Russia-Backed Hackers Use Windows Flaw To Disable MFA

Published: April 25, 2022 on our newsletter Security Fraud News & Alerts Newsletter.



Two of the heaviest-hitting U.S. security agencies, the FBI (Federal Bureau of Investigation) and CISA (Cybersecurity & Infrastructure Security Agency), recently released a joint warning about Russian state-sponsored hackers. The intrusion they describe chained two weaknesses: a misconfigured account and default multi-factor authentication (MFA) settings let the attackers enroll their own device for MFA, and a Windows Print Spooler flaw then let them run code with SYSTEM privileges. Once inside, they went after the data they wanted, reaching into the cloud and email accounts belonging to the victim.


The protection MFA provides is a vital layer for keeping systems and data safe: it demands a second proof of identity beyond a password, so a stolen or brute-forced password alone should not be enough to get in. When a weakness that lets bad actors get around MFA is discovered, it can be exploited in any number of ways until it is fixed, and in this case part of the weakness was a matter of configuration, not just a missing patch. When Russian state-sponsored actors are the ones exploiting it, there is reason enough for the FBI, CISA, and Microsoft to issue public warnings.


The FBI, CISA and Microsoft Warnings


In their joint Cybersecurity Advisory (AA22-074A, released March 15, 2022), CISA and the FBI explain why the public warning was issued: “…to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network.” In the incident the advisory describes, the account had been dormant long enough to be dropped from MFA enrollment but was never disabled in Active Directory, so a brute-forced password was enough to log in and register an attacker-controlled device. The advisory also notes that, after gaining SYSTEM access, the actors edited the hosts file on a domain controller so the MFA agent could no longer reach its server; because the agent's default policy was to “fail open” when the server is unreachable, MFA was effectively switched off for active domain accounts.
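To find the kind of account the advisory describes (enabled in the directory, long dormant, and possibly never enrolled in MFA), the following PowerShell is an added example for this newsletter, not code from CISA, the FBI, or any MFA vendor. It assumes the RSAT ActiveDirectory module, read access to the domain, and an MFA enrollment export saved as a CSV with a `username` column; that CSV layout and the function names are assumptions, so adapt them to your provider's export.

```powershell
# Added example (not from the newsletter or the CISA/FBI advisory).
# Lists enabled AD accounts that have been dormant for -InactiveDays and flags
# any that are missing from the MFA provider's enrollment export.
# Assumptions: RSAT ActiveDirectory module is installed; the enrollment export
# is a CSV with a 'username' column (hypothetical format, adjust as needed).

function Get-DormantEnabledAccounts {
    param([int]$InactiveDays = 90)

    Import-Module ActiveDirectory -ErrorAction Stop
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # LastLogonDate comes from the replicated lastLogonTimestamp attribute,
    # which is accurate only to about 14 days; that is fine for a 90-day review.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet, whenCreated |
        Where-Object {
            ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
            ((-not $_.LastLogonDate) -and $_.whenCreated -lt $cutoff)   # created, never logged on
        } |
        Select-Object SamAccountName, LastLogonDate, PasswordLastSet, whenCreated, DistinguishedName
}

function Compare-DormantAccountsWithMfa {
    param(
        [Parameter(Mandatory)][string]$EnrollmentCsv,
        [int]$InactiveDays = 90
    )

    # Normalise the enrolled usernames once so the comparison is case-insensitive.
    $enrolled = @{}
    foreach ($row in Import-Csv -Path $EnrollmentCsv) {
        if ($row.username) { $enrolled[$row.username.Trim().ToLowerInvariant()] = $true }
    }

    Get-DormantEnabledAccounts -InactiveDays $InactiveDays | ForEach-Object {
        $isEnrolled = $enrolled.ContainsKey($_.SamAccountName.ToLowerInvariant())
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            LastLogonDate  = $_.LastLogonDate
            MfaEnrolled    = $isEnrolled
            # An enabled, dormant, un-enrolled account is exactly the gap the advisory describes:
            # whoever guesses its password can self-enroll a new MFA device.
            Action         = $(if ($isEnrolled) { 'Disable (dormant)' } else { 'Disable (dormant, NOT enrolled in MFA)' })
        }
    }
}

# Usage (review the output before acting on it):
#   Compare-DormantAccountsWithMfa -EnrollmentCsv 'C:\audit\mfa-users.csv' -InactiveDays 90 |
#       Where-Object { -not $_.MfaEnrolled } | Format-Table -AutoSize
# To disable the reviewed accounts:
#   ... | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName }
```

Disabling the account in Active Directory is only half the fix; the same account should be removed or disabled on the MFA side so that a re-enabled or re-created account cannot silently inherit an open enrollment slot.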



The advisory identifies the flaw as CVE-2021-34527, the Print Spooler bug widely known as “PrintNightmare,” which Microsoft's security update labels a “Windows Print Spooler Remote Code Execution Vulnerability.” Microsoft's executive summary explains: “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” In this intrusion that SYSTEM access is what turned a single compromised account into control of a domain controller.


Here in the U.S., CISA and the FBI warn that Russian state-sponsored actors will likely keep using these techniques. Any organization running Windows systems with the Print Spooler service enabled, and any organization whose MFA deployment still carries default enrollment or fail-open settings, should assume it could be next. The victim in this case was an NGO (non-governmental organization). NGOs are typically non-profit groups with no ties to a government; some provide humanitarian aid and other needed services, and they range from small community organizations to national and international bodies.


The top advice in situations like this is to make sure all systems are updated with the latest patches. For PrintNightmare that means the Microsoft updates released from July 2021 onward, together with Microsoft's guidance to disable the Print Spooler service on domain controllers and on any system that does not need to print. If you are using software that is no longer supported by the developer, seriously consider upgrading to a version that is.
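A quick way to check where a Windows host stands on the Print Spooler side is the following PowerShell, an added example for this newsletter rather than code from Microsoft or CISA. It reads the Point and Print policy values Microsoft documents for the PrintNightmare fix, reports whether the spooler is running on a domain controller, and with `-Remediate` applies the documented hardening. The function names are this example's own; it assumes an elevated PowerShell session, and it audits configuration only, so confirm the patch level separately through Windows Update or your management tooling.

```powershell
# Added example (not from the newsletter, CISA, or Microsoft): audits a Windows
# host for PrintNightmare (CVE-2021-34527) configuration exposure and, with
# -Remediate, applies Microsoft's published hardening. Run elevated.
# Registry paths and value names are the documented Point and Print policies;
# the function names are this example's own.

function Test-PrintSpoolerExposure {
    param([switch]$Remediate)

    $printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnpKey      = "$printersKey\PointAndPrint"

    # Read a policy DWORD, returning $null when the key or value is absent.
    function Get-PolicyValue([string]$Key, [string]$Name) {
        try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    $spooler   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running   = [bool]($spooler -and $spooler.Status -eq 'Running')
    $isDC      = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4   # 4 = backup DC, 5 = primary DC
    $remoteRpc = Get-PolicyValue $printersKey 'RegisterSpoolerRemoteRpcEndPoint'       # 2 = refuse remote print clients
    $noWarn    = Get-PolicyValue $pnpKey 'NoWarningNoElevationOnInstall'              # 1 re-opens the vulnerable path
    $noPrompt  = Get-PolicyValue $pnpKey 'UpdatePromptSettings'                       # 1 re-opens the vulnerable path
    $restrict  = Get-PolicyValue $pnpKey 'RestrictDriverInstallationToAdministrators' # 1 = only admins install drivers

    $findings = New-Object System.Collections.Generic.List[string]
    if ($running) {
        if ($isDC)            { $findings.Add('Print Spooler is running on a domain controller; Microsoft advises disabling it there') }
        if ($remoteRpc -ne 2) { $findings.Add('Spooler accepts remote client connections (RegisterSpoolerRemoteRpcEndPoint is not 2)') }
        if ($noWarn -eq 1)    { $findings.Add('NoWarningNoElevationOnInstall=1 re-enables non-admin driver installs') }
        if ($noPrompt -eq 1)  { $findings.Add('UpdatePromptSettings=1 re-enables non-admin driver updates') }
        if ($restrict -ne 1)  { $findings.Add('RestrictDriverInstallationToAdministrators is not set to 1') }
    }

    if ($Remediate -and $running) {
        if ($isDC) {
            # Domain controllers have no business printing: stop and disable the service.
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        } else {
            # Keep printing working but close the Point and Print driver-install path.
            # Remote client connections are reported only, because print servers need them.
            New-Item -Path $pnpKey -Force | Out-Null
            New-ItemProperty -Path $pnpKey -Name RestrictDriverInstallationToAdministrators -PropertyType DWord -Value 1 -Force | Out-Null
            foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
                New-ItemProperty -Path $pnpKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
            }
        }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DomainController  = $isDC
        SpoolerStatus     = $(if ($spooler) { [string]$spooler.Status } else { 'NotInstalled' })
        RemoteRpcEndpoint = $remoteRpc
        RestrictToAdmins  = $restrict
        Findings          = $findings.ToArray()
        Exposed           = ($findings.Count -gt 0)
    }
}

# Usage:
#   Test-PrintSpoolerExposure | Format-List          # audit only
#   Test-PrintSpoolerExposure -Remediate | Format-List
```

Run the audit across the fleet (for example through `Invoke-Command` against a list of hosts) before remediating, and treat any domain controller with a running spooler as the first thing to fix: that is the class of machine the attackers in this advisory used their SYSTEM access on.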


If MFA is an option, enable it, and enable it for every account, including dormant and service accounts, because an enabled account that was never enrolled is exactly the gap exploited here. Review the provider's defaults as well: choose “fail closed” so that MFA cannot be bypassed when the MFA server is unreachable, and make sure an account disabled in your directory is disabled in the MFA system too. The “multi-factor” part could be a one-time code sent by text message, a code from an authenticator app, or a hardware security key that plugs into your computer; of these, the hardware key is the strongest and text-message codes the weakest. Many providers now offer several options to choose from when setting up MFA.


Tensions are high with respect to anything involving Russia right now, and cyberattacks are not likely to cease any time soon. Do a check to make sure you are as protected as you can be.

Keep up to date: Sign up for our Fraud alerts and Updates newsletter

Want to schedule a conversation? Please email us at advisor@nadicent.com
