CISA: Fix MFA and Patch Promptly to Stop Russian Attackers
The US authorities have issued a new alert warning of Russian state-backed malicious activity involving exploiting a well-known bug in Windows Print Spooler discovered last year.
The US Cybersecurity and Infrastructure Security Agency (CISA) explained that Russian actors had been spotted exploiting the PrintNightmare bug (CVE-2021-34527) back in May 2021, targeting an unnamed NGO.
This was part of an attack chain that began when they exploited a misconfigured account that had been left on default multi-factor authentication (MFA) settings, allowing them to enroll a new device for MFA and gain access to the victim’s network.
PrintNightmare then enabled the attackers to run arbitrary code with system privileges and subsequently access cloud and email accounts for document exfiltration.
The alert lists multiple mitigations that CISA urges all organizations to apply, including enforcing MFA and reviewing configuration policies to protect against “fail open” and re-enrollment scenarios.
It also asks organizations to make sure inactive accounts are disabled across Active Directory and MFA systems and that patches are prioritized for known exploited vulnerabilities.
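Taken together, the mitigations above amount to a small audit: check the MFA policy for "fail open" and unapproved re-enrollment, and cross-check which accounts are still enabled in Active Directory and still enrolled in the MFA system. The following is an added example of that audit written for this article; it is not CISA's or the article's code, and the policy keys, account names and dates are all constructed placeholders rather than any real product's schema or any real tenant's data.

```python
from datetime import date, timedelta

# Constructed sample policy (hypothetical keys, not a real MFA product's schema):
# the three settings the advisory's mitigations point at.
WEAK_MFA_POLICY = {
    "fail_open": True,                          # MFA outage lets logins through on password alone
    "self_enrollment_without_approval": True,   # any authenticated user can register a new device
    "enforce_for_all_users": False,             # some accounts are exempt from MFA
}

HARDENED_MFA_POLICY = {
    "fail_open": False,
    "self_enrollment_without_approval": False,
    "enforce_for_all_users": True,
}


def policy_findings(policy):
    """Return human-readable findings for settings that contradict the advisory."""
    findings = []
    if policy.get("fail_open", False):
        findings.append("fail_open enabled: an MFA outage would allow password-only logins")
    if policy.get("self_enrollment_without_approval", False):
        findings.append("self-enrollment without approval: a valid password is enough to add a device")
    if not policy.get("enforce_for_all_users", False):
        findings.append("MFA is not enforced for all users")
    return findings


# Constructed sample accounts (hypothetical names and dates). Each record merges
# what the directory and the MFA system know about the same identity.
ACCOUNTS = [
    {"sam": "alice",   "ad_enabled": True,  "last_logon": date(2022, 3, 10), "mfa_enrolled": True},
    {"sam": "svc_old", "ad_enabled": True,  "last_logon": date(2021, 9, 1),  "mfa_enrolled": True},
    {"sam": "bob",     "ad_enabled": False, "last_logon": date(2021, 12, 5), "mfa_enrolled": True},
    {"sam": "carol",   "ad_enabled": True,  "last_logon": date(2022, 3, 12), "mfa_enrolled": False},
]


def stale_enabled_accounts(accounts, today, max_idle_days=90):
    """Accounts still enabled in AD that have not logged on within max_idle_days.
    The advisory's intrusion started from exactly this kind of inactive account."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["sam"] for a in accounts if a["ad_enabled"] and a["last_logon"] < cutoff)


def mfa_orphans(accounts):
    """Accounts disabled in AD but still enrolled in the MFA system.
    Disabling must happen in both systems, or the MFA side can still accept a device."""
    return sorted(a["sam"] for a in accounts if not a["ad_enabled"] and a["mfa_enrolled"])


def unenrolled_enabled_accounts(accounts):
    """Enabled accounts with no MFA device: with open self-enrollment, whoever next
    logs in with the password gets to register the device."""
    return sorted(a["sam"] for a in accounts if a["ad_enabled"] and not a["mfa_enrolled"])


if __name__ == "__main__":
    today = date(2022, 3, 15)  # constructed "now" so the sample dates are meaningful
    for line in policy_findings(WEAK_MFA_POLICY):
        print("POLICY:", line)
    print("stale but enabled:", stale_enabled_accounts(ACCOUNTS, today))
    print("disabled in AD, still in MFA:", mfa_orphans(ACCOUNTS))
    print("enabled, not enrolled:", unenrolled_enabled_accounts(ACCOUNTS))
```

In practice the account records would come from the directory and the MFA provider's export rather than an inline list, but the three checks are the same: an idle-but-enabled account, an enrollment that outlived its directory account, and an enabled account that has never enrolled are the conditions the advisory's mitigations are written to remove.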
“At CISA, we are great believers in MFA. It remains one of the most effective measures individuals and organizations can take to reduce their risk to malicious cyber activity. This advisory demonstrates the imperative that organizations configure MFA properly to maximize effectiveness,” said CISA director Jen Easterly.
“Now, more than ever, organizations must put their shields up to protect against cyber-intrusions, which means applying the mitigations in this advisory including enforcing MFA for all users without exception, patching known exploited vulnerabilities, and ensuring MFA is implemented securely.”
The PrintNightmare zero-day was first revealed accidentally by Chinese researchers in July 2021. It is a remote code execution vulnerability that exists when the Windows Print Spooler service improperly performs privileged file operations, enabling attackers to run arbitrary code with system privileges.