Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols
A joint Cybersecurity Advisory from CISA and the Federal Bureau of Investigation (FBI) explains how Russian state-sponsored cyber actors gained access to a network through misconfigured default multifactor authentication (MFA) protocols. The actors then exploited “PrintNightmare” (CVE-2021-34527), a critical Windows Print Spooler vulnerability, to run arbitrary code with system privileges. The advisory details the tactics, techniques, and procedures that were observed, along with indicators of compromise and mitigations to protect against this threat.
Users and administrators are encouraged to review AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and the “PrintNightmare” Vulnerability. See cisa.gov/Russia for general information on Russian state-sponsored malicious cyber activity. See AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and cisa.gov/shields-up for more information on the threat that Russian state-sponsored malicious cyber actors pose to U.S. critical infrastructure, as well as additional mitigation recommendations.