The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory describing a technique used by Russian state-sponsored actors to disable multi-factor authentication (MFA) and exploit the Windows Print Spooler flaw known as PrintNightmare. The actors used the combination to compromise a network and high-value domain accounts, with the end goal of reaching the victim's cloud and email. The advisory follows weeks of Russian state-sponsored activity before and after Russia's military invasion of Ukraine.
According to the FBI and CISA, the activity dates back to at least May 2021 and began with a default-configuration weakness in a Duo MFA deployment at a non-governmental organization (NGO). Initial access came from a brute-force password-guessing attack against an account protected by a weak, predictable password; that account had been un-enrolled from Duo after a long period of inactivity but not disabled in Active Directory, and Duo's default settings allowed the actors to enroll their own device for it. The actors then exploited PrintNightmare (CVE-2021-34527), which Microsoft patched in 2021, to run arbitrary code with system privileges. With administrative access they modified a domain controller's hosts file so that the Duo API hostname resolved to 127.0.0.1; because Duo for Windows "fails open" by default when its service cannot be reached, this effectively disabled MFA for active domain accounts and let the actors use compromised accounts to reach the victim's cloud and email.
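The advisory reports that the actors edited a domain controller's hosts file to send the Duo API hostname to 127.0.0.1 and relied on the Duo Windows client's default fail-open behaviour to bypass MFA. The following is an added detection check written for this page; it is not code from the advisory, from Duo, or from the article's source. It parses Windows hosts-file content (a constructed sample is embedded), flags any entry that overrides a duosecurity.com hostname, marks entries pointed at loopback or 0.0.0.0 as blackholed, and combines that with a caller-supplied fail-open flag. The names `DuoOverride`, `find_duo_overrides` and `mfa_bypass_risk` are this example's own. The advisory prints the attacker's entry hostname-first (`api-<redacted>.duosecurity.com 127.0.0.1`) while Windows expects address-first, so the parser accepts either token order. On a real host the fail-open flag would come from the Duo Windows Logon registry setting (the `FailOpen` value, 1 = fail open by default); that mapping is an assumption to confirm against your Duo version.

```python
"""Offline check for the hosts-file MFA bypass described in the FBI/CISA advisory.

Added example, not code from the advisory or from Duo. The hosts content below
is constructed for the example; only the redirect line mimics the advisory's
reported entry (with the real API hostname replaced by a made-up one).
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Duo API hostnames should only ever resolve via DNS. Any hosts-file entry
# for one is suspicious regardless of the address it points to.
DUO_SUFFIX = ".duosecurity.com"

# Constructed sample: the stock Windows hosts header, one benign internal
# entry, and one override in the hostname-first form the advisory shows.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
10.0.0.5    fileserver.corp.example   # constructed internal entry
api-1234abcd.duosecurity.com 127.0.0.1
"""


@dataclass(frozen=True)
class DuoOverride:
    line_no: int
    hostname: str
    address: str
    blackholed: bool  # pointed at loopback/unspecified, i.e. Duo made unreachable


def parse_hosts(text: str) -> Iterator[Tuple[int, list, list]]:
    """Yield (line_no, ip_addresses, hostnames) for each active hosts entry.

    Comments and blank lines are skipped. Tokens that parse as IPv4/IPv6
    addresses are treated as addresses, everything else as hostnames, so both
    '127.0.0.1 name' and the advisory's 'name 127.0.0.1' ordering are handled.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addresses, hostnames = [], []
        for token in line.split():
            try:
                addresses.append(ipaddress.ip_address(token))
            except ValueError:
                hostnames.append(token.lower().rstrip("."))
        if addresses and hostnames:
            yield line_no, addresses, hostnames


def find_duo_overrides(text: str) -> List[DuoOverride]:
    """Return every hosts entry that overrides a duosecurity.com hostname."""
    findings: List[DuoOverride] = []
    for line_no, addresses, hostnames in parse_hosts(text):
        for host in hostnames:
            if host.endswith(DUO_SUFFIX) or host == DUO_SUFFIX[1:]:
                for addr in addresses:
                    findings.append(DuoOverride(
                        line_no=line_no,
                        hostname=host,
                        address=str(addr),
                        blackholed=addr.is_loopback or addr.is_unspecified,
                    ))
    return findings


def mfa_bypass_risk(hosts_text: str, fail_open: bool = True) -> str:
    """Rate the bypass risk from the hosts file plus the Duo fail-open setting.

    fail_open=True mirrors the Duo Windows Logon default the advisory says the
    actors relied on (assumed to correspond to the FailOpen registry value).
    HIGH: Duo blackholed and client fails open, i.e. the advisory's scenario.
    MEDIUM: a Duo hostname is overridden at all (investigate the address).
    LOW: no override, but fail-open means an outage also disables MFA.
    NONE: no override and the client fails closed.
    """
    overrides = find_duo_overrides(hosts_text)
    if fail_open and any(o.blackholed for o in overrides):
        return "HIGH"
    if overrides:
        return "MEDIUM"
    return "LOW" if fail_open else "NONE"


if __name__ == "__main__":
    for finding in find_duo_overrides(SAMPLE_HOSTS):
        print(f"line {finding.line_no}: {finding.hostname} -> {finding.address}"
              f" (blackholed={finding.blackholed})")
    print("risk:", mfa_bypass_risk(SAMPLE_HOSTS, fail_open=True))
```

Run it against `C:\Windows\System32\drivers\etc\hosts` on domain controllers and any host running Duo for Windows Logon; a MEDIUM result still deserves a look, since there is no legitimate reason for a Duo API hostname to be pinned in the hosts file. Setting the client to fail closed removes the HIGH case but trades it for a lockout if Duo's service is genuinely unreachable, so pair that change with a break-glass account that is monitored.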
Read More: Hackers used these tricks to dodge multi-factor authentication and steal email from NGO