Rewterz Threat Alert – Russian Nation-State Actors Exploiting MFA Protocols and PrintNightmare – Russian-Ukrainian Cyber Warfare

Severity

Medium

Analysis Summary

Russian Nation-State threat actors have started exploiting default MFA protocols and PrintNightmare (CVE-2021-34527) vulnerability to run arbitrary codes with elevated privileges. The APT group used compromised credentials to gain access to victim organization. The credentials were obtained through brute-force attacks. From there they gained elevated privileges using the PrintNightmare vulnerability. They were also able to successfully authenticate to the Victim’s VPN as non-administrator users and make RDP connections to Windows domain controllers.

Impact

• Credential Theft
• Financial Loss
• Privilege Escalation
• System Compromise

Indicators of Compromise

CVE

• CVE-2021-34527

Filename

• ping[.]exe
• regedit[.]exe
• rar[.]exe
• ntdsutil[.]exe

IP

• 173[.]239[.]198[.]46

Remediation

• Logging – Log your eCommerce environment’s network activity and web server activity.
• Passwords – Implement strong passwords.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely. Prioritize patching known exploited vulnerabilities.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner.