Severity
Medium
Analysis Summary
Russian Nation-State threat actors have started exploiting default MFA protocols and PrintNightmare (CVE-2021-34527) vulnerability to run arbitrary codes with elevated privileges. The APT group used compromised credentials to gain access to victim organization. The credentials were obtained through brute-force attacks. From there they gained elevated privileges using the PrintNightmare vulnerability. They were also able to successfully authenticate to the Victim’s VPN as non-administrator users and make RDP connections to Windows domain controllers.
Impact
- Credential Theft
- Financial Loss
- Privilege Escalation
- System Compromise
Indicators of Compromise
CVE
- CVE-2021-34527
Filename
- ping[.]exe
- regedit[.]exe
- rar[.]exe
- ntdsutil[.]exe
IP
- 173[.]239[.]198[.]46
Remediation
- Logging – Log your eCommerce environment’s network activity and web server activity.
- Passwords – Implement strong passwords.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- WAF – Set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Patch – Patch and upgrade any platforms and software timely. Prioritize patching known exploited vulnerabilities.
- 2FA – Enable two-factor authentication.
- Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner.