Russian state-sponsored cyberattackers gained network access to a non-governmental organization by exploiting default multi-factor authentication (MFA) protocols and PrintNightmare, a known security vulnerability in Windows Print Spooler.

As such, all organizations should take action to enable, enforce and properly configure MFA and prioritize patching of known exploited security vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned.

Russian state-sponsored cyber actors initially gained access to the non-governmental organization via compromised credentials and enrolling a new device for MFA and accessing the victim’s network. To obtain administrator privileges, the cyberattackers then exploited PrintNightmare, allowing them to access cloud and email accounts for document exfiltration.

To take immediate action to protect against this type of cyberattack, organizations should take the following recommended security mitigations:

  1. Bud Broomhead, CEO at Viakoo: Patching printers and other Internet of Things (IoT) devices is the highest priority, especially given CISA and FBI focus on these being vulnerabilities currently being exploited. To ensure all printers are identified, a discovery solution should be used to have an up-to-date inventory of vulnerable devices. Automated IoT firmware patch solutions should be used to minimize the attack window. Manual methods for wide-spread devices (both in number and physical location) will take way too long given the urgency needed to patch printer devices. 
  2. Mike Parkin, Senior Technical Engineer at Vulcan Cyber: Industry best practices go a long way toward preventing the kind of attack seen here: Default configurations should be updated to a secure configuration. Systems should be configured to fail closed, rather than open. Unused accounts should be disabled. If they need to remain in service, default accounts should have their passwords changed from the initial default to something secure. Patches should be deployed as soon as practical. Access should be restricted to the minimum required levels, etc.
  3. Aaron Turner, Vice President, SaaS Posture at Vectra: Organizations should immediately disable all third-party identity providers from systems that host material identities and information. If that cannot be done for the general user population, it should be done for all privileged identities. Also, it is important to avoid the use of mobile authenticator apps for privileged identities. The race condition that mobile authenticators create is one that most security and mobile device management teams are not ready to handle because mobile device hygiene is so difficult. Using Yubikeys should be the de-facto standard for all privileged identities in cloud platforms.