CISA and FBI warning: Hackers used these tricks to dodge multi-factor authentication and steal email from NGO

Russian state-sponsored hackers have used a clever technique to disable multi-factor authentication (MFA) and exploited a Windows 10 Print Spooler flaw to compromise networks and high-value domain accounts. The goal? Accessing the victim's cloud and email.

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about Russian state-sponsored activity that pre-dates recent warnings over cyber activity related to Russia’s military invasion of Ukraine. 


As early as May 2021, the hackers combined a default configuration issue in a Duo MFA setup at a non-government organization (NGO) with the critical Windows 10 PrintNightmare flaw CVE-2021-34481 to compromise it. 


Microsoft patched that elevation-of-privilege issue in August. Once the attackers were inside a network, the flaw allowed them to create new accounts on Windows 10 machines.

In the NGO's case, a weak password allowed the attackers to obtain credentials for initial access through a password-guessing attack. The attackers also took advantage of the fact that Duo's default configuration allows the enrollment of a new device for dormant accounts.
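The dormant-account gap described above is something a defender can audit for directly: if an account has not completed an MFA login for a long time, a sudden new-device enrollment on it deserves a denial or a manual identity check rather than the permissive default. The following Python script is an added example written for this article; it is not Duo's code, not part of the CISA/FBI advisory, and does not use Duo's API. The account names, timestamps and the 90-day dormancy threshold are all constructed assumptions.

```python
"""
Dormant-account audit for MFA enrollment decisions (added example).

Given each account's last successful MFA authentication, list the accounts
that have gone dormant and decide whether a new-device enrollment request
for a given account should be allowed or sent to manual review.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data (assumption, not from the advisory):
# account name -> last successful MFA authentication as a UTC ISO 8601
# timestamp, or None if the account exists but never completed an MFA login.
SAMPLE_LAST_MFA = {
    "alice": "2022-03-10T08:15:00+00:00",
    "bob": "2021-11-02T17:40:00+00:00",
    "svc-backup": None,
    "carol": "2022-03-14T09:00:00+00:00",
}

# Assumed dormancy threshold in days; align it with your own access policy.
DORMANT_AFTER_DAYS = 90


def _parse(ts):
    """Parse an ISO 8601 timestamp with offset, or return None for None."""
    return datetime.fromisoformat(ts) if ts else None


def dormant_accounts(last_mfa, now_iso, days=DORMANT_AFTER_DAYS):
    """Return the sorted list of accounts with no MFA login within `days` of `now_iso`.

    Accounts that never completed an MFA login count as dormant: they are
    exactly the ones an attacker with a guessed password could enroll a
    device on without any existing second factor getting in the way.
    """
    now = _parse(now_iso)
    threshold = timedelta(days=days)
    dormant = []
    for account, ts in last_mfa.items():
        last = _parse(ts)
        if last is None or now - last > threshold:
            dormant.append(account)
    return sorted(dormant)


def enrollment_decision(account, last_mfa, now_iso, days=DORMANT_AFTER_DAYS):
    """Decide whether a new-device enrollment for `account` may proceed.

    Returns "allow" for an active account, or a "deny: ..." string that
    explains why the request should go to manual identity verification.
    """
    if account not in last_mfa:
        return "deny: unknown account"
    if account in dormant_accounts({account: last_mfa[account]}, now_iso, days):
        return "deny: dormant account, require identity verification"
    return "allow"


if __name__ == "__main__":
    # Constructed "current time" for the demo run.
    now_iso = datetime(2022, 3, 15, tzinfo=timezone.utc).isoformat()
    print("dormant:", dormant_accounts(SAMPLE_LAST_MFA, now_iso))
    for name in ("alice", "bob", "svc-backup", "mallory"):
        print(f"{name}: {enrollment_decision(name, SAMPLE_LAST_MFA, now_iso)}")
```

In a real deployment the `SAMPLE_LAST_MFA` mapping would be replaced by an export of last-authentication times from the MFA provider, and the `deny` outcome would feed a ticket or a help-desk verification step rather than a silent block; the point is that enrollment on an account nobody has used for months is an event to gate, not to allow by default.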

“Russian state-sponsored cyber actors gained initial access

Read More: https://www.zdnet.com/article/cisa-and-fbi-warning-hackers-used-these-tricks-to-dodge-multi-factor-authentication-and-steal-email/#ftag=RSSbaffb68