The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on March 15 warning that Russian state-sponsored cyber actors gained network access by exploiting default multifactor authentication (MFA) protocols and a known vulnerability in the Windows Print Spooler service.
As early as May 2021, the actors took advantage of a misconfigured, inactive account at a nongovernmental organization that was still enabled and still subject to the MFA provider's default settings. Those defaults allowed them to enroll a new device for MFA and gain access to the victim's network. They then exploited PrintNightmare, the critical Print Spooler vulnerability tracked as CVE-2021-34527, to run arbitrary code with system privileges and to access cloud and email accounts, from which they exfiltrated documents.
The joint advisory includes indicators of compromise and mitigations, as well as best practices for network security, remote work, security operations and user awareness.
Recommended mitigations include:
1. Enforce MFA for all users and review configuration policies to protect against "fail open" scenarios (access granted when the MFA service cannot be reached) and unauthorized re-enrollment of dormant accounts.
2. Ensure inactive accounts are disabled uniformly across Active Directory and the MFA system, so that an account dropped from MFA for inactivity is not left enabled in the directory.
3. Patch all systems, and prioritize patching for known exploited vulnerabilities such as PrintNightmare.
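The second mitigation is a reconciliation problem: the gap the actors used exists whenever an account is enabled in Active Directory but dormant, un-enrolled or bypassed on the MFA side. The script below is an added example and not part of the advisory or of any vendor tooling. It assumes two constructed CSV exports (one from AD with the columns samAccountName, enabled and lastLogon, one from the MFA provider with username and status), flags accounts that are stale but still enabled, accounts in that set whose MFA status is anything other than active, and accounts with an explicit bypass status, and emits the PowerShell Disable-ADAccount commands an administrator would run to close the gap. In production the AD rows would come from Search-ADAccount -AccountInactive or Get-ADUser rather than an inline string; the status values are assumed, not a particular vendor's schema.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample AD export (not real data). enabled is the literal
# string Get-ADUser would serialise; lastLogon is an ISO date.
AD_EXPORT = """samAccountName,enabled,lastLogon
alice,True,2022-03-10
bob,True,2021-02-01
carol,False,2020-11-15
dave,True,2021-12-20
"""

# Constructed sample MFA-provider export (not real data). The status
# vocabulary (active | inactive | bypass) is an assumption for this example.
MFA_EXPORT = """username,status
alice,active
bob,inactive
dave,bypass
"""

INACTIVITY_DAYS = 90


def parse_csv(text):
    """Read a CSV export held in memory into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(ad_csv, mfa_csv, now, inactivity_days=INACTIVITY_DAYS):
    """Reconcile AD and MFA state; returns three lists of account names.

    stale_enabled: enabled in AD but no logon within inactivity_days
    mfa_gap:       stale_enabled accounts that MFA considers inactive,
                   unknown, or bypassed (the re-enrollment risk)
    mfa_bypass:    any enabled account whose MFA status is bypass (fail open)
    """
    ad_rows = parse_csv(ad_csv)
    mfa_status = {r["username"]: r["status"] for r in parse_csv(mfa_csv)}
    cutoff = now - timedelta(days=inactivity_days)
    findings = {"stale_enabled": [], "mfa_gap": [], "mfa_bypass": []}

    for row in ad_rows:
        name = row["samAccountName"]
        if row["enabled"] != "True":
            continue  # already disabled in AD: nothing to reconcile
        last_logon = datetime.fromisoformat(row["lastLogon"])
        status = mfa_status.get(name)  # None: not known to MFA at all

        if last_logon < cutoff:
            findings["stale_enabled"].append(name)
            if status != "active":
                findings["mfa_gap"].append(name)
        if status == "bypass":
            findings["mfa_bypass"].append(name)
    return findings


def remediation_commands(findings):
    """PowerShell an admin would run to disable the stale accounts in AD.

    Disable-ADAccount is a real ActiveDirectory-module cmdlet; the MFA side
    has no vendor-neutral CLI, so it is left as a reviewed manual step.
    """
    return [f"Disable-ADAccount -Identity {name}"
            for name in findings["stale_enabled"]]


if __name__ == "__main__":
    # Date of the advisory, used as the reference point for inactivity.
    result = audit(AD_EXPORT, MFA_EXPORT, now=datetime(2022, 3, 15))
    for category, names in result.items():
        print(f"{category}: {names}")
    for cmd in remediation_commands(result):
        print(cmd)
```

Running it against the constructed exports reports bob as stale, enabled and inactive in MFA (exactly the state the advisory describes), and dave as an enabled account with an MFA bypass even though he logged on recently; carol is ignored because AD already has her disabled. The inactivity window should match whatever threshold the MFA provider uses to drop dormant users, otherwise the two systems will disagree about who is inactive.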