State-sponsored hackers recently implemented a clever trick to disable multi-factor authentication and exploited a critical Windows 10 vulnerability in the print spooler to break into domain-based accounts.  With that access, the hackers were able to reach a victim’s cloud and email data.

This compromise has been in effect since as early as May 2021: the hackers combined a default configuration issue in a multi-factor authentication application known as Duo with a Windows 10 flaw to carry out the compromise.

Microsoft patched the elevation-of-privilege issue in August; however, once inside a network, the vulnerability allowed an attacker to create new accounts on Windows 10 based computers.

In the case of the NGO (Non-Governmental Organization) that fell victim to this attack, it was ultimately a weak password that allowed the attackers to brute-force their way to the correct password and gain access to the account.  After compromising the account, the Microsoft Windows 10 flaw mentioned above came into play: the attackers used it to escalate their rights to administrator level, which then allowed them to disable the multi-factor authentication originally enabled on the account.

The Cybersecurity and Infrastructure Security Agency (CISA) report stated “This change prevented the MFA service from contacting its server to validate MFA login – this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to ‘Fail open’ if the MFA server is unreachable”.

Using the methods above, the hackers were able to create new accounts with elevated access, further compromising victims’ networks, cloud storage, email accounts, and content.

How Can Users Mitigate the Chances of this Compromise?

CISA outlines several mitigations, both for MFA implementations and beyond them.  The MFA-related mitigations include:

Before implementing MFA, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.

Implement time-out and lock-out features in response to repeated failed login attempts.

Ensure inactive accounts are disabled across your systems.  If a user’s account is no longer needed, ensure the account is disabled or removed entirely.

Keep the Windows OS up to date with the latest security and feature updates.  Keeping your OS up to date helps ensure that vulnerabilities like the one that allowed the hackers to elevate their own accounts are patched.

Possibly most importantly, ensure that users have strong and unique passwords.  A strong password will prevent account break-ins from automated brute force attacks like the one used in this attack.
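The mitigation list above can be audited on a Windows host with a script like the following.  This is an added example, not code from the CISA advisory or from Natural Networks; it assumes that Duo Authentication for Windows Logon keeps a FailOpen REG_DWORD under HKLM:\SOFTWARE\Duo Security\DuoCredProv (1 = fail open, 0 = fail closed), and it checks only local accounts, not domain accounts:

```powershell
# Added example (not from the advisory or from Natural Networks): audit the
# configuration points this post lists on a single Windows host.
# Assumption: Duo for Windows Logon stores a FailOpen REG_DWORD under the key
# below (1 = fail open, 0 = fail closed); verify against your installed version.

$findings = @()

# 1. Duo fail-open: the default described in the advisory is fail open (1).
$duoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
if (Test-Path $duoKey) {
    $failOpen = (Get-ItemProperty -Path $duoKey -ErrorAction SilentlyContinue).FailOpen
    if ($null -eq $failOpen -or $failOpen -ne 0) {
        $findings += "Duo FailOpen is '$failOpen' (expected 0 = fail closed)"
    }
} else {
    $findings += "Duo for Windows Logon registry key not found at $duoKey"
}

# 2. Lockout policy: 'net accounts' reports the effective lockout threshold.
$netAccounts = net accounts
$thresholdLine = $netAccounts | Select-String 'Lockout threshold'
$threshold = $thresholdLine.ToString().Split(':')[-1].Trim()
if ($threshold -eq 'Never') {
    $findings += 'Account lockout threshold is Never (no lockout on repeated failures)'
}

# 3. Inactive accounts: enabled local accounts with no logon in the last 90 days.
$cutoff = (Get-Date).AddDays(-90)
Get-LocalUser |
    Where-Object { $_.Enabled -and ((-not $_.LastLogon) -or ($_.LastLogon -lt $cutoff)) } |
    ForEach-Object { $findings += "Enabled local account '$($_.Name)' last logon: $($_.LastLogon)" }

# 4. Patch level: show the most recent hotfix so the reviewer can compare its
#    date with the release of the print spooler fix.
$lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
Write-Output "Most recent hotfix: $($lastHotfix.HotFixID) installed $($lastHotfix.InstalledOn)"

if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated PowerShell session so the registry key and hotfix list are readable; domain-joined hosts should additionally review the lockout policy and stale accounts in Active Directory.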

By following the above recommendations, you can ensure that your organization’s users and data remain secure.  Natural Networks is a fully-managed IT services provider, and we can help ensure your company accounts and data stay secure.  If you would like to learn more about how we can help with your IT infrastructure and security, give us a call today!