The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored threat actors have gained network access through exploitation of default Multi Factor Authentication (MFA) protocols using a known vulnerability.
As early as May 2021, Russian state-sponsored threat actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization, allowing them to enroll a new device for MFA and access the victim network. The threat actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527) to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting a non-governmental organization using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.
The joint advisory provides observed tactics, techniques, and procedures, indicators of compromise (IOCs), and recommendations to protect against Russian state-sponsored malicious cyber activity. In the joint advisory, FBI and CISA urge all organizations to apply the recommendations in the Mitigations section of the advisory, including the following:
- Enforce MFA and review configuration policies to protect against “fail open” and re-enrollment scenarios.
- Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
- Patch all systems. Prioritize patching for known exploited vulnerabilities.
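The second mitigation is a reconciliation problem: an account disabled in the directory stays usable for MFA re-enrollment until the MFA system is told about it, and a dormant-but-enabled account with no device enrolled is exactly the state the advisory describes being abused. The script below is an added example, not CISA's, Cisco's or Infoblox's code: it reconciles a constructed directory export against a constructed MFA export and also scans constructed policy records for a fail-open outage setting. The record layouts, the "active"/"disabled" status vocabulary, the `on_outage` key and the 90-day dormancy threshold are all assumptions; real exports from Active Directory and an MFA product have their own schema.

```python
"""Added example (not CISA's, Cisco's or Infoblox's code): reconcile directory
account state against MFA enrollment records and flag MFA policies that fail
open. All records, field names and the "on_outage" policy key are constructed
stand-ins; real exports from AD and an MFA product will use their own schema."""
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2022, 3, 15)                  # constructed reference date
DORMANT_AFTER = timedelta(days=90)         # assumed inactivity threshold


@dataclass(frozen=True)
class DirectoryAccount:
    username: str
    enabled: bool
    last_logon: date


@dataclass(frozen=True)
class MfaRecord:
    username: str
    status: str            # assumed vocabulary: "active" | "disabled"
    enrolled_devices: int  # 0 means a new device could still be enrolled


# Constructed directory export.
DIRECTORY = [
    DirectoryAccount("alice", True,  date(2022, 3, 12)),
    DirectoryAccount("bob",   False, date(2021, 8, 1)),   # disabled in the directory
    DirectoryAccount("carol", True,  date(2021, 9, 1)),   # never disabled, long dormant
    DirectoryAccount("dave",  True,  date(2022, 3, 5)),
]

# Constructed MFA-side export; bob and carol were never cleaned up here.
MFA = [
    MfaRecord("alice", "active", 1),
    MfaRecord("bob",   "active", 1),
    MfaRecord("carol", "active", 0),
    MfaRecord("dave",  "active", 1),
]

# Constructed policy export; the key name "on_outage" is an assumption.
POLICIES = [
    {"name": "default-policy", "on_outage": "open"},
    {"name": "vpn-policy",     "on_outage": "closed"},
]


def reconcile(directory, mfa, today=TODAY, dormant_after=DORMANT_AFTER):
    """Return (username, reason) pairs for identities that should be disabled
    on the MFA side but are not. Two cases are reported:
      - disabled in the directory, still active in MFA;
      - enabled but dormant in the directory, still active in MFA with no
        device enrolled, so a new device could be registered by anyone who
        knows or guesses the password."""
    mfa_by_user = {m.username: m for m in mfa}
    findings = []
    for acct in directory:
        rec = mfa_by_user.get(acct.username)
        if rec is None or rec.status != "active":
            continue  # nothing to do: no MFA identity, or already disabled there
        if not acct.enabled:
            findings.append((acct.username, "disabled in directory but active in MFA"))
        elif today - acct.last_logon > dormant_after and rec.enrolled_devices == 0:
            findings.append((acct.username, "dormant, active in MFA, no device enrolled"))
    return findings


def fail_open_policies(policies):
    """Names of policies that allow authentication when the MFA service is unreachable."""
    return [p["name"] for p in policies if p.get("on_outage") == "open"]


if __name__ == "__main__":
    for user, reason in reconcile(DIRECTORY, MFA):
        print(f"{user}: {reason}")
    print("fail-open policies:", fail_open_policies(POLICIES))
```

Run on a schedule against fresh exports, the first function gives the "uniform disabling" check from the mitigation list a concrete output to act on; the second is the configuration review for fail-open behaviour.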
For more general information on Russian state-sponsored malicious cyber activity, see CISA’s Russia Cyber Threat Overview and Advisories webpage. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure as well as additional mitigation recommendations, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and CISA’s Shields Up Technical Guidance webpage.
A PDF version of this joint advisory report is available. For a downloadable copy of IOCs, see AA22-074A.stix.
DNS is frequently used to facilitate attacker techniques
DNS is frequently used in support of attacker techniques. Infoblox BloxOne Threat Defense enables security operations teams to leverage DNS to get visibility into malicious activity so that cyberattacks can be detected and shut down early in the kill chain of events. BloxOne Threat Defense integrates with Security Orchestration Automation and Remediation (SOAR) systems, ITSM solutions, vulnerability scanners and other security ecosystem tools to trigger remediation actions automatically when any malicious activity is detected.
Command and control often uses DNS as a covert communication channel. Attackers may use IP addresses that are already known and can be identified by threat intelligence, but increasingly they spin up new domains just a few hours before an attack. In this scenario the behavior of DNS queries can provide the data that organizations need to identify and stop the attack. Technologies like machine learning and analytics give BloxOne Threat Defense the edge in identifying and stopping these types of threats. This helps speed up an organization’s response to security events and provides rapid threat containment.
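Two of the DNS behaviours mentioned above can be checked directly from resolver logs: queries to domains registered only days ago, and a burst of distinct random-looking subdomains under one domain, which is the query pattern a covert DNS channel produces. The script below is an added example written for this page, not Infoblox or CISA code. The log lines, the registration-date table (a stand-in for a WHOIS or threat-intelligence feed), the "last two labels" domain split and the thresholds are all constructed assumptions.

```python
"""Added example (not Infoblox or CISA code): two DNS-behaviour checks a SOC
could run over resolver logs. Sample log lines, registration dates and
thresholds are constructed for illustration."""
import math
from collections import defaultdict
from datetime import date

TODAY = date(2022, 3, 15)   # constructed reference date

# Constructed resolver log: timestamp, client IP, query name, query type.
DNS_LOG = """\
2022-03-15T10:00:01Z 10.0.0.5 www.example.com A
2022-03-15T10:00:02Z 10.0.0.5 mail.example.com A
2022-03-15T10:00:03Z 10.0.0.5 update.fresh-domain.net A
2022-03-15T10:00:04Z 10.0.0.7 3f9a1c7e2b8d4065.tunnel-host.org TXT
2022-03-15T10:00:05Z 10.0.0.7 c04e8b2f7a1d9635.tunnel-host.org TXT
2022-03-15T10:00:06Z 10.0.0.7 9d2a6f03e7c1b584.tunnel-host.org TXT
2022-03-15T10:00:07Z 10.0.0.7 e1b5c8d0f4a93726.tunnel-host.org TXT
2022-03-15T10:00:08Z 10.0.0.7 7a3d0e9b1f5c2486.tunnel-host.org TXT
2022-03-15T10:00:09Z 10.0.0.9 www.example.com A
"""

# Constructed stand-in for a domain-registration feed (WHOIS / threat intel).
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "fresh-domain.net": date(2022, 3, 14),
    "tunnel-host.org": date(2020, 1, 1),
}


def registered_domain(qname):
    """Last two labels of the name. Simplification: a real deployment should
    use the Public Suffix List so names under co.uk and similar split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character; random-looking labels score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed four-column format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype})
    return records


def analyze(log_text, reg_dates, today, young_days=7,
            min_subdomains=5, entropy_threshold=3.5):
    """Return findings for (a) queries to domains registered fewer than
    young_days ago and (b) domains receiving many distinct high-entropy
    leftmost labels, a pattern consistent with DNS used as a covert channel."""
    by_domain = defaultdict(lambda: {"clients": set(), "subdomains": set()})
    for rec in parse_log(log_text):
        labels = rec["qname"].rstrip(".").lower().split(".")
        dom = registered_domain(rec["qname"])
        entry = by_domain[dom]
        entry["clients"].add(rec["client"])
        if len(labels) > 2:
            entry["subdomains"].add(labels[0])   # leftmost label carries the payload
    findings = []
    for dom, entry in by_domain.items():
        reg = reg_dates.get(dom)                  # unknown age: no age finding
        if reg is not None and (today - reg).days < young_days:
            findings.append({"type": "young_domain", "domain": dom,
                             "age_days": (today - reg).days,
                             "clients": sorted(entry["clients"])})
        subs = entry["subdomains"]
        if len(subs) >= min_subdomains:
            mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
            if mean_entropy >= entropy_threshold:
                findings.append({"type": "possible_tunneling", "domain": dom,
                                 "distinct_subdomains": len(subs),
                                 "mean_entropy": round(mean_entropy, 2),
                                 "clients": sorted(entry["clients"])})
    return findings


if __name__ == "__main__":
    for finding in analyze(DNS_LOG, REGISTRATION_DATES, TODAY):
        print(finding)
```

On the constructed log this yields two findings: `fresh-domain.net` (registered one day before the queries) and `tunnel-host.org` (five distinct 16-character labels with entropy 4.0 bits each), while the ordinary `example.com` traffic produces none. Both heuristics need tuning per environment; CDN and cloud-service names also generate many distinct high-entropy labels, so an allowlist belongs in front of the tunneling check.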
To find out more about our programs and products please reach out to us via https://info.infoblox.com/contact-sales.html.