The war in Ukraine has put the entire world on high alert as the aggressor, Russia, extends its hostility not just to Ukraine but to sympathetic nations that try to come to the invaded nation’s aid. Unsurprisingly, as both a traditional rival and prominent sympathizer, the USA is at the top of the list. The hostility, however, comes not in the form of direct attack but cyber warfare.
Even before the sustained automated digital intrusions various US agencies and companies are experiencing now, Russia had already been using state-sponsored agents to test the waters. And on at least one occasion, human negligence provided an alternate route to bypass multifactor authentication safeguards.
In May of 2021, a Non-Government Organization experienced a rapid and successful intrusion of their systems despite having multifactor authentication protocols in place. State-sponsored Russian hackers exploited a documented vulnerability known as “PrintNightmare,” a security hole in print spooler software, which coordinates printing jobs among computers on a network.
The PrintNightmare vulnerability, once exploited, allowed the hackers to spread their control and gain system privileges within the network. Once inside, they could disable multifactor authentication safeguards, edit registries, and browse directories at their leisure.
How It Happened
In this case, true MFA implementation would have prevented the state-sponsored hackers from gaining access to the system. Unfortunately, the hackers took advantage of older systems still in place. The intrusion occurred when the hackers discovered a registered but inactive account that still used password systems set to default.
By using traditional “brute force” methods to figure out the default password through the process of elimination, the hackers eventually gained access to the system without ever having to encounter the much stronger multifactor authentication systems. By using this “back door” of an inactive but still valid user account, they were able to register themselves within the MFA system and then use that as the foundation to move into the rest of the system, find the PrintNightmare vulnerability, and then exploit that to seize control of the network’s functions.
The exploitation of an in-system vulnerability would never have occurred with more diligence. Allowing inactive accounts to remain valid with default passwords still in place provides a critical loophole to bypass much stronger multifactor authentication systems.
For a more secure system, always be vigilant. When switching to MFA safeguards, disable the older, more vulnerable password accounts and systems. A chain is only as strong as its weakest link.
If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.