“The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) warned that Russia-linked threat actors have gained access to a non-governmental organization (NGO) cloud by exploiting misconfigured default multifactor authentication (MFA) protocols and enrolled their own device in the organization’s Cisco’s Duo MFA” (Security Affairs, 2022).
Using a combination of the default MFA enrollment behavior and the Windows Print Spooler vulnerability known as “PrintNightmare”, nation-state actors were able to gain access to networks.
“As early as May 2021, the attackers took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The exploitation of the PrintNightmare flaw allowed the attackers to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration. In order to compromise the target network, the attackers conducted a brute-force password guessing attack against an un-enrolled and inactive account. Contrary to best practices recommended, the account was still active in the organization’s Active Directory” (Security Affairs, 2022).
Duo's behavior contributed to the problem: the victim account had been unenrolled from Duo after a long period of inactivity but remained active in Active Directory. This allowed the threat actors to enroll a new device on the dormant account. Additionally, the threat actors used PrintNightmare to elevate privileges and gain admin access.
CVE-2021-34527: Windows Print Spooler Remote Code Execution Vulnerability (CVSS 8.8)
“Once they obtained admin privileges, the attackers modified a domain controller file to redirect Duo MFA calls to localhost instead of the legitimate Duo server to prevent the MFA service from contacting its server to validate MFA login. This trick allowed the attackers to completely disable MFA for active domain accounts because the default policy of Duo for Windows is to ‘Fail open’ if the MFA server is unreachable” (Security Affairs, 2022).
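The redirect-to-localhost trick only works because the Windows client cannot reach the real MFA endpoint. A quick defender-side check, added here as an example (not code from the advisory or from Duo), assumes the edited domain controller file was the Windows hosts file and flags any MFA service hostname pinned to a loopback or unspecified address; the hosts content and the `api-EXAMPLE` hostname are constructed placeholders.

```python
"""Flag hosts-file entries that pin MFA service hostnames to loopback.

Added example. Assumption: the tampered domain controller file was
C:\\Windows\\System32\\drivers\\etc\\hosts; pass its path as argv[1].
"""
import ipaddress
import sys

# Hostname suffixes that should never resolve locally; extend for your vendor.
MFA_SUFFIXES = ("duosecurity.com",)

# Constructed sample hosts content: benign entries plus one tampered line.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example
127.0.0.1       api-EXAMPLE.duosecurity.com   # constructed placeholder
"""


def redirected_mfa_hosts(hosts_text, suffixes=MFA_SUFFIXES):
    """Return (ip, hostname) pairs where an MFA hostname maps to loopback/0.0.0.0."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed entry, not a hosts mapping
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in parts[1:]:
            if name.lower().endswith(suffixes):
                hits.append((parts[0], name))
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, name in redirected_mfa_hosts(text):
        print(f"MFA endpoint {name} pinned to {ip}: possible fail-open bypass")
```

Pair this with file integrity monitoring on the hosts file itself, since a hit here means the fail-open path is already reachable.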
FBI and CISA shared indicators of compromise for the above attack and provided the following recommendations in the joint advisory:
- Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.
- Implement time-out and lock-out features in response to repeated failed login attempts.
- Ensure inactive accounts are disabled uniformly across Active Directory, MFA systems, etc.
- Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
- Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.
- Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit).
On 15 March 2022, a U.S. government flash bulletin was published describing how state-sponsored cyber actors were able to leverage the PrintNightmare vulnerability (CVE-2021-34527) in conjunction with specific Duo 2FA configuration settings to compromise an unpatched Windows machine and gain unauthorized administrative privileges on it.
While this scenario did not explicitly leverage or reveal a vulnerability in Duo’s software or infrastructure, it took advantage of specific default Duo enrollment settings to create a valid 2FA user account, after which PrintNightmare could potentially be invoked. The behavior and vector can be fully mitigated through modifications in Duo’s policies, and by applying a patch for PrintNightmare, which has been available since July 2021.
Duo recommends reviewing your specific configuration to ensure it meets your current business and security needs. Guidance is provided below in the Recommendations section of this message.
Cyber actors were able to obtain primary credentials (username and password) for users with simple passwords and no lockout policy within Duo accounts that did not have an enrolled MFA device and then enroll their own MFA device.
Once this had been completed, actors could successfully log in to a 2FA-protected (and domain-joined) Windows machine and attempt to leverage the PrintNightmare vulnerability (CVE-2021-34527) if the machine was otherwise unpatched or vulnerable. If successful, the actor would be granted administrative privileges, potentially allowing the attacker to disable multifactor authentication or otherwise gain access to the target’s systems.
While several conditions would need to be met for this to be actively exploited, the impact of the reported incident is potentially significant and achievable.
Duo’s New User Policy governs how to treat a user who does not exist in Duo or who exists in Duo but does not have an attached MFA device. The default New User Policy configuration when protecting a new application is to “Require enrollment in 2FA.” This method of self-enrollment is an industry-standard to provide ease-of-use for multifactor adoption among end-user populations.
The bulletin describes the following conditions for potential customer impact:
- An attacker has already compromised primary credentials (username and password) for a user who does not already exist in Duo (or who exists in Duo but has no attached device or phone number).
- A New User Policy is set to Require Enrollment in 2FA (the default setting).
- An attacker can complete inline enrollment from a separate Duo-protected web application.
- An attacker can use the newly-enrolled Duo account to gain access to the victim network using VPN.
- An attacker uses the PrintNightmare vulnerability (CVE-2021-34527) to elevate privileges and take control of a domain controller, disabling Duo Authentication for Windows Logon in the process to allow them to log on directly without 2FA.
- Note: A patch was released for the PrintNightmare vulnerability in July 2021.
To determine how you may have been impacted, please do the following:
- Log in to the Duo Admin Panel
- Navigate to Policies and review use of the “New User Policy” in your Global Policy as well as all Custom Policies. If “Require enrollment in 2FA” is enabled, review new device enrollments in the following steps.
- Navigate to Reports > Authentication Log
- Here, you can run a report looking up to 180 days back to review new device enrollments for any suspicious activity, including, but not limited to, users and devices located in different countries, or known users activating a new device in a way that appears anomalous relative to expected behavior.
In addition, Duo encourages the adoption of strategies for retaining access to historical Authentication Logs beyond the 180-day limit. Customers can use a SIEM connector or the Admin API to automate continuous ingestion of their Authentication Logs into third-party systems. Customers may also choose to export Authentication Logs manually to CSV or JSON format from the Admin Panel UI to secure storage on a recurring basis.
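The enrollment review above is easy to script once logs are exported. The following is an added example (not Duo's code or an Admin API client) that runs two of the checks described, enrollment from a country other than the user's usual one and enrollment on an account dormant in the directory, over constructed records; the record layout and the `LAST_LOGON`/`HOME_COUNTRY` lookups are simplified assumptions to be adapted to your export format.

```python
"""Flag anomalous MFA device enrollments in exported authentication logs.

Added example. Record fields below are a constructed simplification of an
exported authentication log; map them to your real export before use.
"""
from datetime import datetime, timedelta

# Constructed sample: a dormant account enrolls a device from abroad and then
# reaches the VPN; a normal user enrolls from their usual country.
SAMPLE_LOG = [
    {"ts": "2021-05-02T03:14:00Z", "user": "j.doe", "event": "enrollment",
     "country": "RU", "result": "success"},
    {"ts": "2021-05-02T03:20:00Z", "user": "j.doe", "event": "authentication",
     "country": "RU", "result": "success", "application": "VPN"},
    {"ts": "2021-05-03T09:00:00Z", "user": "a.smith", "event": "enrollment",
     "country": "US", "result": "success"},
    {"ts": "2021-05-03T09:05:00Z", "user": "a.smith", "event": "authentication",
     "country": "US", "result": "success", "application": "Mail"},
]
# Constructed directory view (e.g. from AD lastLogonTimestamp) and expected country.
LAST_LOGON = {"j.doe": "2020-11-01T00:00:00Z", "a.smith": "2021-05-01T12:00:00Z"}
HOME_COUNTRY = {"j.doe": "US", "a.smith": "US"}
DORMANT_DAYS = 90


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_enrollments(log, last_logon, home_country, dormant_days=DORMANT_DAYS):
    """Return (user, reasons) for each successful enrollment that looks anomalous."""
    findings = []
    for rec in log:
        if rec["event"] != "enrollment" or rec["result"] != "success":
            continue
        user, reasons = rec["user"], []
        if user in home_country and rec["country"] != home_country[user]:
            reasons.append("enrollment country differs from user's home country")
        last = last_logon.get(user)
        if last and _parse(rec["ts"]) - _parse(last) > timedelta(days=dormant_days):
            reasons.append(f"account dormant for more than {dormant_days} days before enrollment")
        if reasons:
            findings.append((user, reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in suspicious_enrollments(SAMPLE_LOG, LAST_LOGON, HOME_COUNTRY):
        print(user, "->", "; ".join(reasons))
```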
Industry Best Practices:
- Require complex or strong primary user passwords.
- Configure password lockout policies to thwart brute-force password attacks.
- Ensure all your systems have up-to-date security patches.
- Utilize file integrity monitoring (set alerts on any modification of files on the Domain Controller and other critical servers).
- Limit self-enrollment to closely-monitored and secured applications.
- Change the New User Policy from the “Require enrollment” default setting to “Deny Access.” Follow this guide for changing the New User Policy setting.
- Adopt Zero Trust principles when securing access; manage remote access directly at the application level without opening wider VPN access to resources on your network. To learn more, refer to our documentation.
- Where possible, restrict application access to Trusted Endpoints. This can be configured on a per-application basis and the restriction applied only to high-risk applications.
- Consider setting Duo applications with configurable fail modes to “fail closed” or “fail secure” in the event that they cannot contact Duo’s service.
TruSTAR IoCs: https://station.trustar.co/constellation/reports/42a9f523-a7b0-4a46-9d19-12d8507c1573