Russian actors circumvent 2FA: what happened and how to avoid it
The attack dates back to May 2021 and the victim was a non-governmental organisation. Here is, in a nutshell, how the attackers managed to circumvent the system:
- Guessed the password of an account, which was weak and easily predictable
- The account had been unused for years but was never disabled
- Enrolled a new device for that account in the 2FA system, as if the original user were re-activating it
- Logged in as that user
- Exploited the PrintNightmare vulnerability (CVE-2021-34527) to obtain domain administrator privileges
- Neutralised the 2FA system by altering its configuration so that it no longer demanded a second factor from anyone
Once inside, they were able to add new accounts, move laterally through the network, browse the organisation's data in the cloud and read e-mail accounts.
How can this type of infiltration be prevented?
- Choose strong passwords (see our social channels for secure-password tips)
- Disable, or better still remove, accounts that are no longer used
- Do not configure 2FA to 'fail open': if the second-factor service cannot be reached, the login should be refused rather than waved through
- React quickly when key security features of the system stop working
- Give staff a single point of contact for reporting problems
- Regularly monitor system logs for risky behaviour such as the creation of new accounts
- Keep everything patched so that known bugs such as PrintNightmare cannot be used against you
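The following script is an added example, not code from the original article or from any vendor; it shows three of the checks above in working form: flagging dormant accounts that should be disabled, spotting password guessing, new-account creation and privileged-group additions in Windows Security events, and deciding a login when the 2FA service is unreachable under 'fail open' versus 'fail closed'. Account names, timestamps and the event records are constructed for the example; the event IDs (4625 failed logon, 4624 logon, 4720 account created, 4728/4732/4756 member added to a security group) are the standard Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account inventory (hypothetical names and dates).
ACCOUNTS = [
    {"name": "j.smith", "enabled": True, "last_logon": datetime(2021, 4, 28)},
    {"name": "old.contractor", "enabled": True, "last_logon": datetime(2019, 2, 3)},
    {"name": "svc-backup", "enabled": True, "last_logon": None},
    {"name": "retired.user", "enabled": False, "last_logon": datetime(2018, 6, 1)},
]

# Constructed Windows Security events; "subject" is who performed the action,
# "target" is the account acted upon. Only the IDs are real.
EVENTS = [
    {"time": "2021-05-03T01:00:00", "id": 4625, "target": "old.contractor", "subject": "-", "group": None},
    {"time": "2021-05-03T01:01:00", "id": 4625, "target": "old.contractor", "subject": "-", "group": None},
    {"time": "2021-05-03T01:02:00", "id": 4625, "target": "old.contractor", "subject": "-", "group": None},
    {"time": "2021-05-03T01:03:00", "id": 4625, "target": "old.contractor", "subject": "-", "group": None},
    {"time": "2021-05-03T01:04:00", "id": 4625, "target": "old.contractor", "subject": "-", "group": None},
    {"time": "2021-05-03T01:05:00", "id": 4625, "target": "old.contractor", "subject": "-", "group": None},
    {"time": "2021-05-03T01:06:00", "id": 4624, "target": "old.contractor", "subject": "-", "group": None},
    {"time": "2021-05-03T01:20:00", "id": 4720, "target": "helpdesk2", "subject": "old.contractor", "group": None},
    {"time": "2021-05-03T01:21:00", "id": 4728, "target": "helpdesk2", "subject": "old.contractor", "group": "Domain Admins"},
    {"time": "2021-05-03T08:00:00", "id": 4624, "target": "j.smith", "subject": "-", "group": None},
]

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}


def find_dormant_accounts(accounts, now, max_idle_days=90):
    """Enabled accounts that have not logged on within max_idle_days (or ever).

    These are the accounts an attacker can quietly take over and re-enrol in 2FA,
    so they should be disabled or removed."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(
        a["name"] for a in accounts
        if a["enabled"] and (a["last_logon"] is None or a["last_logon"] < cutoff)
    )


def detect_risky_events(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (alert_type, account) pairs for the behaviours worth paging on.

    - password_guessing: fail_threshold failed logons against one account inside
      a sliding time window (fires once, when the threshold is first reached)
    - account_created: any new account
    - admin_group_add: any account added to a privileged group"""
    alerts = []
    failures = defaultdict(list)  # account -> recent failure timestamps
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4625:
            recent = failures[e["target"]]
            recent.append(t)
            while recent and t - recent[0] > window:
                recent.pop(0)  # drop failures that fell out of the window
            if len(recent) == fail_threshold:
                alerts.append(("password_guessing", e["target"]))
        elif e["id"] == 4720:
            alerts.append(("account_created", e["target"]))
        elif e["id"] in GROUP_ADD_EVENTS and e["group"] in ADMIN_GROUPS:
            alerts.append(("admin_group_add", e["target"]))
    return alerts


def mfa_decision(primary_ok, second_factor, fail_mode="closed"):
    """Decide a login. second_factor is True/False for a verified/rejected
    factor and None when the 2FA service could not be reached.

    fail_mode='open' reproduces the dangerous setting: an unreachable 2FA
    service lets a correct password through on its own."""
    if not primary_ok:
        return False
    if second_factor is None:
        return fail_mode == "open"
    return second_factor


if __name__ == "__main__":
    print("dormant:", find_dormant_accounts(ACCOUNTS, datetime(2021, 5, 1)))
    for alert in detect_risky_events(EVENTS):
        print("ALERT", *alert)
    print("2FA unreachable, fail open  ->", mfa_decision(True, None, "open"))
    print("2FA unreachable, fail closed ->", mfa_decision(True, None, "closed"))
```

Run against the constructed data, the script lists `old.contractor` and `svc-backup` as dormant, raises a password-guessing alert for `old.contractor` at the fifth failure, then flags the creation of `helpdesk2` and its addition to Domain Admins, and shows that only the fail-closed policy refuses the login when the second factor cannot be checked.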
If you do not have the experience or time to maintain an ongoing threat response yourself, consider partnering with a service such as Sophos Managed Threat Response.
We help you take care of the tasks you struggle to keep up with because of all the other daily demands IT places on you.
Backdoors are another danger to your computer security; learn more here.