Russian state-sponsored cyber actors exploit default MFA protocols



The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to warn organisations that Russian state-sponsored cyber actors have gained network access through the exploitation of default Multi-Factor Authentication (MFA) protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account left on default MFA protocols at a non-governmental organisation (NGO), allowing them to enrol a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, ‘PrintNightmare’ (CVE-2021-34527), to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.

Roger Grimes, Data-Driven Defence Evangelist at KnowBe4, said: “This is due to the fact that Duo MFA ‘fails open’ when the MFA device can’t contact the Duo server. If a hacker can intentionally prevent the Duo MFA instance from connecting to the Duo MFA server, by default, Duo ‘gets out of the way’ and lets the user attempting to use it get in. Duo configures their MFA instances that way by default so that if there is a network connection issue or DNS issue, the administrator using the Duo MFA can still log in and take care of the problem.

“Duo is assuming that the admin may be trying to log in to troubleshoot some network connection issue and doesn’t want a network connection issue to prevent them from getting in. It (i.e. the fail-open outcome) is a default configuration setting, but can be easily disabled by the admin configuring Duo MFA to choose the non-default option of ‘fail close’. It’s literally just a checkmark option difference.

“Duo’s fail-open default is a known issue and has been abused before. I write about it in my book, Hacking Multifactor Authentication, and recommend that Duo change the default to ‘fail close’. That’s the only reasonable, secure, default option. At the same time, I can understand why Duo did it. They likely had admins troubleshooting network connection issues or involved in scenarios where network connection issues were a problem, and Duo-using admins could not log in using Duo MFA because of it. Some of them complained and Duo changed the default option so it didn’t prevent the admins from logging in to troubleshoot the network connection issues. Duo is stuck between a rock and a hard place. You want to give both security and make customers happy. And when forced to make the choice, Duo defaults to happier customers, believing that customers wanting a different configuration setting can simply change the option. Unfortunately, defaults matter. And most customers will accept most defaults and assume it protects them better. In this case, it does not. And voilà! Now you have an easy-to-prevent vulnerability that is known and used by hackers.”
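The “checkmark option” Grimes refers to is, on Duo Unix (pam_duo / login_duo), the `failmode` key in the `[duo]` section of the config file. As an added defender's check, not code from the article or from Duo, the script below reads a pam_duo.conf-style file and reports whether it fails open. It assumes Duo Unix's `failmode = safe` (fail open) / `failmode = secure` (fail closed) values and treats an absent key as fail-open, which is the documented default; the section name, file contents and key values are constructed placeholders.

```python
"""Audit a Duo Unix-style config (pam_duo.conf / login_duo.conf) for fail-open.

Assumption: the file uses the [duo] section and the 'failmode' key with the
values 'safe' (fail open, Duo's documented default) or 'secure' (fail closed).
"""
import configparser
from typing import Tuple

# Constructed sample: the fail-open setting as shipped by default.
WEAK_CONF = """
[duo]
ikey = INTEGRATION_KEY_PLACEHOLDER
skey = SECRET_KEY_PLACEHOLDER
host = api-PLACEHOLDER.duosecurity.com
failmode = safe
"""

# Constructed sample: the same file with the hardened, fail-closed setting.
HARDENED_CONF = """
[duo]
ikey = INTEGRATION_KEY_PLACEHOLDER
skey = SECRET_KEY_PLACEHOLDER
host = api-PLACEHOLDER.duosecurity.com
failmode = secure
"""

# Constructed sample: failmode omitted entirely, so the default applies.
MISSING_CONF = """
[duo]
ikey = INTEGRATION_KEY_PLACEHOLDER
skey = SECRET_KEY_PLACEHOLDER
host = api-PLACEHOLDER.duosecurity.com
"""


def audit_failmode(conf_text: str, section: str = "duo") -> Tuple[bool, str]:
    """Return (fails_open, reason) for the given config text.

    Anything that is not an explicit 'failmode = secure' is reported as
    fail-open, because an unset key takes Duo's fail-open default and an
    unrecognised value cannot be trusted until verified by hand.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)

    if not parser.has_section(section):
        return True, f"no [{section}] section found; cannot confirm fail-closed"

    mode = parser.get(section, "failmode", fallback=None)
    if mode is None:
        return True, "failmode not set; Duo's documented default is 'safe' (fail open)"

    mode = mode.strip().lower()
    if mode == "secure":
        return False, "failmode = secure (fail closed): auth is denied when Duo is unreachable"
    if mode == "safe":
        return True, "failmode = safe (fail open): auth is ALLOWED when Duo is unreachable"
    return True, f"unrecognised failmode value {mode!r}; treat as fail open until verified"


def audit_file(path: str) -> Tuple[bool, str]:
    """Convenience wrapper for a config file on disk (e.g. /etc/duo/pam_duo.conf)."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_failmode(fh.read())


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("missing", MISSING_CONF)):
        fails_open, reason = audit_failmode(text)
        status = "FAIL-OPEN" if fails_open else "ok"
        print(f"{label:>9}: {status:<9} {reason}")
```

Run it against the real file with `audit_file("/etc/duo/pam_duo.conf")` on each host; a configuration-management check that asserts the result is `False` turns the “checkmark” into something enforced rather than remembered.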
