Dive Brief:
- The FBI and Cybersecurity and Infrastructure Security Agency on Tuesday warned U.S. organizations about Russian state-sponsored threat actors exploiting the PrintNightmare vulnerability, as well as misconfigured account settings used in multifactor authentication (MFA) to launch attacks.
- The threat actors launched an attack against a non-governmental organization (NGO) dating back to May 2021 by taking advantage of an MFA setting that had been left at a misconfigured default. They used this weakness to enroll a new device and gain network access, according to the bulletin. After gaining access to cloud and email accounts, the attackers exploited the PrintNightmare vulnerability to steal documents.
- Separately, ESET researchers are warning about a third data-wiping malware, called CaddyWiper, which destroys user data and partition information. The wiper was found Monday on several dozen systems in a limited set of organizations in Ukraine, but it does not share code similarities with either HermeticWiper or IsaacWiper.
Dive Insight:
The new cyberthreats emerged as the Russian invasion of Ukraine continued into a third week, and U.S. national security experts briefed Congress on threats to the homeland.
Officials have been on heightened alert, watching for state-sponsored actors or affiliated criminal organizations to lash out at critical infrastructure providers or government targets in frontline NATO countries or even the U.S. in retaliation for the crippling economic sanctions against Russia.
CISA urged organizations to make sure their MFA settings are properly configured to protect against "fail-open" scenarios, in which a login is allowed through when the MFA service cannot be reached, and to take other steps, including updating software and disabling unused accounts.
CISA Director Jen Easterly said the agency is a big believer in MFA, calling it one of the most effective means of mitigating a potential attack.
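As an added illustration that is not part of the article or of the advisory it summarizes, the toy model below simulates an MFA access-control policy and shows how the two weaknesses mentioned here (a fail-open setting and permissive default device enrollment on a dormant account) interact, beside a hardened policy that fails closed, refuses self-enrollment on unenrolled accounts and disables dormant accounts. The policy fields, the account and the device identifiers are constructed for the example and do not model any particular vendor's product.

```python
"""
Toy MFA policy model (constructed example, not any vendor's implementation).
It contrasts a permissive default policy with a hardened one for the same
login attempt: a valid password on a dormant account with no enrolled device,
once with the MFA service reachable and once with it unreachable.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class MfaPolicy:
    # Assumed weak defaults: an unreachable MFA service lets the login through
    # (fail-open), and an account with no enrolled device may self-enroll one.
    fail_open: bool = True
    allow_self_enroll_when_unenrolled: bool = True
    dormant_after_days: int = 90
    disable_dormant_accounts: bool = False


DEFAULT = MfaPolicy()
HARDENED = MfaPolicy(
    fail_open=False,
    allow_self_enroll_when_unenrolled=False,
    disable_dormant_accounts=True,
)


@dataclass
class Account:
    name: str
    password_ok: bool
    enrolled_devices: List[str] = field(default_factory=list)
    last_login: date = date(2021, 1, 1)
    disabled: bool = False


def evaluate_login(acct: Account, policy: MfaPolicy, mfa_service_reachable: bool,
                   device_id: str, today: date) -> Tuple[str, str]:
    """Return ('ALLOW' | 'DENY', reason) for one login attempt under a policy."""
    if acct.disabled:
        return ("DENY", "account disabled")
    dormant = (today - acct.last_login).days > policy.dormant_after_days
    if dormant and policy.disable_dormant_accounts:
        return ("DENY", "dormant account")
    if not acct.password_ok:
        return ("DENY", "bad password")
    if not mfa_service_reachable:
        if policy.fail_open:
            # The weak setting: MFA is skipped entirely when the service is down.
            return ("ALLOW", "fail-open: MFA service unreachable, MFA bypassed")
        return ("DENY", "fail-closed: MFA service unreachable")
    if device_id in acct.enrolled_devices:
        return ("ALLOW", "MFA satisfied by enrolled device")
    if not acct.enrolled_devices and policy.allow_self_enroll_when_unenrolled:
        # Permissive default: whoever holds the password registers the first device.
        acct.enrolled_devices.append(device_id)
        return ("ALLOW", "new device self-enrolled on unenrolled account")
    return ("DENY", "unrecognized device")


def run_scenario(policy: MfaPolicy, mfa_service_reachable: bool,
                 last_login: date = date(2021, 1, 1)) -> str:
    # Constructed account: valid password, no enrolled device, last seen Jan 2021.
    acct = Account("svc-legacy", password_ok=True, last_login=last_login)
    decision, _reason = evaluate_login(acct, policy, mfa_service_reachable,
                                       "unknown-device-1", date(2021, 5, 15))
    return decision


def compare_policies() -> Dict[str, str]:
    """Outcomes of the same login attempt under the default and hardened policies."""
    return {
        "default/mfa-reachable": run_scenario(DEFAULT, True),
        "default/mfa-unreachable": run_scenario(DEFAULT, False),
        "hardened/mfa-reachable": run_scenario(HARDENED, True),
        "hardened/mfa-unreachable": run_scenario(HARDENED, False),
        # An active account is not caught by the dormancy rule, so the other
        # two hardened settings have to do the work.
        "hardened/active/mfa-reachable": run_scenario(HARDENED, True, date(2021, 5, 10)),
        "hardened/active/mfa-unreachable": run_scenario(HARDENED, False, date(2021, 5, 10)),
    }


if __name__ == "__main__":
    for scenario, decision in compare_policies().items():
        print(f"{scenario:36s} {decision}")
```

Under the default policy both runs end in ALLOW: with the service reachable the unenrolled account simply registers the unknown device, and with it unreachable the fail-open rule skips MFA. Under the hardened policy every run ends in DENY, each blocked by a different setting, which is the point of configuring all three rather than relying on any one of them.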
"This advisory demonstrates the imperative that organizations configure MFA properly to maximize effectiveness," Easterly said in the announcement.
Bryan Vorndran, assistant director of the FBI Cyber Division, urged organizations to contact the agency or CISA if they experience any similar attempts at exploitation.
The timing of the CISA/FBI advisory on the PrintNightmare attacks, however, raises questions as to whether there is an active ongoing threat, or if officials simply made a decision to raise awareness due to the Ukraine war.