CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity
Advisory that details how Russian state-sponsored cyber actors
accessed a network with misconfigured default multifactor authentication (MFA)
protocols. The actors then exploited a critical Windows Print Spooler
vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with
system privileges. The advisory provides observed tactics, techniques, and
procedures, as well as indicators of compromise and mitigations to protect
against this threat.
CISA encourages users and administrators to review AA22-074A: Russian
State-Sponsored Cyber Actors Gain Network Access by Exploiting Default
Multifactor Authentication Protocols and “PrintNightmare” Vulnerability.
For general information on Russian state-sponsored malicious cyber activity,
see cisa.gov/Russia. For more information on the threat of Russian
state-sponsored malicious cyber actors to U.S. critical infrastructure, as well
as additional mitigation recommendations, see Understanding and Mitigating
Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and
cisa.gov/shields-up.