{
	"id": "656b65f6-ce71-490e-a927-79b0ab93f4cb",
	"created_at": "2026-04-06T00:08:48.216689Z",
	"updated_at": "2026-04-10T03:21:02.059635Z",
	"deleted_at": null,
	"sha1_hash": "6337b2f6904576c8e7f6b25b3a6a9e9ffa1821db",
	"title": "Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 129047,
	"plain_text": "Russian State-Sponsored Cyber Actors Gain Network Access by\r\nExploiting Default Multifactor Authentication Protocols and\r\n“PrintNightmare” Vulnerability | CISA\r\nPublished: 2022-05-02 · Archived: 2026-04-05 13:54:05 UTC\r\nSummary\r\nMultifactor Authentication (MFA): A Cybersecurity Essential\r\n• MFA is one of the most important cybersecurity practices to reduce the risk of intrusions—according to industry\r\nresearch, users who enable MFA are up to 99 percent less likely to have an account compromised.\r\n• Every organization should enforce MFA for all employees and customers, and every user should sign up for\r\nMFA when available.\r\n• Organizations that implement MFA should review default configurations and modify as necessary, to reduce the\r\nlikelihood that a sophisticated adversary can circumvent this control.\r\nThe Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are\r\nreleasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors\r\nhave gained network access through exploitation of default MFA protocols and a known vulnerability. As early as\r\nMay 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA\r\nprotocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access\r\nthe victim network. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare”\r\n(CVE-2021-34527) to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully\r\nexploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email\r\naccounts for document exfiltration.\r\nThis advisory provides observed tactics, techniques, and procedures, indicators of compromise (IOCs), and\r\nrecommendations to protect against Russian state-sponsored malicious cyber activity. 
FBI and CISA urge all\r\norganizations to apply the recommendations in the Mitigations section of this advisory, including the following:\r\n• Enforce MFA and review configuration policies to protect against “fail open” and re-enrollment scenarios.\r\n• Ensure inactive accounts are disabled uniformly across Active Directory and MFA systems.\r\n• Patch all systems. Prioritize patching for known exploited vulnerabilities.\r\nFor more general information on Russian state-sponsored malicious cyber activity, see CISA's Russia Cyber\r\nThreat Overview and Advisories webpage. For more information on the threat of Russian state-sponsored\r\nmalicious cyber actors to U.S. critical infrastructure as well as additional mitigation recommendations, see joint\r\nCSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and\r\nCISA's Shields Up Technical Guidance webpage.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-074a\r\nPage 1 of 6\n\nFor a downloadable copy of IOCs, see AA22-074A.stix.\r\nTechnical Details\r\nThreat Actor Activity\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 10. See Appendix A for a table\r\nof the threat actors’ activity mapped to MITRE ATT\u0026CK tactics and techniques.\r\nAs early as May 2021, the FBI observed Russian state-sponsored cyber actors gain access to an NGO, exploit a\r\nflaw in default MFA protocols, and move laterally to the NGO’s cloud environment.\r\nRussian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised\r\ncredentials [T1078] and by enrolling a new device in the organization’s Duo MFA. The actors obtained the\r\ncredentials [TA0006] via a brute-force password-guessing attack [T1110.001], allowing them access to a victim\r\naccount with a simple, predictable password. 
The victim account had been un-enrolled from Duo due to a long\r\nperiod of inactivity but was not disabled in Active Directory. Because Duo’s default configuration settings allow\r\nthe re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this\r\naccount, complete the authentication requirements, and obtain access to the victim network.\r\nUsing the compromised account, Russian state-sponsored cyber actors performed privilege escalation [TA0004]\r\nvia exploitation of the “PrintNightmare” vulnerability (CVE-2021-34527) [T1068] to obtain administrator\r\nprivileges. The actors also modified a domain controller file, c:\\windows\\system32\\drivers\\etc\\hosts,\r\nredirecting Duo MFA calls to localhost instead of the Duo server [T1556]. This change prevented the MFA\r\nservice from contacting its server to validate MFA login. It effectively disabled MFA for active domain\r\naccounts because the default policy of Duo for Windows is to “fail open” if the MFA server is unreachable. Note:\r\n“fail open” can happen to any MFA implementation and is not exclusive to Duo.\r\nAfter effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to\r\nthe victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP)\r\nconnections to Windows domain controllers [T1133]. The actors ran commands to obtain credentials for\r\nadditional domain accounts; then, using the hosts-file method described in the previous paragraph, they\r\nbypassed MFA for these newly compromised accounts. The actors leveraged mostly internal\r\nWindows utilities already present within the victim network to perform this activity.\r\nUsing these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to\r\nmove laterally [TA0008] to the victim’s cloud storage and email accounts and access desired content. 
\r\nIndicators of Compromise\r\nRussian state-sponsored cyber actors executed the following processes:\r\n• ping.exe - A core Windows operating system process that sends ICMP echo requests (the TCP/IP suite’s\r\nping command); used to test network connectivity to a remote host [T1018] and frequently used by actors for\r\nnetwork discovery [TA0007].\r\n• regedit.exe - A standard Windows executable file that opens the built-in registry editor [T1112].\r\n• rar.exe - A data compression, encryption, and archiving tool [T1560.001].\r\n• ntdsutil.exe - A command-line tool that provides management facilities for Active Directory Domain\r\nServices. It is possible this tool was used to dump the Active Directory database (NTDS.dit), which holds\r\nuser accounts and their credential hashes [T1003.003].\r\nMalicious cyber actors have traditionally sought to compromise MFA security protocols as doing so would provide\r\naccess to accounts or information of interest.\r\nActors modified the c:\\windows\\system32\\drivers\\etc\\hosts file to prevent communication with the Duo MFA\r\nserver:\r\n127.0.0.1 api-\u003credacted\u003e.duosecurity.com\r\nThe following access device IP addresses used by the actors have been identified to date:\r\n45.32.137[.]94\r\n191.96.121[.]162\r\n173.239.198[.]46\r\n157.230.81[.]39\r\nMitigations\r\nThe FBI and CISA recommend organizations remain cognizant of the threat of state-sponsored cyber actors\r\nexploiting default MFA protocols and exfiltrating sensitive information. Organizations should:\r\n• Enforce MFA for all users, without exception. Before implementing, organizations should review\r\nconfiguration policies to protect against “fail open” and re-enrollment scenarios.\r\n• Implement time-out and lock-out features in response to repeated failed login attempts.\r\n• Ensure inactive accounts are disabled uniformly across Active Directory, MFA systems, and any other\r\nidentity systems.\r\n• Update software, including operating systems, applications, and firmware on IT network assets in a timely\r\nmanner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that\r\nallow for remote code execution or denial-of-service on internet-facing equipment.\r\n• Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin\r\naccounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or\r\nstored on the system where an adversary may have access.\r\n• Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.\r\n• Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on\r\nsuspicious process creation events (ntdsutil, rar, regedit, etc.).\r\nNote: If a domain controller compromise is suspected, a domain-wide password reset—including service\r\naccounts, Microsoft 365 (M365) synchronization accounts, and krbtgt—will be necessary to remove the actors’\r\naccess. The krbtgt account must be reset twice, with enough time between the two resets for the change to\r\nreplicate to all domain controllers, because the KDC still accepts tickets issued under the previous krbtgt\r\npassword until the second reset. (For more information, see https://docs.microsoft.com/en-us/answers/questions/87978/reset-krbtgt-password.html ). Consider soliciting support from a third-party IT organization to provide subject matter\r\nexpertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on\r\nexploitation.  
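\r\nThe following PowerShell audit is an added example; it is not part of the CISA advisory and is not Duo’s or Microsoft’s own tooling. Run on a domain controller in an elevated session, it checks for the conditions described in the Technical Details and Mitigations above: a hosts file that points the Duo API hostname at loopback, a Duo credential provider set to fail open, enabled Active Directory accounts dormant long enough to have dropped out of MFA enrollment, and recent process creation events for ntdsutil, rar and regedit. It assumes the registry location Duo Authentication for Windows Logon uses for its settings (HKLM\\SOFTWARE\\Duo Security\\DuoCredProv, with a FailOpen DWORD and a Host string; verify against your installed version), that process creation auditing (Security event ID 4688) is enabled, and that the ActiveDirectory RSAT module is installed. The 90-day inactivity threshold and the 24-hour event window are arbitrary choices.\r\n```powershell\r\n# Added example, not from the CISA advisory: audit a Windows domain controller for the\r\n# MFA-bypass conditions described in AA22-074A. Run in an elevated PowerShell session.\r\n#\r\n# Assumptions (verify in your environment):\r\n#   - Duo Authentication for Windows Logon keeps its settings under\r\n#     HKLM:\\SOFTWARE\\Duo Security\\DuoCredProv, with DWORD FailOpen (1 = fail open)\r\n#     and string Host (the API hostname).\r\n#   - Process creation auditing (Security event ID 4688) is enabled.\r\n#   - The ActiveDirectory RSAT module is installed.\r\n\r\n$findings = New-Object 'System.Collections.Generic.List[string]'\r\n\r\n# 1. Hosts-file tampering: a duosecurity.com API hostname mapped to a loopback or\r\n#    null address sends MFA calls nowhere; combined with fail-open, no second factor\r\n#    is required to log on.\r\n$hostsPath = Join-Path $env:SystemRoot 'System32\\drivers\\etc\\hosts'\r\nforeach ($line in (Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {\r\n    if ($line -match '^\\s*(127\\.\\d+\\.\\d+\\.\\d+|::1|0\\.0\\.0\\.0)\\s+\\S*duosecurity\\.com') {\r\n        $findings.Add(('hosts: Duo API hostname redirected to loopback -> {0}' -f $line.Trim()))\r\n    }\r\n}\r\n\r\n# 2. Fail-open policy on the Duo credential provider.\r\n$duoKey = 'HKLM:\\SOFTWARE\\Duo Security\\DuoCredProv'\r\nif (Test-Path -Path $duoKey) {\r\n    $duo = Get-ItemProperty -Path $duoKey\r\n    if ([int]$duo.FailOpen -eq 1) {\r\n        $findings.Add(('duo: FailOpen=1 for API host {0}; an unreachable Duo server skips MFA' -f $duo.Host))\r\n    }\r\n}\r\n\r\n# 3. Enabled AD accounts inactive for 90+ days. Such accounts may have been dropped\r\n#    from Duo enrollment, so a guessed password lets an attacker enroll a new device.\r\nif (Get-Module -ListAvailable -Name ActiveDirectory) {\r\n    Import-Module ActiveDirectory\r\n    $dormant = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |\r\n        Where-Object { $_.Enabled }\r\n    foreach ($acct in $dormant) {\r\n        $findings.Add(('ad: enabled but inactive account {0} (last logon {1})' -f $acct.SamAccountName, $acct.LastLogonDate))\r\n        # Remediation per the advisory (uncomment to enforce):\r\n        # Disable-ADAccount -Identity $acct.SamAccountName\r\n    }\r\n}\r\n\r\n# 4. Process creation events (last 24 hours) for the utilities the actors ran.\r\n#    In the 4688 EventData schema, index 1 is SubjectUserName and index 5 is NewProcessName.\r\n$watched = @('ntdsutil.exe', 'rar.exe', 'regedit.exe')\r\n$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) }\r\nGet-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {\r\n    $proc = [string]$_.Properties[5].Value\r\n    if ($proc -and ($watched -contains [System.IO.Path]::GetFileName($proc).ToLower())) {\r\n        $findings.Add(('proc: {0} started at {1} by {2}' -f $proc, $_.TimeCreated, $_.Properties[1].Value))\r\n    }\r\n}\r\n\r\nif ($findings.Count -eq 0) { 'No findings.' } else { $findings }\r\n```\r\nTreat any hosts or duo finding as an active MFA bypass: either one means a password alone is enough to log on. Setting FailOpen to 0 closes the bypass used in this intrusion but also blocks logons while the Duo service is unreachable, so pair a fail-closed policy with monitoring of Duo connectivity rather than silently accepting the outage risk.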
\r\nFBI and CISA also recommend organizations implement the recommendations listed below to further reduce the\r\nrisk of malicious cyber activity.\r\nSecurity Best Practices\r\n• Deploy Local Administrator Password Solution (LAPS), enforce Server Message Block (SMB) signing,\r\nrestrict administrative privileges (local admin users, groups, etc.), and review sensitive materials on the\r\ndomain controller’s SYSVOL share.\r\n• Enable increased logging policies, enforce PowerShell logging, and ensure antivirus/endpoint detection and\r\nresponse (EDR) are deployed to all endpoints and enabled.\r\n• Routinely verify no unauthorized system modifications, such as additional accounts and Secure Shell\r\n(SSH) keys, have occurred to help detect a compromise. To detect these modifications, administrators can\r\nuse file integrity monitoring software that alerts an administrator or blocks unauthorized changes on the\r\nsystem.\r\nNetwork Best Practices\r\n• Monitor remote access/RDP logs and disable unused remote access/RDP ports.\r\n• Deny atypical inbound activity from known anonymization services, to include commercial VPN services\r\nand The Onion Router (TOR).\r\n• Implement allowlisting policies for applications and remote access that only allow systems to execute known\r\nand permitted programs under an established security policy.\r\n• Regularly audit administrative user accounts and configure access control under the concept of least\r\nprivilege.\r\n• Regularly audit logs to ensure new accounts are legitimate users.\r\n• Scan networks for open and listening ports and close those that are unnecessary.\r\n• Maintain historical network activity logs for at least 180 days, in case of a suspected compromise.\r\n• Identify and create offline backups for critical assets.\r\n• Implement network segmentation.\r\n• Automatically update anti-virus and anti-malware solutions and conduct regular virus and malware scans.\r\nRemote Work Environment Best Practices\r\nWith an increase in remote work environments and the use of VPN services, the FBI and CISA encourage\r\norganizations to implement the following best practices to improve network security:\r\n• Regularly update VPNs, network infrastructure devices, and devices used for remote work environments\r\nwith the latest software patches and security configurations.\r\n• When possible, implement multi-factor authentication on all VPN connections. Physical security tokens are\r\nthe most secure form of MFA, followed by authenticator applications. When MFA is unavailable, require\r\nemployees engaging in remote work to use strong passwords.\r\n• Monitor network traffic for unapproved and unexpected protocols.\r\n• Reduce potential attack surfaces by discontinuing unused VPN servers that may be used as a point of entry\r\nfor attackers.\r\nUser Awareness Best Practices\r\nCyber actors frequently use unsophisticated methods to gain initial access, which can often be mitigated by\r\nstronger employee awareness of indicators of malicious activity. The FBI and CISA recommend the following best\r\npractices to improve employee operations security when conducting business:\r\n• Provide end-user awareness and training. 
To help prevent targeted social engineering and spearphishing\r\nscams, ensure that employees and stakeholders are aware of potential cyber threats and delivery methods.\r\nAlso, provide users with training on information security principles and techniques.\r\n• Inform employees of the risks associated with posting detailed career information to social or professional\r\nnetworking sites.\r\n• Ensure that employees are aware of what to do and whom to contact when they see suspicious activity or\r\nsuspect a cyberattack, to help quickly and efficiently identify threats and employ mitigation strategies.\r\nInformation Requested\r\nAll organizations should report incidents and anomalous activity to the FBI via your local FBI field office or the\r\nFBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov and SayCISA@cisa.dhs.gov or by calling\r\n1-844-Say-CISA (1-844-729-2472).\r\nAPPENDIX A: Threat Actor Tactics and Techniques\r\nSee table 1 for the threat actors’ tactics and techniques identified in this CSA. See the ATT\u0026CK for Enterprise\r\nfor all referenced threat actor tactics and techniques.\r\nTable 1: Threat Actor MITRE ATT\u0026CK Tactics and Techniques\r\nTactic | Technique\r\nInitial Access [TA0001] | Valid Accounts [T1078]\r\nPersistence [TA0003] | External Remote Services [T1133]\r\nPersistence [TA0003] | Modify Authentication Process [T1556]\r\nPrivilege Escalation [TA0004] | Exploitation for Privilege Escalation [T1068]\r\nDefense Evasion [TA0005] | Modify Registry [T1112]\r\nCredential Access [TA0006] | Brute Force: Password Guessing [T1110.001]\r\nCredential Access [TA0006] | OS Credential Dumping: NTDS [T1003.003]\r\nDiscovery [TA0007] | Remote System Discovery [T1018]\r\nLateral Movement [TA0008] | (no technique listed)\r\nCollection [TA0009] | Archive Collected Data: Archive via Utility [T1560.001]\r\nRevisions\r\nMarch 15, 2022: Initial Version\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa22-074a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa22-074a"
	],
	"report_names": [
		"aa22-074a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6337b2f6904576c8e7f6b25b3a6a9e9ffa1821db.pdf",
		"text": "https://archive.orkl.eu/6337b2f6904576c8e7f6b25b3a6a9e9ffa1821db.txt",
		"img": "https://archive.orkl.eu/6337b2f6904576c8e7f6b25b3a6a9e9ffa1821db.jpg"
	}
}