{"id":21386,"date":"2022-03-21T18:09:12","date_gmt":"2022-03-21T18:09:12","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=21386"},"modified":"2023-05-12T15:48:36","modified_gmt":"2023-05-12T15:48:36","slug":"misconfigured-mfa-printnightmare","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/misconfigured-mfa-printnightmare\/","title":{"rendered":"Defending Against Misconfigured MFA & PrintNightmare Vulnerabilities"},"content":{"rendered":"

Using misconfigured multi-factor authentication (MFA)<\/a> and an unpatched Windows vulnerability, Russian state-sponsored hackers were able to breach a non-governmental organization (NGO) and escalate privileges, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI revealed<\/a> last week.<\/p>\n

By using a misconfigured Cisco Duo MFA implementation to force enrollment of a new device, the hackers were then able to use the “PrintNightmare” Windows Print Spooler<\/a> vulnerability (CVE-2021-34527<\/a> and CVE-2021-36958<\/a>) to obtain administrator privileges.<\/p>\n

Inactive Accounts and Default Configurations<\/strong><\/h2>\n

Hackers gained initial access by brute-forcing an existing account via “a simple, predictable password” to enroll a new device in the MFA procedures, the agencies said. The targeted organization was using the default MFA configuration, so it was possible to re-enable MFA for a dormant account with a new device owned by the attackers.<\/p>\n

MFA was automatically disabled because the account was inactive for a long period. Unfortunately, the account was still enabled in Active Directory<\/a>, which allowed hackers access to the network.<\/p>\n

After that, they modified a domain controller file, c:\\windows\\system32\\drivers\\etc\\hosts, to redirect all MFA calls (e.g., logins) to localhost instead of the MFA server.<\/p>\n

They exploited a default policy in MFA protocols called “Fail open” that disables verification if the MFA server is unreachable. They then authenticated to the victim’s VPN<\/a> to initiate a remote desktop protocol (RDP)<\/a> connection to the domain controllers. That\u2019s how they obtained credentials for other domain accounts and replicated the operation to bypass MFA.<\/p>\n

This unfortunate turn of events shows how adversaries can quickly sneak into a system and exploit vulnerabilities to escalate privileges and compromise the whole network. Even with such significant flaws, proper network segmentation<\/a> and zero trust<\/a> could have reduced the damage, perhaps blocking the attack at some point.<\/p>\n

In privileged<\/a> areas, there are no small problems.<\/p>\n

Also read: Top 9 Active Directory Security Tools<\/a><\/p>\n

PrintNightmare Remains a Struggle<\/strong><\/h2>\n

Admins<\/a> have struggled<\/a> with PrintNightmare fixes and patches, and hackers can still exploit a vulnerable Windows Print Spooler service to elevate their privileges.<\/p>\n

Print spooler is a service in Windows that manages all print jobs sent to the print server. You can actually observe the service in Windows by opening the services.msc utility. It works great but researchers found a bug in the driver installation procedure that allows bypassing authorization using a RPC (Remote Procedure Call) function to install a malicious DLL and ultimately execute arbitrary code.<\/p>\n

There are multiple POCs (proofs of concept) available publicly like this python script<\/a> that work on a “fully patched Domain Controller.” Microsoft partially mitigated the bug but not the privilege escalation. Applying the patches does not eliminate all risks but not doing so would be a significant risk.<\/p>\n

Of course, you could disable the Print Spooler service but that would disable print both locally and remotely, which does not look like a valid solution:<\/p>\n

\"disable<\/p>\n

Print Spooler has a long history of bugs and misdiagnosis, but CVE-2021-34527 allows compromising the entire Windows system and affects an extensive range of Microsoft products.<\/p>\n

The bug itself does not require high privileges, as any authenticated user is enough to attack domain controllers:<\/p>\n

\"printnightmare\"
Source: Twitter \u2013 Benjamin Delpy<\/figcaption><\/figure>\n

Mitigations that would consist of restricting permissions for driver installations could be challenging because you have to modify Windows registry entries, so if it\u2019s not executed correctly, you might damage the system.<\/p>\n

Also read: Best Patch Management Software<\/a><\/p>\n

Protecting Against PrintNightmare, MFA Exploits<\/strong><\/h2>\n

FBI and CISA recommend a long list of mitigations and security and network best practices, which can consist of hardening login policies and restricting admin privileges but also monitoring remote access or unapproved protocols. Here is the full list:<\/p>\n

Mitigations<\/strong><\/h3>\n