Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) – Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability (AA22-074A) – to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default multifactor authentication (MFA) protocols and a known vulnerability. This cyber activity highlights ongoing capabilities and support of Russian state-sponsored cyber threat actors.

While multifactor authentication (MFA) is one of the best cybersecurity measures to protect against unauthorized account and network access, it is not without its vulnerabilities. As with any cybersecurity controls, organizations must carefully implement best practice guidance, as not all configurations are created equal.

Alert AA22-074A highlights the need for cybersecurity product/control configurations to be carefully reviewed before and after implementation and the importance of patching or otherwise mitigating known vulnerabilities in a timely fashion.

What’s important about Activity Alert AA22-074A?

• As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network.
• The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527) to run arbitrary code with system privileges.
  • “PrintNightmare” (CVE-2021-34527) was included on the first publishing of CISA’s “Known Exploited Vulnerabilities Catalog” on November 3, 2021.
  • The “PrintNightmare” (CVE-2021-34527) vulnerability has had a patch available since July 2021.
• Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.

Members are encouraged to review AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability for additional information on threat actor behaviors and mitigation recommendations.

A Note About CISA’s Known Exploited Vulnerabilities Catalog

CISA’s Known Exploited Vulnerabilities Catalog is a highly recommended resource to help all organizations prioritize patching and vulnerability mitigation. This catalog now contains 504 vulnerabilities known to be currently used by threat actors to exploit devices that remain unpatched. In addition, CISA includes remediation due dates which offer even more granularity in approaching and understanding the importance of patch prioritization and vulnerability mitigation. Members are encouraged to check the catalog and the regular updates for potentially impacted components in your environment. The importance of addressing known exploited vulnerabilities cannot be overstated and CISA has provided this great tool to help make this process less cumbersome.

Additional Resources

Members are encouraged to regularly review CISA’s Shields Up, Shields Up Technical Guidance, and Known Exploited Vulnerabilities Catalog for updates, and previously published WaterISAC and EPA webinars and advisories for cybersecurity measures and relevant resources to protect against Russian state-sponsored cyber activity. Likewise, visit Russia Cyber Threat Overview and Advisories for an overview of CISA's assessment of the Russian government’s malicious cyber activities.

Prior WaterISAC and EPA Advisories and Webinars

• U.S. EPA-WaterISAC Joint Notification on Protecting VSAT Networks and Communications
• U.S. EPA-WaterISAC Advisory on Potential Threat to Critical Infrastructure
• EPA-WaterISAC Webinar: Cybersecurity Recommendations in Consideration Russian State-Sponsored Cyber Operations Against U.S. Critical Infrastructure
• (TLP:AMBER) U.S. EPA-WaterISAC Advisory on Recommendations in Consideration of Russian Cyber Operations
• (TLP:WHITE) Joint Cybersecurity Advisory (AA22-011A) Issued to U.S. Critical Infrastructure for Understanding and Mitigating Russian State-Sponsored Cyber Threats

Incident Reporting
WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email analyst@waterisac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the threat environment of the sector.