IDCA News

21 Mar 2022

CISA warns: Russian state-sponsored cyber actors exploit MFA protocols to gain access to networks

As countries migrate towards a digital economy, cybersecurity becomes increasingly important. A recent warning by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) is highly relevant in this regard.

Important cybersecurity practice

The FBI and CISA have released a joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have accessed networks by taking advantage of default multi-factor authentication (MFA) protocols. MFA is one of the most important cybersecurity practices for reducing the risk of intrusions. According to industry research, users who enable MFA are up to 99 percent less likely to have an account compromised.

CISA strongly recommends that all organizations enforce MFA. CISA's website states: "Every organization should enforce multi-factor authentication for all employees and customers, and every user should sign up for it when it is available". However, implementing MFA is not enough, according to CISA: "Organizations that implement MFA should review default configurations and modify as necessary, to reduce the likelihood that a sophisticated adversary can circumvent this control".

Misconfigured account

Unfortunately, this is exactly what happened on May 20, 2021, when state-sponsored Russian cyber actors took advantage of a non-governmental organization's (NGO's) misconfigured account, which was set to default MFA protocols, allowing them to access the organization's networks. The attackers then exploited a critical Windows Print Spooler vulnerability known as PrintNightmare to run arbitrary code with system privileges. The attackers successfully exploited this vulnerability while targeting this NGO, which used Cisco's Duo MFA, enabling the exfiltration of documents from cloud and email accounts.

The CISA advisory describes observed tactics, techniques, and procedures, indicators of compromise (IOCs), and recommendations to protect against state-sponsored malicious cyber activity. In the Mitigations section of this advisory, the FBI and CISA urge all organizations to apply the following mitigation strategies: enforce multi-factor authentication and review configuration policies to protect against "fail open" scenarios; disable inactive accounts uniformly across the Active Directory and MFA systems; patch all systems; prioritize patching for known exploited vulnerabilities.
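As an added illustration of the "disable inactive accounts uniformly across the Active Directory and MFA systems" mitigation (example code written for this article, not from CISA, IDCA or Cisco), the following Python script cross-checks a constructed Active Directory export against a constructed MFA user export and flags the mismatches that a "fail open" or default-enrollment policy would turn into a bypass. The field names, the 90-day dormancy threshold and the MFA status values are assumptions, not any product's real schema.

```python
"""Audit AD accounts against an MFA provider's user list (illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

INACTIVE_AFTER = timedelta(days=90)  # assumed dormancy threshold

# Finding reasons, kept as constants so callers can match on them.
AD_DISABLED_MFA_ACTIVE = "disabled in AD but still active in MFA"
DORMANT_STILL_ENABLED = "dormant AD account still enabled; disable in AD and MFA"
ENABLED_NOT_ENROLLED = "enabled in AD but unenrolled in MFA; falls to enrollment/fail-open path"
MFA_BYPASS = "MFA bypass status on an enabled account"
NO_MFA_RECORD = "no MFA record; fail-open default would apply"


@dataclass
class AdAccount:          # assumed shape of an AD user export
    sam: str
    enabled: bool
    last_logon: datetime


@dataclass
class MfaUser:            # assumed shape of an MFA provider user export
    username: str
    status: str           # assumed values: "active", "bypass", "disabled"
    enrolled: bool        # has at least one registered MFA device


def audit(ad, mfa, now):
    """Return (account, reason) pairs where AD and MFA state disagree."""
    mfa_by = {m.username.lower(): m for m in mfa}
    findings = []
    for a in ad:
        name = a.sam.lower()
        m = mfa_by.get(name)
        dormant = (now - a.last_logon) > INACTIVE_AFTER
        if not a.enabled:
            if m is not None and m.status != "disabled":
                findings.append((name, AD_DISABLED_MFA_ACTIVE))
            continue  # disabled in AD: nothing else to check
        if dormant:
            findings.append((name, DORMANT_STILL_ENABLED))
        if m is None:
            findings.append((name, NO_MFA_RECORD))
        elif not m.enrolled:
            findings.append((name, ENABLED_NOT_ENROLLED))
        elif m.status == "bypass":
            findings.append((name, MFA_BYPASS))
    return findings


# Constructed sample data; "bob" and "carol" mirror the advisory's pattern.
NOW = datetime(2022, 3, 21)
AD_EXPORT = [
    AdAccount("alice", True, datetime(2022, 3, 20)),   # healthy
    AdAccount("bob", True, datetime(2021, 10, 1)),     # dormant, still enabled
    AdAccount("carol", False, datetime(2021, 6, 1)),   # disabled in AD only
    AdAccount("dave", True, datetime(2022, 3, 19)),    # never added to MFA
]
MFA_EXPORT = [
    MfaUser("alice", "active", True),
    MfaUser("bob", "active", False),    # un-enrolled for inactivity, not disabled
    MfaUser("carol", "active", True),   # never removed from the MFA system
]

if __name__ == "__main__":
    for account, reason in audit(AD_EXPORT, MFA_EXPORT, NOW):
        print(f"{account}: {reason}")
```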

For more general information on Russian state-sponsored malicious cyber activity, see CISA's Russia Cyber Threat Overview and Advisories webpage.

Photo credit: Michael Parulava
