We’ve previously released alerts regarding the PrintNightmare (CVE-2021-34527) vulnerability and it continues to pose a serious threat to environments.
The FBI and CISA have released a joint advisory warning “that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability.” The known vulnerability referenced is PrintNightmare with which threat-actors used a misconfigured account, with default MFA protocols, to enroll a new device and access the victim’s network. The attackers used Cisco’s Duo MFA to gain access to cloud and email accounts.
The mitigation steps outlined are as follows:
- Enforce MFA and review configuration policies to protect against “fail open” and re-enrollment scenarios.
- Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
- Patch all systems. Prioritize patching for known exploited vulnerabilities. (CISA Vulnerabilities Catalog LINK)
For more technical details and additional CISA resources: LINK