Site icon Sophos News

CISA warning: “Russian actors bypassed 2FA” – what happened and how to avoid it

The US Cybersecurity and Infrastructure Security Agency (CISA) has just put out a bulletin numbered AA22-074A, with the dramatic title Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability.

To sidestep rumours based on the title alone (which some readers might interpret as an attack that is going on right now), and instead to reinforce the lessons that CISA hopes this incident can teach us, here’s what you need to know.

Fortunately, the overall story is simply and quickly told.

The attack dates back to May 2021, and the victim was an non-government organisation, or NGO, un-named by CISA.

As far as we can tell, and briefly summarised, the attackers:

At this point, as you can imagine, the attackers were able to add new accounts without worrying about 2FA; wander around the network; riffle through organisational data stored in the cloud; and snoop on email accounts.

CISA didn’t give any information about how much data was accessed, how long the attackers stayed inside the network, or what, if anything, was exfiltrated.

Those details would have been interesting to read about, to be sure, but they’re not critical to the story.

What’s important is how the attackers got in, and how the infiltration could have been prevented.

What to do?

Our recommendations are:

And, of course:

Things to remember

The title of this CISA bulletin may sound dramatic, but this was not a new type of attack; it did not rely on any previously unknown flaws in 2FA; and it did not rely on hard-to-spot exploits or brand new hacking tools.

(Although the attackers did indeed use the PrintNightmare exploit in this case, they were still able to get inside the network without it.)

Remember that Proactive SecOps + Strong monitoring + Fast response + Safe configuration choices = A better prospect of stopping attackers in time.

If you don’t have the experience or the time to maintain ongoing threat reponse by yourself, consider partnering with a service like Sophos Managed Threat Response.

We help you take care of the activities you’re struggling to keep up with because of all all the other daily demands that IT dumps on your plate.


Not enough time or staff?
Learn more about Sophos Managed Detection and Response:
24/7 threat hunting, detection, and response  ▶


Exit mobile version