
A recent cybersecurity advisory from the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warns that Russian state-sponsored cyber actors are gaining network access by exploiting default multi-factor authentication (MFA) protocols and the “PrintNightmare” vulnerability.
PrintNightmare is a zero-day Windows print spooler vulnerability that, when exploited, enables remote code execution and the ability to gain local system privileges.
This has given businesses across the globe a stark reminder of why managing passwords is critical, regardless of whether MFA is in use or not, according to Steven Hope, CEO of authentication specialist Authlogics.
He says the advisory points to Russian state-sponsored cyber actors using a technique to disable MFA and compromise networks and high-value accounts.
A wake-up call
The example given was an attack on an NGO that took place in May last year. The key to the technique used was simply guessing the password. Compounding the situation, the default configuration setting for its Duo MFA system allowed the enrolment of a new device for dormant accounts.
“It should serve as a wake-up call to any organisation,” says Hope. “It’s true that MFA can offer good protection; in fact, a note alongside the advisory suggests users who enable MFA are up to 99% less likely to have an account compromised.”
However, he stresses that poorly implemented MFA might make it a bit harder for a determined hacker, but it certainly won’t prevent them from getting through the door. This is particularly true if the first line of defence is a weak password.
The problem cannot be underestimated
The tremendous scale of the password problem cannot be underestimated, stresses Hope. “In fact, our own database of breached accounts currently stands at over four billion records, and it is growing by the day.”
He says this includes 12 000 US State Department credentials known to have been breached. “So, it should come as no surprise that a Russian state-sponsored cyber actor, hacking collective or lone wolf, will make password breach dumps on the dark Web one of their first ports of call.”
But it’s not all doom and gloom, says Hope, as vulnerabilities of this nature can be identified and rectified right now and at zero cost.
This starts with checking whether any account, active or dormant, has ever been breached. Armed with this information businesses can enforce action to ensure passwords connected to the breached accounts are changed.
“Accounts are being breached at an alarming rate, so this process needs to form the basis of an ongoing password management strategy if the bad guys are going to be kept on the other side of the door.”
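The check described above, finding out whether a password in use has already appeared in a breach dump and forcing a change where it has, can be done without ever sending the password itself to the lookup service. The example below is added here and is not code from the article or from Authlogics' product; it mimics the k-anonymity range scheme used by the Have I Been Pwned “Pwned Passwords” API (hash the password with SHA-1, send only the first five hex characters, match the remaining suffix locally against the returned list), but works entirely offline against a constructed stand-in corpus. The account records, the passwords marked as “breached”, the counts and the `query_range` stand-in are all constructed for illustration; a real deployment would replace `query_range` with the HTTPS range call.

```python
"""Breached-password audit using a k-anonymity range lookup (offline demo).

Added example, not from the article or from any vendor product. The breach
corpus below is constructed: no real breach data and no network call.
"""
import hashlib

# Constructed sample: passwords we pretend appear in a breach corpus, with
# the number of times each was seen (values are made up for the demo).
_CONSTRUCTED_BREACHED = {
    "Password1": 3_861_493,
    "Winter2021!": 742,
}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range scheme expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Simulate the server side: map each 5-char hash prefix to the
    'SUFFIX:COUNT' lines a range query for that prefix would return."""
    index: dict = {}
    for pw, count in breached.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


_RANGE_INDEX = build_range_index(_CONSTRUCTED_BREACHED)


def query_range(prefix: str) -> str:
    """Stand-in for the remote range lookup (hypothetical, offline).
    Only the 5-character prefix ever leaves the client; the full hash and the
    password itself stay local."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly a 5-hex-char prefix")
    return "\r\n".join(_RANGE_INDEX.get(prefix, []))


def breach_count(password: str) -> int:
    """Return how many times the password appears in the corpus (0 = unseen)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query_range(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_accounts(accounts):
    """accounts: iterable of (username, password, dormant) tuples.

    Returns a list of (username, breach_count, action). Any account whose
    password is in the corpus gets a forced password change; a dormant account
    in that state is additionally flagged for review of its MFA enrolment,
    since the article's example hinged on a dormant account being re-enrolled.
    """
    results = []
    for username, password, dormant in accounts:
        count = breach_count(password)
        if count == 0:
            action = "ok"
        elif dormant:
            action = "force_password_change;review_mfa_enrolment"
        else:
            action = "force_password_change"
        results.append((username, count, action))
    return results


if __name__ == "__main__":
    # Constructed sample accounts (not real credentials).
    sample = [
        ("alice", "Password1", False),
        ("bob", "Winter2021!", True),
        ("carol", "tZ9#kq!vR2m&Lw7p", False),
    ]
    for row in audit_accounts(sample):
        print(row)
```

Running the block prints one tuple per account; the two constructed “breached” passwords come back with a forced-change action, and the dormant one is also flagged for an MFA-enrolment review. Because the match is done on the hash suffix locally, the audit can be run against an on-premises copy of a breach corpus just as well as against a remote range API.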
Have you been breached?
Considering the considerable expense involved in employing MFA, he says that if the weak password problem isn't addressed, the business is effectively back to a single factor of protection, and this attack exposes the vulnerability.
“A good MFA solution should always be backed up by a good password security solution.”
Anyone wanting to test their company domain against the world’s largest password breach database and receive a free, no-obligation report can click here.