Another Russian Cyber Attack!

(7)

While it is true that this attack was carried out by actors funded by the Russian government, it occurred back in May 2021 and was only recently reported on, so it likely has little to do with the recent political conflicts involving Russia. The FBI and CISA (the Cybersecurity and Infrastructure Security Agency) have released information that this attack used flawed MFA (Multifactor Authentication) settings as an entry point, after which the attackers exploited an already known vulnerability, PrintNightmare (1). The victim is an undisclosed non-government organization, and it is unclear exactly what information was exfiltrated, but it is clear that the attackers had access to cloud documents and email accounts.


What is PrintNightmare?

Microsoft put out a report covering the severity and details of this vulnerability on July 1st 2021. The vulnerability lies in the Windows Print Spooler service, which, when working as intended, manages all print jobs as they are received by the computer. When the service is exploited, it improperly performs privileged file operations, which gives attackers the opportunity to execute arbitrary code. Remote code execution (RCE) is a serious class of vulnerability because it essentially grants bad actors system privileges, giving them free rein to view data, delete data, or install programs that they would not otherwise have been able to (2). It is because of this that Microsoft rated the vulnerability an 8.8/10 on the Common Vulnerability Scoring System (CVSS) (3).


How was the attack done?

MFA is usually an important part of keeping intruders out of accounts they are not supposed to access. This attack, on the other hand, made use of Cisco’s Duo MFA system, which had a default configuration allowing inactive accounts to be reactivated without needing to be authenticated (4). Because of this oversight, all that the attackers had to do was (5):

  • Find an inactive account that has a poor password.
  • Brute force the weak password, then reactivate the account (skipping having the account verified).
  • Implement the PrintNightmare exploit to escalate their permissions.
  • Use these system permissions to completely disable MFA for all the accounts.

At this point the attackers were well inside the network and could continue to create accounts to snoop on data stored on the cloud server and within the other users’ emails.
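As an added example (not from the original post, nor from Duo, CISA or the FBI), here is a small Python detector that runs the chain above over constructed log lines: repeated failures followed by a success, a long-inactive account re-enrolling in MFA, and MFA being switched off for everyone. The event names, the log format and the LAST_SEEN directory data are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), one per line:
#   TIMESTAMP EVENT user=<name> src=<ip>
SAMPLE_LOG = """\
2021-05-03T09:00:01Z LOGIN_FAIL user=dormant01 src=203.0.113.5
2021-05-03T09:00:02Z LOGIN_FAIL user=dormant01 src=203.0.113.5
2021-05-03T09:00:03Z LOGIN_FAIL user=dormant01 src=203.0.113.5
2021-05-03T09:00:04Z LOGIN_FAIL user=dormant01 src=203.0.113.5
2021-05-03T09:00:05Z LOGIN_FAIL user=dormant01 src=203.0.113.5
2021-05-03T09:00:06Z LOGIN_OK user=dormant01 src=203.0.113.5
2021-05-03T09:00:40Z MFA_ENROLL user=dormant01 src=203.0.113.5
2021-05-03T09:05:00Z LOGIN_FAIL user=alice src=198.51.100.7
2021-05-03T09:05:30Z LOGIN_OK user=alice src=198.51.100.7
2021-05-03T11:30:00Z MFA_POLICY_DISABLED user=dormant01 src=10.0.0.12
"""

# Constructed directory data (assumed): last successful login before this window.
LAST_SEEN = {"dormant01": "2020-09-14T08:00:00Z", "alice": "2021-05-02T17:45:00Z"}

FAIL_THRESHOLD = 5                   # failures shortly before a success = brute force
FAIL_WINDOW = timedelta(minutes=10)  # how far back failures are counted
DORMANT_AFTER = timedelta(days=90)   # no login for this long = inactive account


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return parse_ts(ts), event, fields["user"], fields.get("src")


def analyze(log_text, last_seen):
    """Return (rule, user, src) findings for the chain: brute force -> dormant
    account logs in and re-enrolls in MFA -> MFA disabled for everyone."""
    findings = []
    fails = defaultdict(list)  # user -> timestamps of recent LOGIN_FAIL events
    for line in log_text.strip().splitlines():
        ts, event, user, src = parse_line(line)
        recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
        dormant = user in last_seen and ts - parse_ts(last_seen[user]) > DORMANT_AFTER
        if event == "LOGIN_FAIL":
            fails[user] = recent + [ts]
        elif event == "LOGIN_OK":
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("brute_force_success", user, src))
            if dormant:
                findings.append(("dormant_account_login", user, src))
            fails[user] = []
        elif event == "MFA_ENROLL" and dormant:
            # Enrolling a device on a long-inactive account is the reactivation step
            findings.append(("dormant_account_mfa_reenrolled", user, src))
        elif event == "MFA_POLICY_DISABLED":
            # MFA being switched off for all accounts should always page someone
            findings.append(("mfa_disabled_tenant_wide", user, src))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, LAST_SEEN):
        print(*finding)
```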


Takeaways

It is clear that many things had to go wrong for this attack to be carried out: the faulty default settings of Duo MFA, the NGO’s failure to understand the settings governing its own network’s security, and even Microsoft’s relative slowness in releasing a fix for the known exploit. But the simplest flaw, and one that any of us could be responsible for, is creating a weak password. Without an account with a relatively simple password that the attackers could guess, there would not have been an entry point for the attack (5). Making a complex password that is hard to crack is not only beneficial for your own security; as this example showed, when all else fails, having a good password also benefits everyone on the shared network.

Here is a video that goes over some things to consider when making a good password:

(6)

Sources:

(1) https://thehackernews.com/2022/03/fbi-cisa-warn-of-russian-hackers.html

(2) https://nakedsecurity.sophos.com/2021/06/30/printnightmare-the-zero-day-hole-in-windows-heres-what-to-do/

(3) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

(4) https://www.cisa.gov/uscert/ncas/alerts/aa22-074a

(5) https://nakedsecurity.sophos.com/2022/03/16/russian-actors-bypass-2fa-story-what-happened-and-how-to-avoid-it/

(6) https://www.youtube.com/watch?v=pMPhBEoVulQ&t=102s

(7) https://www.ft.com/content/0aa7a6e0-ca52-11e9-af46-b09e8bfe60c0

35 Comments

  1. Wait what another one??? I am not surprised to see another cyberattack which is funded by the Russian government. However, I am unclear how they benefited from this attack. After reading so many blog posts about how to choose a strong password, I think a strong password is the only thing between you and an intruder. Even if we have TFA or MFA enabled, a weak password will not prevent an intruder from successfully hacking you. This blog is a great example of how the hacker was able to find a loophole in the MFA and brute force the weak password. So lesson learned always choose a strong password!!

  2. Hey, great post! Russia sure takes the number 1 spotlight when it comes to executing cyber attacks. I have read various reports on Russia’s attempt to subvert Ukrainian government websites. Therefore, this does not come as a huge surprise to me. Also, I liked how you mentioned how one can protect their password from external attacks. I think people take passwords for granted (I sure do) and many times I have to remind myself that strong passwords will keep me safe in the long run.

  3. This is a really good example. Brute force cracking weak passwords is often the most common method used by hackers. Still, many people use weak passwords for simplicity’s sake. In particular, attacks sponsored by other governments are more capable of brute force cracking large numbers of weak passwords, leading to the disclosure of users’ private information. In this case I think more service providers should choose not to trust users’ policies and mandate complex passwords. For example, it must contain numbers and special characters to help users protect their privacy.

  4. Wow. This just goes to show truly how important it is to have a strong password. As you stated in the article, had the user created an account with a strong password, this attack could have been prevented. Of course the security practices of Cisco allowing inactive accounts to bypass authentication played a large role in allowing this attack to happen, but it feels almost impossible to defend yourself against a state-funded cyberattack. It seems like they can find any vulnerability and find a way to exploit it. I cannot imagine the amount of resources they had at their disposal in order to execute this attack.

  5. In my opinion, cyber attacks like these will only become more and more commonplace. It is the newest way to wage “war” without the cost of any lives, and in some cases can be as valuable as going to a country for say… oil. Data becomes more and more valuable as our lives become more and more immersed with technology and whoever controls all of that information may one day control everything. As others have already said, I like that you discussed the real culprits here seem to be weak brute forceable passwords and a flawed MFA system, but also Microsoft themselves for not fixing a known flaw in their system. As conflicts rise between Russia and the world, I think it would be very interesting to see how many more cyber attacks we see unfolding, we’ve already to some extent seen “hacker groups” such as Anonymous targeting Russia so what more is to come?

    1. For sure. In World War I, aerial combat entered the fray. In World War II, tanks became commonplace. Now, cyberwarfare is the new norm for combat. Hospitals and theatres of war are similar in that people’s lives depend on machines, and if the integrity of these machines can be compromised, many are in danger. National economics, military equipment, supply chains, etc. can all be disrupted through cyber attacks, making cyberwarfare essential to winning a war.

  6. This just goes to show, yet another example of how oftentimes the best practices are the simplest ones. I wonder if the future holds an alternative method to pass-phrases for system authentication. These types of attacks seem to be all too common, and not only jeopardize individual accounts, but entire networks as a whole. It doesn’t make sense for one weak point in a system to allow an intruder to wreak this much havoc, but unfortunately this is the reality of things today.

  7. Great post! The cyber war is getting more and more hectic. We can see that the more we try to implement stronger ways to keep data protected the more ways it is able to be hacked into. It’s getting more and more complicated. I wonder what the limit is. I also really liked that you added a video to help people create better passwords!

  8. This PrintNightmare vulnerability is very interesting. I wonder how a program designed to manage print jobs could have the capability of performing privileged file operations and executing code remotely. Then again, I may be confused as to what exactly is entailed by “print jobs”.

  9. Really interesting post, and it reminds me of the old adage “a chain is only as strong as its weakest link,” which fits this perfectly. A lot of things I have read about, regarding cybersecurity issues, normally link to something simple. Like a corporation neglecting to do some basic security principle, or users having weak passwords. Looking back at one of the previous worksheets (where we researched common passwords) it was interesting to see how a lot of the most common passwords are simple 2-4 syllable words (which makes them easy to guess). It is a bit comical to think about how we haven’t really gotten any better (as users) at creating passwords, and how corporations still make quite poor decisions.

  10. I like this informative post! It is actually quite unclear according to the post how Russia benefitted from this attack and how this is gonna be helpful for them in the future amidst the war that is going on currently. However, I believe the most important takeaway from this post was how they actually planted the attack. It is actually amazing to see the different methods that hackers come up with to steal information even if there is a minimal chance of doing so. Even though it will take a longer time to guess the password of any user as long as there is a company security policy about passwords, the user should still be cautious enough about other factors such as storing passwords, sharing passwords etc.

  12. Again, at the end of the day, it shows that the easiest path to any kind of software is through taking advantage of human error. No matter how advanced the cryptographic systems implemented are, or anything, I don’t think they’ll ever have the power to protect any kind of account with a weak password.

  13. That was a very interesting read. But after hearing about the multitude of “supposed” attacks by the Russian government, I feel very concerned. Foreign governments using cyber warfare to sabotage another foreign state is nothing new and even my own country has been a subject of that. Back in 2016, a massive scale bank heist took place where hackers stole millions of dollars from the national bank of my country, Bangladesh, and it is suspected that this was carried out by North Korea. Such cyber attacks put regular civilians in danger too and hence I feel even more anxious after hearing about Russia’s activities in the cyber space.

    Moreover, the fact that brute force attacks are still prevalent nowadays even though the public has been made aware of how risky weak passwords made from birthdays and first names are is very disappointing. There should be more awareness campaigns which should teach the general public more about general Dos and Don’ts when it comes to the internet.

  14. Interesting Post! The joint research was published by the National Cyber Security Centre in the UK and US agencies including the National Security Agency. It warned that a Russian state-backed hacker group known as Sandworm had developed a new type of malware called Cyclops Blink, which targets firewall devices made by the manufacturer Watchguard to protect computers against hacks.

  15. It’s quite interesting to see the very things we’re learning about in this course in use in real-time in a global event. However, it certainly makes me wary, as cyberattacks used by governments against other countries cause you to wonder if any individual has even an iota of privacy at all.

  16. This is quite a gripping article regarding the PrintNightmare vulnerability. What I can take from the article at the end is that cyber-attacks have a high potential to become one of the most significant means to wage war without affecting human lives. As we all can agree, data is the most valuable asset in today’s world. Yet, as mentioned in the article, we ourselves are primarily responsible for these hacks taking place; after all, many people still choose to use simple and easy-to-crack passwords. No wonder brute force cracking weak passwords is the most regular way taken by hackers. On the other hand, Russia is indeed the centre of attention when it comes to deploying cyber-attacks; hence, it was not a great surprise to me when I read about it in the article. However, as more and more chaos rises between Russia and the other countries, it would be interesting to witness the other methods of messing with people’s online data and security. All in all, for now, the most we can do is to ensure we have strong passwords to tackle the current common cyber attacks.

  17. Great post. In an odd way I’m impressed with the creativity of the hackers here since they managed to exploit what’s usually a great security feature (MFA) to gain access to private information. It’s an excellent example of how protocol failures can work hand in hand with software failures to exacerbate security issues. As you stated, had users chosen strong passwords for their accounts, the hackers would not have been able to exploit this security vulnerability. This could have been avoided if the NGO had implemented NIST-aligned password policies.

  18. Great post! All the posts I have read so far have convinced me that most of the time people are the greatest vulnerability in most systems. The administrator of the MFA did not configure its settings properly and users used weak passwords.

  19. Good job on this post!! It’s quite concerning how frequent the cyberattacks Russia has been doing have been occurring, especially considering the actions of the country with Ukraine. Hopefully this doesn’t further the potential of a third world war, it is quite scary to think about.

  20. Great post, we should recommend ourselves using very strong passwords as this saves us from our accounts being hacked way easily, multi factor authentication should not be penetrated easily like that, it should have more protection, but I guess technology keeps on evolving everyday so new techniques come as we go forward.

  21. The recent news regarding Russia and cyber attacks has definitely been concerning. Throughout this course, I’ve really learnt that strong passwords are definitely very important. Great post!

  22. This is a very interesting article about the Print Nightmare flaw. What I can deduce from the conclusion of the paper is that cyber-attacks have a strong potential to become one of the most important means of waging war without causing human casualties. Data is, without a doubt, the most valuable asset in today’s world. However, as stated in the article, we are the primary perpetrators of these breaches; after all, many individuals continue to use basic and easy-to-crack passwords. It’s no surprise that brute force cracking weak passwords is the most common method used by hackers.

  23. This is a really interesting post! I have also followed the news. They even use AI drones for invasion in Ukraine. Many of the posts I’ve reviewed thus far have educated me that individuals are usually the most vulnerable part of most systems. But still a nice post for me!

  24. Interesting Post! Out of topic information, 64% of companies have experienced web-based attacks. 62% experienced phishing & social engineering attacks. 59% of companies experienced malicious code and botnets and 51% experienced denial of service attacks. Small organizations (those with fewer than 500 employees) spend an average of $7.68 million per incident.

  25. Great post! This is a pretty interesting example of the weakest link in a security system, since there were 2 weak links (Cisco’s MFA and PrintNightmare) which both had to be exploited to gain access to the system. On a slightly unrelated note, Windows’ Print Spooler and Print Service in general seems like a complete mess, especially compared to how well printing works on Linux. I imagine it’s a product of Windows building upon an ancient codebase, and maybe needs to be rebuilt from the ground up.

  26. This was a great post to read! I think this is incredibly relevant to what’s currently going on between Russia and Ukraine and it goes to show how important of a topic cybersecurity really is. Hopefully, people can get more aware about these systems, as they can often be the weakest link for these systems.

  27. This is a very informative post. Since the conflict between Russia and Ukraine started there have been multiple cyber attacks happening, and I think this is extremely relevant to what’s happening and the importance of it. Considering how important a password could be it is important that everyone has a complex password that is hard to figure out.

  28. Hi, this was a great article to read about. Incidents like this make me change my password to my online accounts frequently and more securely. It was interesting to see how the hackers can spot the weakest spots and take advantage of it! It really feels like if the hackers are smart enough and have dedication, they will be able to hack through anything.

  29. It seems like every day I would hear about another Russian cyber attack occurring, though it always intrigues me to see how they are done. You mentioned this happened back in 2021 and that it was on an undisclosed non-government facility and was only just reported. No information was given about what was taken but it begs the question; what information was worth doing this? It’s interesting though how these hackers can just up and find all these exploits. Brute forcing is a very common method that has been used for a very long time, and appears to still work for things such as these. Microsoft released information on this vulnerability which in turn could have shown further unwanted light on the situation, inviting more malicious behavior to other unidentified people. We as consumers should take a lesson from this article and make sure that when passwords are created, they are complicated, yet memorable. This will save you from exploits such as the “PrintNightmare.”

  30. Absolutely love that final takeaway. Ultimately, it falls on the user to protect their digital information with a strong password. It seems like common knowledge but there are many articles about an attacker utilizing weak passwords as an entry point and time and time again the fault lies with the victim. This obviously does not apply to every cyberattack case but it is important to keep this in mind. Great post!

  31. Great post. This shows that even with TFA, and all of the security in the world, if you have a weak password then you really aren’t doing yourself any favors. In your opinion, do you think that this incident shines negatively on TFA as a whole, since there was such a glaring issue with the TFA software used?

  32. Thanks for sharing the blog. The first thing that amazed me was the fact that there may be tons of successful cyberattacks happening everyday that aren’t publicly reported. That those that are known are only a fraction of a very large number scared me. Secondly, I never expected “allowing inactive accounts to be reactivated without the need of being authenticated” was a thing. It is indeed a hole in security. On the other hand, it does make sense to the fact that some users may forget how to authenticate their inactive account or be discouraged from reactivating if the process is too complicated.

  33. The fact they said in the article it seemed to be an independent and not the Russian government, it reminded me of movie scenes where a super genius talks about how they just accessed important Pentagon documents when they were 12 years old and bored. It’s interesting to see how there really are people out there that can figure ways into what we view as some of the most secure documents in the world.

  34. Great Post!
    It is sad to see these cyber attacks continue after the Ukraine/Russian war. It is good to know that government officials are aware of PrintNightmare, as it is a huge security risk to users. I was interested to learn that vulnerable users’ cloud documents and email accounts were compromised from this crime. Hopefully they find out who is behind this whole mess.