The US authorities have issued a new inform warning of Russian point out-backed malicious activity involving exploiting a well-known bug in Windows Print Spooler learned previous calendar year.
The US Cybersecurity and Infrastructure Security Company (CISA) explained that Russian actors experienced been spotted exploiting the PrintNightmare bug (CVE-2021-34527) back in Could 2021, targeting an unnamed NGO.
This was section of an attack chain that commenced when they exploited a misconfigured account established to default multi-factor authentication (MFA) protocols, allowing for them to enroll a new system for MFA and accessibility the victim’s network.
PrintNightmare then enabled the attackers to operate arbitrary code with program privileges and subsequently access cloud and email accounts for doc exfiltration.
The warn lists multiple mitigations that CISA urges all corporations to utilize, such as imposing MFA and reviewing configuration policies to guard versus “fail open” and re-enrollment eventualities.
It also asks organizations to make sure inactive accounts are disabled throughout Energetic Listing and MFA devices and that patches are prioritized for recognised exploited vulnerabilities.
“At CISA, we are excellent believers in MFA. It continues to be one particular of the most successful measures persons and corporations can consider to decrease their risk to destructive cyber exercise. This advisory demonstrates the crucial that corporations configure MFA thoroughly to maximize effectiveness,” stated CISA director Jen Easterly.
“Now, a lot more than at any time, companies ought to put their shields up to safeguard in opposition to cyber-intrusions, which usually means implementing the mitigations in this advisory including implementing MFA for all buyers without exception, patching regarded exploited vulnerabilities, and ensuring MFA is executed securely.”
The PrintNightmare zero-day was initial discovered unintentionally by Chinese researchers in July 2021. It is a distant code execution vulnerability that exists when the Windows Print Spooler assistance improperly performs privileged file operations, enabling attackers to operate arbitrary with procedure privileges.
Some pieces of this article are sourced from: