THE THREAT
In a joint report, the FBI and CISA have disclosed recent Russian state-sponsored APT activity. An unspecified Russian APT group was observed abusing misconfigured Multi-Factor Authentication (MFA) and the PrintNightmare vulnerability (CVE-2021-34527) in a recent attack against a Non-Government Organization (NGO). The attack resulted in the theft of sensitive data.
Organizations are strongly recommended to ensure that the use of MFA is enforced and reviewed for proper implementation. Additionally, all devices impacted by PrintNightmare need to be up to date on security patches in order to prevent abuse.
What we're doing about it
- Known attacker infrastructure has been blocked via eSentire’s global deny list
- Threat hunts have been performed for indicators associated with this campaign
- eSentire MDR for Endpoint and Log have detections in place to identify exploitation of PrintNightmare
- eSentire’s Managed Vulnerability Service (MVS) has plugins in place to identify the PrintNightmare vulnerability
- The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
- Deploy security patches for all devices vulnerability to CVE-2021-34527
- A Managed Vulnerability Services can assist in the identification of vulnerable devices
- Enforce the use of MFA for all employees
- Ensure that all non-active accounts are properly deactivated
- Enforce strong minimum password requirements to reduce the likelihood of successful bruteforce attacks
- In certain cases, vulnerable Horizon servers were not Internet-facing, but ultimately had exploit requests routed to them from external gateways.
- See the full report for additional recommendations and security best practices
Additional information
The recent campaign impacted a Non-Government Organization (NGO). In the attack, initial access was gained via a bruteforce attack. The compromised account was then used to enroll a new device in the company’s MFA platform. After persistent access was achieved, the threat actors exploited the PrintNightmare vulnerability to allow for lateral movement and the eventual theft of information.
CVE-2021-34527 was disclosed in July 2021. It is a Remote Code Execution vulnerability in the Windows Print Spooler service. Initial recommendations related to PrintNightware were to ensure that Internet-facing devices were patched. As widespread exploitation has been ongoing for months and exploits have been widely adopted by multiple threat actor groups, organizations need to ensure that all devices, including internal, are up to date on relevant patches.
References
[1] https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
