The CSA and FBI have collaboratively conducted various types of analysis over hacking activity. There have been speculations on Russian State-Sponsored threat actors and their targets over Ukraine and other parts of the world.
Recently, they have exploited an NGO that was using Cisco’s Duo MFA which had enabled access to cloud and email accounts for stealing documents.
The FBI has also listed the steps to mitigate, Techniques, tactics and Procedures, Indicators of Compromise that can be used to protect against Russian State-Sponsored Hackers.
How did they exploit it?
In early May 2021, the FBI noted that the Russian State-Sponsored hackers were targeting an NGO and exploited a flaw in that system relating to MFA and to move inside the network.
The Hackers initially gained access to the network via compromised credentials. Later, they enrolled in a new device for the compromised account. Hackers were using Brute force techniques to extract credentials of an account. Accounts with very simple and predictable passwords were compromised.
Due to long inactivity on the compromised account, MFA is disabled and especially the accounts were not removed from the active directory. Hackers leveraged these accounts and took over them.
For privilege escalation, they used a known vulnerability called “PrintNightmare” and gained access to the system.
After escalating privileges, they managed to change the C:windowssystem32driversetchosts file to modify MFA. They redirected the hosts’ file and changed the Duo Server IP to localhost.
This prevented the validation of devices associated with the accounts. Another interesting thing is, Duo has a default value as “Fail Open”. This has disabled MFA authentication for the device while connecting to VPN.
Once they got access to the Virtual Private Network, they used Remote Desktop Protocol to connect to Windows Domain Controller. They used these accounts to move laterally around the organisation.
Indicators of Compromise
The following processes might indicate that the systems can be compromised.
- ping[.]exe
- regedit[.]exe
- rar[.]exe
- ntdsutil[.]exe
Hosts file modifications include
127.0.0.1 api-<redacted>.duosecurity[.]com
The following IP addresses were identified that were used by the threat actors.
- 45.32.137[.]94
- 191.96.121[.]162
- 173.239.198[.]46
- 157.230.81[.]39
Mitigations
- Enabling MFA to all the users as soon as possible
- Configure new policies for “fail open”
- Ensure to remove all the accounts that are presumed deactivated.
- Update all the software and patches
- Monitor for suspicious log
- Not letting employees use the same login credentials to many accounts.
