Many companies and organizations have moved to multi-factor authentication (MFA) as a key way to enhance their cybersecurity.
But a recent FBI and CISA (Cybersecurity and Infrastructure Security Agency) alert highlights the fact that, while MFA is considered a cybersecurity best practice, it can be defeated by determined hackers, especially when poor implementation coincides with an as-yet-unpatched software vulnerability.
Anatomy of an Attack
The CISA alert covers an attack perpetrated by Russian state-sponsored cyber attackers on a non-governmental organization (NGO). The attack began in May 2021, but wasn’t detected until much later.
The attack unfolded as follows:
- The attackers gained initial access with a successful brute-force attack on a long-dormant account that had a simple, predictable password.
- MFA was installed, but a poor configuration choice on the part of the NGO, combined with negligence regarding unused accounts, rendered it toothless: Since the account was inactive, it had been unenrolled from MFA. But it had not been disabled in the organization’s Active Directory. The MFA program was configured to allow dormant accounts to re-enroll with a new device, which allowed the hackers to enroll their own device with the dormant account, authenticate, and gain access to the network.
- Once in the network, the attackers used the “PrintNightmare” vulnerability (CVE-2021-34527) to perform privilege escalation and get administrator privileges on the network.
- The attackers modified a domain controller file, redirecting MFA calls to localhost instead of the MFA server, so the MFA program could no longer contact its server to validate logins. In another, even worse configuration choice, the NGO had configured its MFA to “fail open,” meaning a login is allowed whenever the MFA server cannot be reached. The redirect therefore disabled MFA for every account, not just the one the attackers first compromised.
- The attackers then authenticated to the NGO’s virtual private network (VPN) and made Remote Desktop Protocol (RDP) connections to Windows domain controllers.
- This access was used to steal credentials for additional accounts.
- The same technique described above was used to disable MFA for the additional accounts.
- Using these compromised accounts with MFA disabled, the attackers were able to move laterally to the victim’s email and cloud storage accounts and access the information they were targeting.
How the Attack Could Have Been Prevented
The attack could have been stopped in several different ways — some policy related and others technical.
Policy changes that could have stopped the attack include:
- Configuring MFA to be more secure – not using “fail open,” and requiring a known device for re-enrollment.
- Making sure inactive accounts are disabled in both MFA and Active Directory at the same time.
- Promptly patching all software.
Any one of these steps could have stopped the attack (in the case of patching, assuming the attackers had not yet used PrintNightmare for privilege escalation when Microsoft issued the patch in July).
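The two account-hygiene failures above (dormant accounts left enabled in Active Directory, and the MFA server name silently redirected to localhost) can both be checked from a domain-joined Windows host. The script below is an added example, not code from the Ericom post or the CISA alert; it assumes the RSAT ActiveDirectory module is installed, and the 90-day window and the `mfa.example.internal` hostname are placeholders to replace with your own values. The fail-open setting itself lives in the MFA vendor's configuration and is not checked here.

```powershell
# Added example (not from the original post). Assumptions: RSAT ActiveDirectory module,
# a placeholder MFA hostname, and a 90-day inactivity threshold.
param(
    [int]$InactiveDays = 90,
    [string]$MfaServer = "mfa.example.internal",   # placeholder, not from the alert
    [switch]$Disable                               # without this switch, only report
)
Import-Module ActiveDirectory

# 1. Dormant accounts that are still enabled in AD. The attackers re-enrolled a new
#    MFA device on exactly this kind of account; a disabled AD account cannot do that.
$stale = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) |
    Where-Object { $_.Enabled }
foreach ($acct in $stale) {
    Write-Output ("Dormant but enabled: {0} (last logon {1})" -f $acct.SamAccountName, $acct.LastLogonDate)
    if ($Disable) {
        Disable-ADAccount -Identity $acct.DistinguishedName
        # Leave a reason on the object so the MFA-side unenrollment can be reconciled later.
        Set-ADUser -Identity $acct.DistinguishedName -Description ("Disabled: inactive > {0} days" -f $InactiveDays)
    }
}
# Export the list so the MFA administrator can confirm the same accounts are unenrolled there.
$stale | Select-Object SamAccountName, LastLogonDate |
    Export-Csv -NoTypeInformation -Path .\dormant-accounts.csv

# 2. Does the MFA server name still resolve to a real address? In the attack the name
#    was pointed at localhost on a domain controller; with fail-open, every login then passed.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($MfaServer)
} catch {
    Write-Warning ("{0} does not resolve; a fail-open MFA agent would now admit everyone" -f $MfaServer)
    $addrs = @()
}
foreach ($ip in $addrs) {
    if ([System.Net.IPAddress]::IsLoopback($ip)) {
        Write-Warning ("{0} resolves to loopback {1}: MFA traffic is being redirected on this host" -f $MfaServer, $ip)
    } else {
        Write-Output ("{0} -> {1}" -f $MfaServer, $ip)
    }
}
```

Run it first without `-Disable` to review the report and the CSV; the resolution check should be run on each domain controller, since the redirect was local to the host the attackers modified.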
ZTEdge, the Ericom Zero Trust SASE platform, includes several capabilities that could have blocked this attack as it occurred, even without the above policies being implemented.
- The Intrusion Prevention System (IPS) can detect and block brute-force attacks, such as the one used to gain the initial access.
- Zero Trust Network Access would have stopped the lateral movement to other machines, limiting the “blast radius” to the one compromised machine.
- The attack also could not have occurred if users had been required to connect via the ZTEdge cloud.
Cybersecurity requires many levels of protection. Most attacks don’t succeed because of a single point of failure – they succeed due to a series of multiple failures, as in this attack.
Combining diligent cybersecurity policies with comprehensive, state-of-the-art Zero Trust security is the best way to avoid falling victim to a cyberattack.
About Nick Kael
A cybersecurity expert with over 20 years of experience in web technologies, architecture, infrastructure, networking and dev environments, Nick is responsible for solution management, technology strategy and technology partnerships. Nick was previously Symantec Group CTO for Global Service Providers, following his tenure as Director of the Chief Architect Team for Channel and Service Providers at Zscaler and an earlier position in the Symantec CTO organization. His certifications include CEH7, CCSK, BCCPP, Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5 and VTSP5.