
CISA: The Risk of MFA Without Improving Password Security

The recent CISA Alert AA22-074A describes how Russian state-sponsored cyber actors gained access to a US NGO using compromised credentials and a flaw in default MFA protocols. This alert may help cybersecurity professionals understand that MFA alone is insufficient and that each authentication layer must be secured.

What happened, exactly?
As early as May 2021, the FBI observed Russian state-sponsored cyber actors gain access to an NGO, exploit a flaw in default MFA protocols, and move laterally to the NGO’s cloud environment.

How did the threat actors begin the attack?
The actors had initially obtained the credentials via a brute-force password attack, and because the individual user’s account had been using a simple, predictable password, the attack was successful.

Why did MFA not prevent access?
The victim account had been un-enrolled from Duo MFA due to a long period of inactivity but was not disabled in Active Directory.

Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts. This meant that the cyber attackers could, and did, easily enroll a new device for the account, allowing them complete access to the victim’s network.

From there, the cybercriminals were able to perform privilege escalation using the ‘PrintNightmare’ vulnerability. Once they had administrator privileges, additional cloud network takeover was much easier. Additionally, the actors were able to redirect Duo MFA calls, preventing the service from contacting its server. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable.

How can this type of attack be prevented?
The CISA alert underscores the flaw in thinking that device-based MFA alone is a magic bullet for cybersecurity problems. On the contrary, Multi-Factor Authentication (MFA) as a strong authentication method requires two or more appropriately hardened factors.

In the alert, both the FBI and CISA recommend that organizations also take the following actions to mitigate this issue:

  • Review MFA configuration policies.
  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Ensure inactive accounts are disabled uniformly.
  • Update software and apply patches.
  • Continuously monitor network logs for suspicious activity.
  • Require all accounts with password logins to have strong, unique passwords, and prevent password reuse.
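The gap the alert describes is an account that is still enabled in Active Directory while no longer enrolled in MFA. The following reconciliation check is an added example, not code from CISA, Duo, or this blog's authors: it joins a directory export against an MFA enrollment export and separates enabled-but-unenrolled accounts into dormant ones (to disable, per the mitigation list above) and active ones (to enroll). The field names and the sample rows are constructed assumptions, not any vendor's real export format; in practice the directory side would come from an AD query and the MFA side from the provider's admin export.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real): an Active Directory user listing and the
# MFA provider's list of enrolled users. Field names are assumptions.
AD_USERS = [
    {"sam": "alice",  "enabled": True,  "last_logon": "2022-03-01"},
    {"sam": "bob",    "enabled": True,  "last_logon": "2021-04-20"},  # dormant
    {"sam": "carol",  "enabled": False, "last_logon": "2021-02-11"},  # already disabled
    {"sam": "dave",   "enabled": True,  "last_logon": "2022-02-27"},
    {"sam": "svc-bk", "enabled": True,  "last_logon": None},          # never logged on
]
MFA_ENROLLED = {"alice", "carol"}  # bob, dave and svc-bk have no MFA device enrolled


def find_mfa_gaps(ad_users, mfa_enrolled, as_of, dormant_days=90):
    """Return (dormant, active) lists of account names that are enabled in AD
    but not enrolled in MFA, as of the date string as_of ("YYYY-MM-DD").

    dormant: no logon within dormant_days (or never). These match the
             AA22-074A pattern and should be disabled, not left open to
             self-service re-enrollment of a new MFA device.
    active:  recently used but unprotected; enroll them before an attacker does.
    """
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=dormant_days)
    dormant, active = [], []
    for user in ad_users:
        # Disabled accounts and enrolled accounts are not part of the gap.
        if not user["enabled"] or user["sam"] in mfa_enrolled:
            continue
        last = user["last_logon"]
        last_dt = datetime.strptime(last, "%Y-%m-%d") if last else None
        if last_dt is None or last_dt < cutoff:
            dormant.append(user["sam"])
        else:
            active.append(user["sam"])
    return sorted(dormant), sorted(active)


if __name__ == "__main__":
    dormant, active = find_mfa_gaps(AD_USERS, MFA_ENROLLED, "2022-03-15")
    print("disable (dormant, no MFA):", dormant)  # ['bob', 'svc-bk']
    print("enroll  (active, no MFA): ", active)   # ['dave']
```

The same join, run on a schedule, also catches the reverse drift: an account the MFA provider dropped for inactivity should show up here the day it happens, not months later.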

How can password security be improved?
As illustrated by the scenario in the alert, when users choose weak and common passwords, they are more likely to be victims of brute-force attacks.

Password reuse is another vulnerability. Users frequently employ the same or very similar passwords across accounts. This makes it much easier for bad actors to use password spraying or similar attacks successfully.

To combat existing password vulnerabilities within Active Directory, administrators can refer to NIST guidelines on password security. This includes preventing the reuse of compromised passwords and detecting when good passwords become compromised.