Russian State-Sponsored Cyber Actors Exploit “PrintNightmare”
Industry: N/A | Level: Tactical | Source: CISA
A joint advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) describes Russian state-sponsored actors compromising a non-governmental organization (NGO) as early as May 2021. The actors gained initial access with a compromised account that had been inactive for a long time but was never disabled in Active Directory, and they abused a default Duo MFA setting to get past multi-factor authentication: Duo’s default configuration permits re-enrollment of a new device for dormant accounts, so the actors enrolled their own device for the stale account and satisfied the MFA check. They then ran arbitrary code with SYSTEM privileges by exploiting the Windows Print Spooler vulnerability “PrintNightmare” (CVE-2021-34527). Another notable technique observed was that “the actors also modified a domain controller file, c:\windows\system32\drivers\
- Anvilogic Use Cases:
  - Rare DLL called by spoolsv.exe
  - Suspicious Spool Authentication
  - Windows External Remote Login
  - Utility Archive Data
  - Locate Credentials
  - NTDSUtil.exe execution
  - Tunnel connection on local host