{"id":2728,"date":"2022-03-19T18:48:58","date_gmt":"2022-03-20T00:48:58","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=2728"},"modified":"2022-03-19T18:49:01","modified_gmt":"2022-03-20T00:49:01","slug":"another-russian-cyber-attack","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/03\/19\/another-russian-cyber-attack\/","title":{"rendered":"Another Russian Cyber Attack!"},"content":{"rendered":"\n<figure class=\"wp-block-image is-style-default\"><img decoding=\"async\" src=\"http:\/\/prod-upp-image-read.ft.com\/c9803416-e923-11e9-aefb-a946d2463e4b\" alt=\"\" \/><figcaption>(7)<\/figcaption><\/figure>\n\n\n\n<p>While it is true that this attack was carried out while being funded by the Russian government, it occurred back in May 2021 and has only recently been reported on, so it would have little to do with the recent political conflicts involving Russia. The FBI and CISA (Cybersecurity and Infrastructure Security Agency) have released information that this attack essentially used flawed MFA (Multifactor Authentication) settings as an entry point, after which the attackers utilized an already known vulnerability, <em>PrintNightmare<\/em> (1). The victim of this crime is an undisclosed non-government organization and it is unclear exactly what information has been exfiltrated, but it is clear that the attackers had access to cloud documents and email accounts.<\/p>\n\n\n\n<hr class=\"wp-block-separator is-style-wide\" \/>\n\n\n\n<h4 class=\"wp-block-heading\">What is <em>PrintNightmare<\/em>?<\/h4>\n\n\n\n<p>Microsoft put out a report that covered the severity and details of this vulnerability on July 1st 2021. The vulnerability lies in the Windows Print Spooler service which, when working as intended, manages all print jobs as they are received by the computer. 
When this program is exploited, it improperly performs privileged file operations, which grants attackers the opportunity to execute arbitrary code. RCE, or remote code execution, is a serious issue when it comes to vulnerabilities as it essentially grants bad actors system privileges, which would allow free rein to view data, delete data or even install programs which they would not have been able to otherwise (2). It is because of this issue that Microsoft rated this vulnerability an 8.8\/10 in the Common Vulnerability Scoring System (CVSS) (3).<\/p>\n\n\n\n<hr class=\"wp-block-separator is-style-wide\" \/>\n\n\n\n<h4 class=\"wp-block-heading\">How was the attack done?<\/h4>\n\n\n\n<p>Usually MFA is an important part of making sure that intruders stay out of accounts they are not supposed to access. This attack, on the other hand, made use of Cisco\u2019s Duo MFA system, which had a default configuration allowing inactive accounts to be reactivated without needing to be authenticated (4). 
Because of this oversight, all that the attackers had to do was (5):<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Find an inactive account that has a poor password.<\/li><li>Brute force the weak password, then reactivate the account (skipping having the account verified).<\/li><li>Implement the <em>PrintNightmare<\/em> exploit to escalate their permissions.<\/li><li>Use these system permissions to completely disable MFA for all the accounts.<\/li><\/ul>\n\n\n\n<p>At this point the attackers were well inside the network and could continue to create accounts to snoop on data stored on the cloud server and within the other users\u2019 emails.<\/p>\n\n\n\n<hr class=\"wp-block-separator is-style-wide\" \/>\n\n\n\n<h4 class=\"wp-block-heading\">Takeaways<\/h4>\n\n\n\n<p>It is clear that many things had to go wrong for this attack to have been carried out: from the faulty default settings of Duo MFA, to the NGO\u2019s failure to understand the settings related to their own network\u2019s security, to Microsoft having been relatively slow in implementing a fix for the known exploit. But the simplest flaw, and one that any of us could be responsible for, is creating a weak password. Without an account that had a relatively simple password the attackers could guess, there would not have been an entry point for the attack (5). 
Making a complex password that is hard to crack is not only beneficial for your own security, but, as this example showed, when all else fails, having a good password also benefits everyone on the shared network.<\/p>\n\n\n\n<p>Here is a video that goes over some things to consider when making a good password:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-embed-handler wp-block-embed-embed-handler wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe title=\"How to pick a proper password\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/pMPhBEoVulQ?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption>(6)<\/figcaption><\/figure>\n\n\n\n<hr class=\"wp-block-separator is-style-wide\" \/>\n\n\n\n<h4 class=\"wp-block-heading\">Sources:<\/h4>\n\n\n\n<p class=\"has-normal-font-size\" style=\"line-height:1\">(1) <a rel=\"noreferrer noopener\" href=\"https:\/\/thehackernews.com\/2022\/03\/fbi-cisa-warn-of-russian-hackers.html\" target=\"_blank\">https:\/\/thehackernews.com\/2022\/03\/fbi-cisa-warn-of-russian-hackers.html<\/a><\/p>\n\n\n\n<p class=\"has-normal-font-size\" style=\"line-height:1\">(2) <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/06\/30\/printnightmare-the-zero-day-hole-in-windows-heres-what-to-do\/\">https:\/\/nakedsecurity.sophos.com\/2021\/06\/30\/printnightmare-the-zero-day-hole-in-windows-heres-what-to-do\/<\/a><\/p>\n\n\n\n<p class=\"has-normal-font-size\" style=\"line-height:1\">(3) <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34527\" target=\"_blank\" 
rel=\"noreferrer noopener\">https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34527<\/a><\/p>\n\n\n\n<p class=\"has-normal-font-size\" style=\"line-height:1\">(4) <a rel=\"noreferrer noopener\" href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-074a\" target=\"_blank\">https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-074a<\/a><\/p>\n\n\n\n<p class=\"has-normal-font-size\" style=\"line-height:1\">(5) <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/03\/16\/russian-actors-bypass-2fa-story-what-happened-and-how-to-avoid-it\/\">https:\/\/nakedsecurity.sophos.com\/2022\/03\/16\/russian-actors-bypass-2fa-story-what-happened-and-how-to-avoid-it\/<\/a><\/p>\n\n\n\n<p class=\"has-normal-font-size\" style=\"line-height:1\">(6) <a href=\"https:\/\/www.youtube.com\/watch?v=pMPhBEoVulQ&amp;t=102s\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.youtube.com\/watch?v=pMPhBEoVulQ&amp;t=102s<\/a><\/p>\n\n\n\n<p>(7) <a href=\"https:\/\/www.ft.com\/content\/0aa7a6e0-ca52-11e9-af46-b09e8bfe60c0\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.ft.com\/content\/0aa7a6e0-ca52-11e9-af46-b09e8bfe60c0<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>While it is true that this attack was carried out while being funded by the Russian government, it was an attack that occurred back in May 2021 while only just recently being reported on so it would have little to do with the recent political conflicts involving Russia. 
The FBI and the CISA (Cybersecurity and &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/03\/19\/another-russian-cyber-attack\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Another Russian Cyber Attack!&#8221;<\/span><\/a><\/p>\n","protected":false},"author":300,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-2728","post","type-post","status-publish","format-standard","hentry","category-cpsc-329-602-w22","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"David Escarcia Rodriguez","author_link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/author\/david-escarcia-rodriguez\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2728","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/users\/300"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/comments?post=2728"}],"version-history":[{"count":6,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2728\/revisions"}],"predecessor-version":[{"id":2737,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2728\/revisions\/2737"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/media?parent=2728"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/categories?post=2728"},{"taxonomy":"post_tag","embeddable":true,"href"
:"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/tags?post=2728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}