Russian cyber attacks continue to exploit vulnerabilities across multiple networks.
This time, the state-sponsored hackers exploited the "PrintNightmare" vulnerability and, in addition, attacked a non-governmental organization (NGO) through default multifactor authentication (MFA) settings.
The US further warned that the incident could allow the threat actors to access the NGO's cloud and email accounts and later move on to other documents within the network.
FBI, CISA Warn of the Latest Russia-Linked Attack
According to a report by VentureBeat, Vulcan Cyber senior technical engineer Mike Parkin said the latest attack illustrates the importance of user account hygiene.
The cybersecurity expert added that security patches should be applied promptly as well. Parkin wrote in an email that this breach appeared to target both a vulnerable account and an "exploitable" vulnerability.
Per the joint advisory issued by CISA and the FBI on Tuesday, March 15, the Russian hackers exploited "PrintNightmare," a known vulnerability in Microsoft's Windows print spooler.
To prevent further attacks, Microsoft had released successive patches for it. It was not the only weakness the state-sponsored attackers exploited, since they also abused the default MFA configuration.
According to the alert from the US agencies, the attack can be traced back to May 2021. The advisory does not name the location of the NGO involved in the breach.
Russian Hackers Use Weak Passwords
In the same VentureBeat report, the CISA and FBI announcement also addressed the Russian hackers' "password guessing." This approach works for the threat actors when passwords are simple enough to predict.
The advisory stated that to gain access to the NGO's network, the cybercriminals took advantage of Cisco's Duo MFA solution.
"The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory," the FBI and CISA said.
To escalate the attack, the hackers combined it with "PrintNightmare," which allowed them to disable MFA and alter an administrative file on the domain controller.
The incident shows that MFA deployments need stronger protection, since Russian hackers have exploited them with ease in recent years.
Vectra VP Aaron Turner said that organizations relying on "check the box" compliance solutions for MFA could see an escalating trend in vulnerability exploitation.
Bud Broomhead, CEO of Viakoo, said he anticipates this attack vector appearing more often.
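The gap the advisory describes is an account that the directory still allows to log in while the MFA provider no longer covers it. One defensive control is a routine reconciliation of enabled Active Directory accounts against the MFA provider's enrollment list and last-logon data. The script below is an added example written for this article, not code from CISA, the FBI, or Cisco; the account records and the enrollment set are constructed sample data, and the field names are assumptions about what such an export would contain.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the advisory or any real directory):
# a minimal export of Active Directory user objects and the set of
# usernames the MFA provider still has enrolled. Field names are assumed.
AD_ACCOUNTS = [
    {"sam": "jdoe",       "enabled": True,  "last_logon": "2021-01-10T09:00:00Z"},
    {"sam": "asmith",     "enabled": True,  "last_logon": "2021-05-01T12:00:00Z"},
    {"sam": "oldsvc",     "enabled": False, "last_logon": "2020-03-01T00:00:00Z"},
    {"sam": "contractor", "enabled": True,  "last_logon": None},
]
MFA_ENROLLED = {"asmith"}

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2021, 5, 15, tzinfo=timezone.utc)


def _parse(ts):
    """Parse the export's UTC timestamp; None means the account never logged on."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_unprotected_accounts(ad_accounts, mfa_enrolled, now=NOW, max_idle_days=90):
    """Return enabled accounts that MFA no longer covers or that have gone idle.

    Disabled accounts are skipped: they cannot be used for the
    password-guessing path at all, which is the point of disabling them.
    """
    idle_limit = timedelta(days=max_idle_days)
    findings = []
    for acct in ad_accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        if acct["sam"] not in mfa_enrolled:
            reasons.append("not_enrolled_in_mfa")
        last = _parse(acct["last_logon"])
        if last is None:
            reasons.append("never_logged_on")
        elif now - last > idle_limit:
            reasons.append(f"idle_{(now - last).days}_days")
        if reasons:
            findings.append({"sam": acct["sam"], "reasons": reasons})
    return findings


def recommended_action(finding):
    """Map a finding to the remediation a directory admin would take."""
    reasons = finding["reasons"]
    if "not_enrolled_in_mfa" in reasons and len(reasons) > 1:
        return "disable"    # dormant and unprotected: the exact gap in the advisory
    if "not_enrolled_in_mfa" in reasons:
        return "re-enroll"  # active user, but MFA no longer covers the account
    return "review"         # enrolled but idle: confirm the account is still needed


if __name__ == "__main__":
    for f in find_unprotected_accounts(AD_ACCOUNTS, MFA_ENROLLED):
        print(f["sam"], ",".join(f["reasons"]), "->", recommended_action(f))
```

The idle threshold of 90 days is a starting point, not a standard; the important property is that un-enrolling a user from MFA and disabling the user in the directory happen together, so the reconciliation should run on a schedule and feed a ticket rather than a one-off report.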
In other news, Tech Times reported that the CaddyWiper malware recently hit Ukrainian organizations. Rather than stealing financial assets from victims, this new wiper malware disrupts files and eventually erases them.
This article is owned by Tech Times
Written by Joseph Henry