CISA Releases Advisory About Multifactor Authentication Bypass with Duo — Duo Responds

Posted in: Resources » Cyber Heads-up

TL;DR

Russian state-sponsored attackers compromised an NGO by exploiting the weak credentials of an inactive user, default settings in the Duo multifactor authentication service, and PrintNightmare to take over the environment. The way to protect organizations is to implement good cyber hygiene and modifying a couple of default settings in Duo.

Overview

On Tuesday, March 15, 2022, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released alert AA22-074A titled, “Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and ‘PrintNightmare’ Vulnerability”.

In the alert, CISA describes how threat actors compromised an organization by brute forcing an account with a weak password. The account was tied to a user who hadn’t been with the organization for quite some time and whose account was not ever deactivated in Microsoft Active Directory.  The organization had a Duo feature that deactivates inactive users automatically, so when the attackers used that account to log in, they were prompted to enroll in Duo, which they could do using their own smart phones. The attackers were then able to exploit the PrintNightmare vulnerability (CVE-2021-34527) to obtain administrator privileges, disable Duo and move further into the environment unimpeded.

Duo sent an email to all customers providing them with guidance on a series of mitigations, some of which we endorse, and others which may not be easily implemented or relevant in the context of all use cases. We won’t get into all of them in detail, but the ones we feel are most useful to the broadest spectrum of organizations are reflected in our take on the situation. Unfortunately, they didn’t post the contents of the email to their web site or social media so we can’t link to it here.

Assura’s Take

One of the reasons why this attack worked was that the victim’s Duo was configured on their Window’s servers to “fail open” — that is, to permit users to authenticate even though the attacker rendered the server unable to communicate with the Duo service. This is the default behavior of the Duo Windows agent. We recommend that administrators configure their Duo Windows/RDP agents to “fail secure” with offline authentication enabled. That way, if an attacker does manage to prevent communications to the Duo API servers, administrators are still able to log in via the Duo Windows offline authentication facility.

We also recommend that administrators:

  1. Ensure that users are required to have strong passwords (>15 characters long)
  2. Disable inactive user expiration in Duo
  3. Disable unused accounts in Active Directory, Azure Active Directory, and OpenLDAP and remove them after not more than 90 days of inactivity
  4. Apply the PrintNightmare mitigations by applying Microsoft’s security updates for the vulnerability and the mitigations discussed above
  5. Regularly (at least once every 30 days) review Duo enrollment logs to identify enrollment of smart devices from unexpected countries

MFA strengthens identification and authentication, but it is not a substitute for good password management, vigilant account administration, and applying security updates. Rather, MFA works in concert with those other activities.

If you’re an Assura managed Duo client, our Security Operations Center is reviewing Duo enrollment logs on a regular basis. As always, if you have any questions about this, feel free to contact us through our website.