Summary: The FBI and CISA are warning that Russian APT actors have been, since as early as May 2021, using brute-force attempts to gain access to old Active Directory accounts that had been un-enrolled from Duo MFA after a long period of inactivity, which allows the attackers to register a new MFA device for those accounts. Once access is granted, they leverage PrintNightmare (CVE-2021-34527) to obtain administrative credentials. They then modify the domain controller's local hosts file so that traffic destined for the Duo server is redirected to the loopback address (127.0.0.1). With communication to the MFA server blocked, Duo fails open by default, effectively bypassing MFA for all domain accounts. Failing open by default is not exclusive to Duo and could be the case with any other MFA implementation.
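As an added detection check, not part of the original post or the advisory, the Python below parses a hosts file and flags any hostname pinned to a loopback address (127.0.0.0/8 or ::1) other than the usual local names, calling out Duo API hostnames separately; the hosts content and the `api-PLACEHOLDER.duosecurity.com` name are constructed samples, and the default hosts path is the standard Windows location.

```python
import ipaddress
import sys

# Constructed sample hosts file for this example; the Duo hostname is a placeholder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entry that pins the MFA API hostname to loopback so the agent can never reach it
127.0.0.1       api-PLACEHOLDER.duosecurity.com
10.0.0.5        fileserver.corp.example
"""

# Names that legitimately map to loopback and should not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]) for every real hosts entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, not an entry
        entries.append((ip, parts[1:]))
    return entries


def find_loopback_redirects(text, watch_suffixes=("duosecurity.com",)):
    """Flag non-local hostnames forced to a loopback address.

    Each finding records the hostname, the loopback IP and whether the name
    falls under a watched suffix (the Duo API domain by default)."""
    findings = []
    for ip, names in parse_hosts(text):
        if not ip.is_loopback:
            continue
        for name in names:
            lname = name.lower()
            if lname in LOCAL_NAMES:
                continue
            watched = any(lname == s or lname.endswith("." + s) for s in watch_suffixes)
            findings.append({"host": name, "ip": str(ip), "mfa_related": watched})
    return findings


if __name__ == "__main__":
    # Pass a hosts file path to scan a real file; otherwise the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\drivers\etc\hosts"
    try:
        text = open(path, encoding="utf-8", errors="replace").read()
    except OSError:
        text = SAMPLE_HOSTS
    for f in find_loopback_redirects(text):
        print(f"{'MFA ' if f['mfa_related'] else ''}loopback redirect: {f['host']} -> {f['ip']}")
```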
What can you do? Read through Joint Cybersecurity Advisory AA22-074A. It is packed with best practices and mitigation recommendations and is well worth the effort. https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
