germashift.blogg.se

Sophos download link
The US Cybersecurity and Infrastructure Security Agency (CISA) has just put out a bulletin numbered AA22-074A, with the dramatic title Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability.

To sidestep rumours based on the title alone (which some readers might interpret as an attack that is going on right now), and instead to reinforce the lessons that CISA hopes this incident can teach us, here’s what you need to know.

Fortunately, the overall story is simply and quickly told.

The attack dates back to May 2021, and the victim was a non-government organisation, or NGO, un-named by CISA.

As far as we can tell, and briefly summarised, the attackers:

  • Got an initial foothold due to a poorly-chosen password.
  • Found an account that had been left inactive for ages, instead of being removed.
  • Re-enrolled the account into the 2FA system, as though the original user were reactivating it.
  • Logged in as this user, sailing past the 2FA part thanks to re-enrolling the account with their own device.
  • Exploited the PrintNightmare vulnerability to get Domain Administrator access.
  • Deliberately broke the 2FA system by messing with its configuration, so it no longer demanded 2FA responses from anyone.

At this point, as you can imagine, the attackers were able to add new accounts without worrying about 2FA, wander around the network, riffle through organisational data stored in the cloud, and snoop on email accounts.

CISA didn’t give any information about how much data was accessed, how long the attackers stayed inside the network, or what, if anything, was exfiltrated.

Those details would have been interesting to read about, to be sure, but they’re not critical to the story. What’s important is how the attackers got in, and how the infiltration could have been prevented.

  • Review unused accounts regularly and get rid of any that are no longer needed.
  • Make sure that you have a clear and complete process for removing users and their accounts if they leave the company, or if they switch to a different part of the organisation with a different network.
  • Fully disable or remove dud accounts as soon as you can.
  • If your users find good passwords hard to invent and remember (and most people do, leading them to fall back on obvious words or phrases instead), consider investing in a password manager for everyone, and showing your staff how to use it.
  • If you have an authentication system that you consider so unimportant that your policy allows you to skip it for convenience, why have it at all? Build the system to be suitably robust that it can fail closed, and devise a robust procedure for recovering it on the rare occasions that it does go wrong. Failing open means that if the system breaks, it will start letting everyone bypass that part of the authentication process, instead of keeping everyone out until the problem is fixed.
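To make the fail-open versus fail-closed distinction and the dormant-account advice concrete, here is a small added Python illustration (not code from the post or from CISA’s advisory): a login flow with a `fail_open` switch, plus an enrolment check that refuses to register a 2FA device for a dormant or disabled account. The account records, the 90-day inactivity threshold and the reference date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference time and inactivity threshold (assumptions, not from CISA).
NOW = datetime(2021, 5, 15)
INACTIVITY_LIMIT = timedelta(days=90)

@dataclass
class Account:
    name: str
    password_ok: bool   # outcome of the primary password check (constructed)
    last_login: datetime
    disabled: bool = False

class MFAUnavailable(Exception):
    """Second-factor service unreachable or misconfigured."""

def is_dormant(acct: Account) -> bool:
    return NOW - acct.last_login > INACTIVITY_LIMIT

def allow_reenrollment(acct: Account) -> bool:
    """Refuse to (re-)enrol a 2FA device for a disabled or dormant account;
    re-enrolling a dormant account is how the attackers registered their own device."""
    return not acct.disabled and not is_dormant(acct)

def authenticate(acct: Account, mfa_check, fail_open: bool) -> bool:
    """Primary factor first, then second factor. mfa_check returns True/False
    or raises MFAUnavailable. fail_open=True is the weak policy the post warns
    about; fail_open=False fails closed."""
    if acct.disabled or is_dormant(acct) or not acct.password_ok:
        return False
    try:
        return bool(mfa_check(acct))
    except MFAUnavailable:
        # Fail open: a broken 2FA service waves everyone through.
        # Fail closed: nobody gets in until it is repaired.
        return fail_open

def broken_mfa(acct: Account) -> bool:
    raise MFAUnavailable("2FA configuration no longer demands a response")

def working_mfa(acct: Account) -> bool:
    return True

# Constructed sample accounts: one in daily use, one untouched for over a year.
ACTIVE = Account("alice", True, NOW - timedelta(days=2))
DORMANT = Account("old-contractor", True, NOW - timedelta(days=400))
```

With `fail_open=True`, a tampered 2FA service lets `ACTIVE` straight through; with `fail_open=False` the same breakage locks everyone out until it is fixed, and the dormant account is refused both login and re-enrolment regardless of the 2FA state.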