joined western countries in restricting transactions with the Central Bank of the Russian Federation. Cyberattacks have become so common that CISA has implemented a “SHIELDS UP” advisory providing updates on how Russia’s ongoing actions are impacting organizations beyond the immediate warzone along with guidance for preventing cyberattacks.
This latest Russian state-sponsored attack neither relied on previously unknown zero-day vulnerabilities nor particularly sophisticated means to infiltrate the NGO.
Once the account was compromised, the attackers executed various processes. They used ping.exe for network discovery and regedit.exe to edit the local Windows registry. Once they identified information of interest, they used rar.exe to archive it. They may also have used ntdsutil.exe to enumerate Active Directory user accounts, and they modified the Windows hosts file to prevent further communication with the Duo MFA server.
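The hosts-file modification above is one of the few host-level artifacts in this intrusion that a defender can check for directly. The following Python script is an added example for this post (it is not Armis or CISA code): it parses a hosts file, flags any entry that overrides a watched authentication domain, and separately flags any non-localhost name resolved to loopback or another unroutable address. The sample file contents, the "api-0123abcd" Duo hostname label and the example-idp.com domain are constructed for the example; only duosecurity.com is Duo's real API domain.

```python
import ipaddress

# Constructed sample of a Windows hosts file; not the contents of any real
# victim system.  The last three active lines mimic the tactic described
# above: resolving an MFA provider's hostname to loopback so the MFA check
# can never reach its server.  "api-0123abcd" is a hypothetical Duo API host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
10.0.0.5     intranet.example.local
127.0.0.1    api-0123abcd.duosecurity.com    # hypothetical Duo API host
0.0.0.0      login.example-idp.com
127.0.0.1    updates.example.com
"""

# Domains whose override in the hosts file should always be investigated.
# duosecurity.com is Duo's API domain; example-idp.com is an assumption.
WATCHED_DOMAINS = ("duosecurity.com", "example-idp.com")

# Addresses that make a name unreachable: loopback and the "this network" block.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/8", "::1/128")]


def is_sinkhole(addr: str) -> bool:
    """True if addr is loopback/unroutable, i.e. mapping a name to it blocks the name."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in SINKHOLE_NETS)


def parse_hosts(text: str):
    """Yield (ip, hostname) for every active mapping; comments are stripped
    and a single line may map several hostnames to one address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name.lower()


def find_suspicious_entries(text: str, watched=WATCHED_DOMAINS):
    """Return (ip, hostname, reason) for entries that override a watched
    authentication domain, or that sinkhole any non-localhost name."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append((ip, name, "authentication domain overridden in hosts file"))
        elif is_sinkhole(ip):
            findings.append((ip, name, "hostname sinkholed to loopback/unroutable address"))
    return findings


if __name__ == "__main__":
    # On a live Windows host read r"C:\Windows\System32\drivers\etc\hosts" instead.
    for ip, name, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<12} {name:<32} {reason}")
```

Run periodically (or on file-change events for the hosts file) and alert on any non-empty result; a watched authentication domain should never be resolved locally, whatever address it points to.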
The CISA alert also identified the following device IP addresses used by the actors:
Attackers have taken notice of critical infrastructure and industrial sectors due to a combination of unique challenges including:
As part of the joint alert, the FBI and CISA urged organizations to be aware that state-sponsored actors will continue to exploit default MFA protocols and unpatched vulnerabilities like PrintNightmare. They also outlined steps organizations should take to mitigate the risk of these cyberattacks, including:
State-sponsored attackers are looking at the entire landscape of assets (OT, IT, IoT, IoMT, and IIoT) and identifying the weakest points to infiltrate and move laterally across an organization. For organizations to respond effectively to the increasing attack surface cybercriminals and state-sponsored actors are exploiting, they need:
a) Armis customers can identify, prioritize, and take action on all of the assets currently vulnerable to PrintNightmare. The following query identifies all assets specifically vulnerable to CVE-2021-1675 and includes recommendations for remediation.
in:devices vulnerabilities:(id:CVE-2021-1675)
b) By integrating Armis with Active Directory, organizations can also identify and create alerts on brute-force password attempts used to obtain credentials. Organizations can query Active Directory for any devices whose bad-password count has reached 10.
in:devices dataSource:(name:"Active Directory") adBadPasswordCount:(10)
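For teams without that integration, the same detection can be run over failed-logon telemetry. The Python below is an added example for this post, not Armis or Active Directory code: it reads failed-logon records (one per Windows Security event 4625) and flags any account that accumulates 10 or more failures inside a sliding time window, so that ten typos spread over a month are not mistaken for the brute-force guessing described above. The records, account names, source addresses and the 30-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD_THRESHOLD = 10        # same threshold as the Armis query above
WINDOW = timedelta(minutes=30)     # assumption: a lockout-style observation window

# Constructed sample of failed-logon records (one per Windows Security event
# 4625) in the form "timestamp,account,source_ip".  Not real telemetry.
_base = datetime(2021, 5, 2, 1, 0, 0)
_lines = []
for i in range(12):   # 12 failures in 12 minutes against a dormant service account
    _lines.append(f"{(_base + timedelta(minutes=i)).isoformat()},svc-backup,203.0.113.7")
for i in range(3):    # a user who mistyped a few times: benign
    _lines.append(f"{(_base + timedelta(hours=2, minutes=i)).isoformat()},jdoe,10.0.0.21")
for i in range(10):   # 10 failures spread over 10 hours: below the windowed threshold
    _lines.append(f"{(_base + timedelta(hours=i)).isoformat()},asmith,10.0.0.33")
SAMPLE_FAILED_LOGONS = "\n".join(_lines)


def parse_records(text):
    """Yield (timestamp, account, source_ip) from the CSV-style records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src = line.strip().split(",")
        yield datetime.fromisoformat(ts), account.lower(), src


def find_brute_force(text, threshold=BAD_PASSWORD_THRESHOLD, window=WINDOW):
    """Return {account: (failures, [source_ips])} for every account that has
    `threshold` or more failed logons within any interval of length `window`.
    The count reported is the largest such window seen for that account."""
    per_account = defaultdict(list)
    for ts, account, src in parse_records(text):
        per_account[account].append((ts, src))

    hits = {}
    for account, events in per_account.items():
        events.sort()                      # chronological; tuples sort by timestamp first
        start = 0
        for end in range(len(events)):
            # Advance the window's left edge until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and n > hits.get(account, (0, []))[0]:
                sources = sorted({s for _, s in events[start:end + 1]})
                hits[account] = (n, sources)
    return hits


if __name__ == "__main__":
    for account, (n, sources) in find_brute_force(SAMPLE_FAILED_LOGONS).items():
        print(f"{account}: {n} failed logons within {WINDOW} from {', '.join(sources)}")
```

The window is the part worth tuning: AD's own badPwdCount is reset by a successful logon and by the lockout observation window, so a detector that ignores time will both over-alert on long-lived accounts and under-alert on slow guessing; pair the threshold with whatever reset policy the domain actually enforces.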
c) Organizations can also create automated policies to alert and/or take action using their existing infrastructure and tooling. The Armis Policy Library includes 100+ templates that an organization can add for vulnerabilities and exploit attempts like PrintNightmare.
3. Teams rely on continuous threat detection with full asset context to speed up incident response times. Organizations can search, alert, and take action on all of their assets that have communicated with the IP addresses outlined in the CISA joint alert. Armis customers can use this query:
in:ipConnections endpointA:(address:45.32.137.94,191.96.121.162,173.239.198.46,157.230.81.39)
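The same sweep expressed without the Armis platform, as an added example for this post (not Armis or CISA code): the script matches flow records against the four addresses from the query above, records which internal host talked to which indicator and in which direction, and rolls the hits up per host with the outbound byte count, since the alert describes these actors exfiltrating documents. It generalizes slightly by accepting CIDR networks as indicators as well as single addresses. The flow records, internal addresses and ports are constructed; only the four indicator addresses come from the alert.

```python
import ipaddress
from collections import defaultdict

# IP addresses listed in the CISA joint alert AA22-074A, as used in the Armis
# query above.  Entries may also be CIDR networks; these four are single hosts.
ALERT_IOCS = [ipaddress.ip_network(a) for a in (
    "45.32.137.94", "191.96.121.162", "173.239.198.46", "157.230.81.39")]

# Constructed sample of flow records, "timestamp,src_ip,dst_ip,dst_port,bytes".
# Not real telemetry; 10.0.0.0/8 plays the internal network.
SAMPLE_FLOWS = """\
2022-03-10T08:01:00,10.0.0.21,198.51.100.9,443,5120
2022-03-10T08:02:30,10.0.0.44,45.32.137.94,443,88210
2022-03-10T08:03:10,157.230.81.39,10.0.0.44,3389,920
2022-03-10T08:04:00,10.0.0.21,10.0.0.5,445,2048
2022-03-10T08:05:00,10.0.0.44,191.96.121.162,443,2300000
"""


def matching_ioc(addr, iocs=ALERT_IOCS):
    """Return the indicator (as a string) that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in iocs:
        if ip in net:
            # Report single-host indicators without the /32 suffix.
            return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    return None


def parse_flows(text):
    """Yield (timestamp, src, dst, dst_port, bytes) per record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.strip().split(",")
        yield ts, src, dst, int(port), int(nbytes)


def find_ioc_flows(text, iocs=ALERT_IOCS):
    """Return one dict per flow that touches an indicator on either side,
    naming the internal host and whether the indicator was source or destination."""
    hits = []
    for ts, src, dst, port, nbytes in parse_flows(text):
        ioc = matching_ioc(src, iocs)
        if ioc is not None:
            hits.append({"time": ts, "host": dst, "ioc": ioc, "direction": "inbound",
                         "port": port, "bytes": nbytes})
            continue
        ioc = matching_ioc(dst, iocs)
        if ioc is not None:
            hits.append({"time": ts, "host": src, "ioc": ioc, "direction": "outbound",
                         "port": port, "bytes": nbytes})
    return hits


def triage_summary(hits):
    """Roll hits up per internal host: indicators seen, bytes sent to them,
    and the earliest contact, which is the list incident response starts from."""
    per_host = defaultdict(lambda: {"iocs": set(), "bytes_out": 0, "first_seen": None})
    for h in hits:
        s = per_host[h["host"]]
        s["iocs"].add(h["ioc"])
        if h["direction"] == "outbound":
            s["bytes_out"] += h["bytes"]
        if s["first_seen"] is None or h["time"] < s["first_seen"]:
            s["first_seen"] = h["time"]
    return {host: {"iocs": sorted(s["iocs"]), "bytes_out": s["bytes_out"],
                   "first_seen": s["first_seen"]} for host, s in per_host.items()}


if __name__ == "__main__":
    for host, s in triage_summary(find_ioc_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: first contact {s['first_seen']}, {s['bytes_out']} bytes out to {s['iocs']}")
```

Matching on both endpoints matters: the Armis query above checks endpointA, and an inbound RDP attempt from an indicator and an outbound upload to one are two halves of the same story about the same internal host.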
If you are not an Armis customer, we can still help. We offer a free Quick Asset Visibility Assessment using the Armis platform to help you find and identify assets vulnerable to PrintNightmare. Our platform works with your existing infrastructure to ensure you have a complete, real-time asset inventory you can rely on.
Given the current geopolitical situation and fast-evolving threat landscape, asset visibility has never been more important. Armis can help you start seeing more with less effort.
Let an Armis expert help you get started in as little as 30 minutes.