Apr 26, 2022

Russian state-sponsored cyberattacks: what you need to know about CISA Alert (AA22-074A)


On March 15, 2022, the Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert (AA22-074A) titled “Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and ‘PrintNightmare’ Vulnerability.”

What happened?

According to the alert, as early as May 2021, Russian state-sponsored cyber actors took advantage of an inactive account at a non-governmental organization (NGO) that had been left with a default MFA configuration. They obtained the account's password through a brute-force password-guessing attack, used the compromised account to enroll a new device for MFA, and then accessed the victim network.

Once the attackers had the compromised credentials and an MFA enrollment of their own, they escalated privileges using an existing critical Windows Print Spooler vulnerability, dubbed “PrintNightmare” (CVE-2021-34527), to run arbitrary code with SYSTEM privileges and move laterally across the organization. “Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration,” according to alert AA22-074A.

A troubling trend of state-sponsored cyberattacks

At the beginning of the Russian invasion of Ukraine, Russian state-sponsored actors focused on Ukraine’s government and critical infrastructure. In the last week, however, we have seen a growing trend of attacks on manufacturing. The two most notable examples are ransomware attacks on Bridgestone Americas and a suspected cyberattack on Japan-based Toyota plants on the same day Japan joined Western countries in restricting transactions with the Central Bank of the Russian Federation. Cyberattacks have become so common that CISA has launched its “SHIELDS UP” advisory, which provides updates on how Russia’s ongoing actions are affecting organizations beyond the immediate war zone, along with guidance for preventing cyberattacks.

Indicators of compromise (IOCs)

This latest Russian state-sponsored attack relied neither on previously unknown zero-day vulnerabilities nor on particularly sophisticated means to infiltrate the NGO.

Once the account was compromised, the attackers executed various processes. They used ping.exe for network discovery and regedit.exe to edit the local Windows registry. Once they had identified information of interest, they used rar.exe to archive it. They may also have used ntdsutil.exe to enumerate Active Directory user accounts, and they modified the Windows “hosts” file (C:\Windows\System32\drivers\etc\hosts) to redirect the Duo API hostname to the local machine, which prevented the Duo MFA component from reaching the Duo service. Because the MFA deployment was configured to “fail open” when the Duo service could not be reached, that one file change effectively switched MFA off for the accounts the attackers were using.

The CISA alert also identified the following IP addresses used by the actors:

  • 45.32.137[.]94
  • 191.96.121[.]162
  • 173.239.198[.]46
  • 157.230.81[.]39
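The indicators above are easy to turn into a hunting check. The following is an added example, not code from the CISA alert or from Armis: it matches the alert's process names and IP addresses against endpoint telemetry and flags both writes to the hosts file and any static hosts entry for a *.duosecurity.com name (the trick used to trigger fail-open). The telemetry line format (`ts|key=value|...`), the sample events and the sample hosts file are constructed for this illustration; the `api-example` hostname stands in for the deployment-specific Duo API name that the alert redacts.

```python
"""Match the AA22-074A indicators against constructed endpoint telemetry.

Added example; not code from the CISA alert or from Armis. The telemetry
format ('ts|key=value|...'), the sample events and the sample hosts file
are all constructed for this illustration.
"""
import ipaddress

# IP addresses listed in CISA Alert AA22-074A (refanged from the alert's 45.32.137[.]94 form).
AA22_074A_IPS = {"45.32.137.94", "191.96.121.162", "173.239.198.46", "157.230.81.39"}

# Executables the alert reports the actors running after the account compromise.
AA22_074A_PROCESSES = {"ping.exe", "regedit.exe", "rar.exe", "ntdsutil.exe"}

HOSTS_FILE_SUFFIX = "/windows/system32/drivers/etc/hosts"


def hosts_file_duo_entries(hosts_text):
    """Return (address, hostname) pairs in a hosts file that pin any
    *.duosecurity.com name to a static address. Legitimate resolution of the
    Duo API hostname goes through DNS, so any such entry is anomalous; in the
    alert it pointed to 127.0.0.1 to block the MFA check."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)            # skip malformed lines
        except ValueError:
            continue
        for name in names:
            if name.lower().endswith(".duosecurity.com"):
                hits.append((addr, name))
    return hits


def parse_event(line):
    """Parse one constructed 'ts|key=value|key=value' telemetry line."""
    ts, *pairs = line.strip().split("|")
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_iocs(lines):
    """Return (ts, host, reason) for every event that matches an AA22-074A IOC:
    a listed process image, a connection to a listed IP, or a write to the
    hosts file."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        kind = ev.get("event")
        if kind == "process_create":
            image = _basename(ev.get("image", ""))
            if image in AA22_074A_PROCESSES:
                findings.append((ev["ts"], ev.get("host"), f"process {image}"))
        elif kind == "network_connect":
            if ev.get("dst") in AA22_074A_IPS:
                findings.append((ev["ts"], ev.get("host"), f"connection to {ev['dst']}"))
        elif kind == "file_write":
            path = ev.get("path", "").replace("\\", "/").lower()
            if path.endswith(HOSTS_FILE_SUFFIX):
                findings.append((ev["ts"], ev.get("host"), "hosts file modified"))
    return findings


# Constructed telemetry; it is not from the alert or from any real host.
SAMPLE_TELEMETRY = r"""
2022-05-12T03:14:07Z|host=WS01|user=svc_old|event=process_create|image=C:\Windows\System32\ping.exe|cmdline=ping -n 1 10.0.0.5
2022-05-12T03:15:22Z|host=WS01|user=svc_old|event=file_write|path=C:\Windows\System32\drivers\etc\hosts
2022-05-12T03:16:40Z|host=WS01|user=svc_old|event=process_create|image=C:\Tools\rar.exe|cmdline=rar a -r out.rar D:\Share\Finance
2022-05-12T03:17:05Z|host=WS01|user=svc_old|event=network_connect|dst=45.32.137.94|dport=443
2022-05-12T03:18:00Z|host=WS02|user=alice|event=process_create|image=C:\Windows\System32\notepad.exe|cmdline=notepad.exe
2022-05-12T03:19:31Z|host=DC01|user=svc_old|event=process_create|image=C:\Windows\System32\ntdsutil.exe|cmdline=ntdsutil "ac i ntds" ifm
""".strip().splitlines()

# Constructed hosts file; the api-example hostname stands in for the
# deployment-specific api-<id>.duosecurity.com name that the alert redacts.
SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       api-example.duosecurity.com   # added by the intruder
"""

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_TELEMETRY):
        print("IOC match:", hit)
    for addr, name in hosts_file_duo_entries(SAMPLE_HOSTS):
        print("hosts file pins", name, "to", addr)
```

ping.exe and regedit.exe are noisy on their own; treat those matches as hunting leads to correlate with the hosts-file write, the archive tool and the listed addresses on the same host or account, rather than as alerts in isolation. The hosts-file check is the cheapest of the four and is worth running fleet-wide.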

Mitigation efforts

Attackers have taken notice of critical infrastructure and industrial sectors because of a combination of challenges unique to those environments, including:

  • The critical nature of manufacturing processes, which leaves little room for downtime or maintenance windows
  • The difficulty of identifying, prioritizing, and patching security vulnerabilities like PrintNightmare across large fleets of IT and OT assets

As part of the joint alert, the FBI and CISA urged organizations to be aware that state-sponsored actors will continue to exploit default MFA configurations and unpatched vulnerabilities like PrintNightmare. They also outlined steps organizations should take to mitigate the risk of these cyberattacks, including:

  • Enforce MFA for all users, without exception, and ensure it is properly configured so that it does not “fail open” when the MFA service is unreachable and does not let dormant accounts enroll new devices
  • Implement time-out and lock-out features for repeated failed logon attempts
  • Disable inactive accounts uniformly in Active Directory, the MFA system, and every other identity store
  • Update software, prioritizing patching of known exploited vulnerabilities, especially critical and high-severity vulnerabilities that allow remote code execution
  • Monitor network logs continuously for suspicious activity
  • Implement security alerting policies
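The first three mitigations are checks an organization can run against its own logon and directory data. The following is an added example, not code from the CISA alert or from Armis: it counts failed logons per account in a sliding window the way a lock-out policy would, notes when a success from the same source follows (the guessing attack worked), lists enabled accounts that have been dormant long enough to disable, and flags MFA enrollments on accounts that were dormant at the time of enrollment. The event tuples, the directory export, the MFA log entries, the 10-in-15-minutes threshold and the 90-day dormancy cut-off are all constructed assumptions.

```python
"""Two AA22-074A mitigations as checks over constructed data: lock-out style
detection of brute-force logon attempts, and finding enabled-but-dormant
accounts (and MFA enrollments on them).

Added example; not code from the CISA alert or from Armis. The event tuples,
account records and thresholds below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10                  # failed logons before we would lock the account
LOCKOUT_WINDOW = timedelta(minutes=15)  # sliding window for counting failures
INACTIVE_AFTER = timedelta(days=90)     # no logon for this long => account is dormant
NOW = datetime(2022, 5, 12, 9, 0, 0)    # fixed "now" so the example is deterministic


def brute_force_candidates(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Sliding-window count of failed logons (Windows event ID 4625) per account.

    events: iterable of (timestamp, event_id, account, source_ip), in any order.
    Returns {account: {"reached_at", "source", "succeeded_after"}} for accounts
    that hit `threshold` failures inside `window`; succeeded_after is True when
    a successful logon (4624) from the same source follows within the window,
    i.e. the guessing attack worked, as it did in the alert.
    """
    recent = defaultdict(deque)   # account -> timestamps of failures in the window
    flagged = {}
    for ts, event_id, account, src in sorted(events):
        if event_id == 4625:
            q = recent[account]
            q.append(ts)
            while q and ts - q[0] > window:      # expire failures outside the window
                q.popleft()
            if len(q) >= threshold and account not in flagged:
                flagged[account] = {"reached_at": ts, "source": src, "succeeded_after": False}
        elif event_id == 4624 and account in flagged:
            f = flagged[account]
            if src == f["source"] and ts - f["reached_at"] <= window:
                f["succeeded_after"] = True
    return flagged


def stale_enabled_accounts(accounts, now=NOW, inactive_after=INACTIVE_AFTER):
    """Enabled accounts with no logon for `inactive_after`: the ones the alert's
    mitigation says to disable uniformly in AD and in the MFA system."""
    return [name for name, enabled, last_logon in accounts
            if enabled and now - last_logon >= inactive_after]


def enrollments_on_stale_accounts(accounts, enrollments, inactive_after=INACTIVE_AFTER):
    """MFA device enrollments on accounts that were dormant when the enrollment
    happened. `accounts` must come from a directory export taken before the
    enrollments (a logon during the attack would otherwise refresh last_logon)."""
    last_seen = {name: (enabled, last_logon) for name, enabled, last_logon in accounts}
    hits = []
    for account, enrolled_at in enrollments:
        enabled, last_logon = last_seen.get(account, (False, None))
        if enabled and enrolled_at - last_logon >= inactive_after:
            hits.append(account)
    return hits


# Constructed events: 12 failures for svc_old in six minutes, then a success
# from the same address; a couple of ordinary typos for alice. 203.0.113.5 is
# a documentation address, not one of the alert's indicators.
_t0 = datetime(2022, 5, 11, 22, 0, 0)
SAMPLE_LOGON_EVENTS = (
    [(_t0 + timedelta(seconds=30 * i), 4625, "svc_old", "203.0.113.5") for i in range(12)]
    + [(_t0 + timedelta(minutes=7), 4624, "svc_old", "203.0.113.5"),
       (_t0 + timedelta(minutes=1), 4625, "alice", "10.0.0.7"),
       (_t0 + timedelta(minutes=2), 4625, "alice", "10.0.0.7"),
       (_t0 + timedelta(minutes=3), 4624, "alice", "10.0.0.7")]
)

# Constructed directory export (name, enabled, last_logon) taken before the attack.
SAMPLE_ACCOUNTS = [
    ("svc_old", True, datetime(2021, 12, 1)),
    ("alice", True, datetime(2022, 5, 11)),
    ("bob_left", False, datetime(2021, 9, 1)),
]

# Constructed MFA admin-log entries (account, enrollment time).
SAMPLE_ENROLLMENTS = [
    ("svc_old", datetime(2022, 5, 11, 22, 9)),
    ("alice", datetime(2022, 5, 11, 8, 30)),
]

if __name__ == "__main__":
    print("brute force:", brute_force_candidates(SAMPLE_LOGON_EVENTS))
    print("disable:", stale_enabled_accounts(SAMPLE_ACCOUNTS))
    print("suspicious enrollments:", enrollments_on_stale_accounts(SAMPLE_ACCOUNTS, SAMPLE_ENROLLMENTS))
```

The dormancy check deliberately ignores disabled accounts: the failure mode in the alert was an account that was still enabled in the directory and still enrollable in MFA, so the two stores need to be reconciled together, not just the directory. The enrollment check only works against a snapshot taken before the suspect period, because the attacker's own primary authentication refreshes the account's last-logon attribute.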

Responding to a widening attack surface

State-sponsored attackers are looking at the entire landscape of assets (OT, IT, IoT, IoMT, and IIoT) and identifying the weakest points to infiltrate and move laterally across an organization. For organizations to respond effectively to the increasing attack surface cybercriminals and state-sponsored actors are exploiting, they need: 

  • Comprehensive visibility into all assets with full confidence on asset data accuracy.
  • A full understanding of asset context and typical behavior, including the following details:
    • What is the asset?
    • How critical is it to the organization?
    • Where is it physically located?
    • Who owns it?
  • The ability to enforce appropriate security policies to protect assets and operations.
  • The ability to reduce impact of security incidents by speeding up time to remediation. 

How Armis can help

  1. Organizations need to first discover and classify every asset in their environment. The Armis Asset Intelligence Platform does this without relying on disruptive agents or scans. 
  2. Once assets are discovered, organizations need to identify and prioritize cyber and operational risk. 

a) Armis customers can identify, prioritize, and take action on all of the assets currently vulnerable to PrintNightmare. The following query identifies all assets vulnerable to CVE-2021-1675, the Print Spooler vulnerability Microsoft patched in June 2021 that is closely related to the CVE-2021-34527 named in the alert, and includes recommendations for remediation. Running the same query with CVE-2021-34527 in place of CVE-2021-1675 covers the CVE cited by CISA.

 in:devices vulnerabilities:(id:CVE-2021-1675)

Figure 1: Armis Platform identifying all assets in the organization vulnerable to PrintNightmare.

b) By integrating Armis with Active Directory, organizations can also identify and alert on brute-force password attempts used to obtain credentials. The following query returns any devices whose Active Directory record shows a bad-password count of 10:

in:devices dataSource:(name:"Active Directory") adBadPasswordCount:(10)

c) Organizations can also create automated policies to alert and/or take action using their existing infrastructure and tooling. The Armis Policy Library includes 100+ templates that an organization can add for vulnerabilities and exploit attempts like PrintNightmare. 

  3. Teams rely on continuous threat detection with full asset context to speed up incident response. Organizations can search, alert, and take action on all of their assets that have communicated with the IP addresses listed in the CISA joint alert. Armis customers can use this query:

in:ipConnections endpointA:(address:45.32.137.94,191.96.121.162,173.239.198.46,157.230.81.39)

If you are not an Armis customer, we can still help. We offer a free Quick Asset Visibility Assessment using the Armis platform to help you find and identify assets vulnerable to PrintNightmare. Our platform works with your existing infrastructure to ensure you have a complete, real-time asset inventory you can rely on.

Given the current geopolitical situation and fast-evolving threat landscape, asset visibility has never been more important. Armis can help you start seeing more with less effort. 

Let an Armis expert help you get started in as little as 30 minutes.
Get an Armis Quick Visibility Assessment
