Project Hyphae

MFA? We don’t need no stinking MFA!


Summary: The FBI and CISA warn that, since as early as May 2021, Russian APTs have been using brute-force attempts to gain access to old Active Directory accounts that were un-enrolled from Duo MFA after a long period of inactivity, which lets the attackers register a new MFA device on those accounts. Once access is granted, they leverage PrintNightmare (CVE-2021-34527) to obtain administrative credentials. They then modify the domain controller's local hosts file to redirect traffic destined for the Duo server to the loopback address (127.0.0.1). With communication to the MFA server blocked, Duo fails open by default, effectively bypassing MFA for all domain accounts. Failing open by default is not exclusive to Duo and could be the case with any other MFA implementation.

What can you do? Read through the Joint Cyber Security Advisory AA22-074A. It’s packed with best practices and mitigation recommendations and will be worth the effort. https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
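The hosts-file step is the easiest part of this chain to catch on a domain controller: a legitimate hosts file almost never maps anything other than localhost-style names to a loopback or unspecified address, and it should never override the MFA vendor's API hostname at all. The script below is an added example written for this post; it is not code from Project Hyphae, CISA, or Duo. It parses a hosts file, flags any entry that pins an MFA hostname (the `api-XXXXXXXX.duosecurity.com` value is a placeholder, the real one is tenant-specific) and any non-localhost name pointed at a loopback or 0.0.0.0 address, and runs against a constructed sample rather than a real capture. The default path is the standard Windows location, but the parser is OS-agnostic.

```python
from __future__ import annotations

import ipaddress
import re
import sys
from dataclasses import dataclass

# Hostnames whose redirection would sever the path to the MFA service.
# The Duo API hostname here is a PLACEHOLDER (hypothetical); each tenant's
# real value comes from its Duo integration settings.
MFA_HOSTNAMES = {"api-XXXXXXXX.duosecurity.com"}

# Names that legitimately map to loopback and should not be reported.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Standard Windows hosts file location (real path).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample hosts file for demonstration; not a real capture.
SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.5        fileserver.corp.example    # legitimate internal pin
127.0.0.1       api-XXXXXXXX.duosecurity.com
0.0.0.0         updates.corp.example
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    hostname: str
    address: str
    reason: str


def _is_non_routing(addr: str) -> bool:
    """True for loopback (127/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (line_no, address, [names]) for each active entry; comments and blanks are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        if len(parts) < 2:
            continue
        yield line_no, parts[0], parts[1:]


def audit_hosts(text: str, mfa_hostnames=MFA_HOSTNAMES) -> list[Finding]:
    """Return findings for MFA-hostname overrides and suspicious loopback mappings."""
    watch = {h.lower() for h in mfa_hostnames}
    findings: list[Finding] = []
    for line_no, addr, names in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if lname in watch and _is_non_routing(addr):
                reason = "MFA hostname redirected to loopback/unspecified address (fail-open bypass pattern)"
            elif lname in watch:
                reason = "MFA hostname overridden in hosts file (bypasses DNS for the MFA service)"
            elif _is_non_routing(addr) and lname not in BENIGN_LOOPBACK_NAMES:
                reason = "non-localhost name mapped to loopback/unspecified address"
            else:
                continue
            findings.append(Finding(line_no, name, addr, reason))
    return findings


def audit_hosts_file(path: str = WINDOWS_HOSTS_PATH) -> list[Finding]:
    """Read a hosts file from disk and audit it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run on the constructed sample.
    results = audit_hosts_file(sys.argv[1]) if len(sys.argv) > 1 else audit_hosts(SAMPLE_HOSTS)
    for f in results:
        print(f"line {f.line_no}: {f.hostname} -> {f.address}: {f.reason}")
    sys.exit(1 if results else 0)
```

Run it periodically on domain controllers and authentication proxies and alert on a non-zero exit; a hosts-file audit is a cheap compensating check, but the durable fix the advisory recommends is to configure the MFA integration to fail closed and to review re-enrollment policy for dormant accounts.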


