Russian threat actors used PrintNightmare to gain access to NGO’s network

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) detailed how Russian state-sponsored actors gained access to a non-governmental organization’s (NGO) network as a warning to others.

In the March 15 alert, CISA provided observed tactics and procedures, indicators of compromise, and recommendations to protect against Russian state-sponsored cyber activity. 

As early as May 2021, the Russian cyber actors gained access to the NGO’s network by guessing the password of an inactive account and using it to enroll a new device in the organization’s Duo MFA. They then exploited the PrintNightmare vulnerability, which caused havoc in 2021, to obtain domain administrator access, and redirected Duo MFA so that multi-factor authentication was effectively disabled for active accounts, which let them add even more accounts. From there the threat actors moved laterally to cloud storage and email accounts.

The alert didn’t detail what data, if any, was exfiltrated, but the FBI and CISA set out what organizations should do, reminding them to “remain cognizant of the threat of state-sponsored cyber actors exploiting default MFA protocols and exfiltrating sensitive information.” Their recommendations include:

  • Enforce MFA for all users, without exception.
  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Ensure inactive accounts are disabled uniformly across Active Directory, MFA systems, etc.
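
The third recommendation is the one this intrusion turned on: an account that was inactive in the directory but that the MFA system still allowed to enroll a fresh device. As an added example (not code from the article or the CISA alert), the script below reconciles a constructed Active Directory export against a constructed MFA user export and flags the gaps a defender would want closed; the row shapes, the 90-day inactivity threshold and the status values are assumptions.

```python
"""Reconcile stale AD accounts against MFA enrollment state.

Added example, not from the article or the CISA alert. Assumed shapes:
AD rows as (username, enabled, last_logon); MFA rows as
username -> (status, enrolled_device_count). All sample rows are constructed.
"""
from datetime import date, timedelta

INACTIVITY_DAYS = 90           # assumed threshold for "inactive"
REPORT_DATE = date(2022, 3, 15)  # constructed report date

# Constructed AD export: (username, enabled, last_logon)
AD_ACCOUNTS = [
    ("alice",       True,  date(2022, 3, 10)),
    ("contractor7", True,  date(2021, 1, 20)),  # stale but still enabled
    ("bob",         False, date(2020, 6, 1)),   # correctly disabled in AD
    ("svc-print",   True,  date(2022, 3, 12)),
]

# Constructed MFA export: username -> (status, enrolled_devices)
MFA_USERS = {
    "alice":       ("active", 1),
    "contractor7": ("active", 0),  # no device yet: a new one could be enrolled
    "bob":         ("active", 1),  # disabled in AD, never disabled in MFA
    "svc-print":   ("bypass", 0),  # MFA bypass on an enabled account
}

def find_gaps(ad_accounts, mfa_users, today, inactivity_days=INACTIVITY_DAYS):
    """Return sorted (username, reason) findings where AD and MFA disagree."""
    cutoff = today - timedelta(days=inactivity_days)
    findings = []
    for user, enabled, last_logon in ad_accounts:
        status, devices = mfa_users.get(user, ("missing", 0))
        stale = last_logon < cutoff
        if enabled and stale:
            findings.append((user, "inactive in AD but still enabled"))
        if (stale or not enabled) and status == "active" and devices == 0:
            findings.append((user, "MFA active with no enrolled device: enrollment open"))
        if not enabled and status != "disabled":
            findings.append((user, f"disabled in AD but MFA status is '{status}'"))
        if enabled and status == "bypass":
            findings.append((user, "MFA bypass set on an enabled account"))
    return sorted(findings)

def audit():
    """Run the reconciliation over the constructed exports."""
    return find_gaps(AD_ACCOUNTS, MFA_USERS, REPORT_DATE)

if __name__ == "__main__":
    for user, reason in audit():
        print(f"{user}: {reason}")
```

Feeding it real exports means disabling the flagged accounts in both systems in the same change, since a stale account that stays enabled in AD and enrollable in MFA is exactly the foothold described above.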
Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
