March 22, 2022

Russian State-Sponsored Cyber Actors Exploit “PrintNightmare”

Industry: N/A | Level: Tactical | Source: CISA

A joint advisory released by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) describes Russian state-sponsored actors compromising a non-governmental organization (NGO) in May 2021. The threat actors abused a default MFA configuration in Duo using a compromised account that was inactive but not disabled in Active Directory. The problematic Duo configuration flaw they took advantage of was the “re-enrollment of a new device for dormant accounts.” The actors then ran arbitrary code with system privileges by exploiting the Windows Print Spooler vulnerability “PrintNightmare” (CVE-2021-34527). Another notable technique observed was that “the actors also modified a domain controller file, c:\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost instead of the Duo server [T1556]. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to ‘Fail open’ if the MFA server is unreachable.” Afterwards, the actors largely used built-in Windows tools to conduct reconnaissance, modify the registry, collect files, and steal credentials.
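
The hosts-file tampering described above is cheap to check for. The following is an added detection example, not code from the advisory or from Anvilogic: it parses hosts-file text and flags any entry that overrides DNS for a Duo API hostname (assumed here to be any name under duosecurity.com), calling out loopback and unspecified addresses as the pattern the advisory describes. The sample hosts content and the api-placeholder hostname are constructed.

```python
import ipaddress

# Duo Authentication for Windows Logon reaches Duo at the tenant's API
# hostname (assumed here to be a name under duosecurity.com). A hosts entry
# that pins such a name to loopback makes the server unreachable; under the
# default fail-open policy the logon then proceeds without MFA.
DUO_DOMAIN_SUFFIX = ".duosecurity.com"

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")

def classify(address):
    """Label an address: loopback/unspecified is the advisory's pattern; anything else is still an override."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "unparseable address"
    if addr.is_loopback or addr.is_unspecified:
        return "redirected to loopback"
    return "static override"

def find_duo_overrides(text):
    """Return (address, hostname, verdict) for every hosts entry that overrides DNS for a Duo hostname."""
    return [(ip, name, classify(ip))
            for ip, name in parse_hosts(text)
            if name.endswith(DUO_DOMAIN_SUFFIX)]

# Constructed sample hosts file; the Duo line mimics the tampering in the
# advisory (api-placeholder is not a real tenant hostname).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       api-placeholder.duosecurity.com   # constructed tampered entry
10.0.0.5        fileserver.corp.example
"""

if __name__ == "__main__":
    for ip, name, verdict in find_duo_overrides(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {verdict}")
```

On a live domain controller, feed it the contents of c:\windows\system32\drivers\etc\hosts; any finding at all warrants a look, since Duo hostnames should resolve through DNS rather than a static entry.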

  • Anvilogic Use Cases:
    • Rare dll called by Spoolsv.exe
    • Suspicious Spool Authentication
    • Windows External Remote Login
    • Utility Archive Data
    • Locate Credentials
    • NTDSUtil.exe execution
    • Tunnel connection on local host