When Misconfigurations Open the Door to Russian Attackers

Misconfigurations are one of the most common causes of data breaches. According to the Identity Theft Resource Center (ITRC), configuration mistakes were responsible for a third of data breaches that resulted from human error in 2021. Some of these incidents involved misconfigured firewalls that allowed access to internal systems. Others involved unauthorized access to corporate cloud systems and servers.

Misconfigurations and State-Sponsored Attacks

Looking ahead, misconfigurations are unlikely to become less prevalent. In fact, Gartner predicted that by 2023, 99% of cloud security incidents "will be the customer's fault" as a result of misconfigurations, per Infosecurity Magazine. Threat actors are far too familiar with misconfigurations to give them up as an attack vector. This holds true even for nation-state actors like those in Russia.

To illustrate, let’s examine a couple of recent cases where state-sponsored actors from Russia used misconfigurations to their advantage.

Preying on an NGO with PrintNightmare

In mid-March, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) announced that it had detected malicious online activity tracing back to May 2021. The attack began when state-sponsored Russian threat actors exploited a misconfigured account that had been left on default multi-factor authentication (MFA) protocols at a non-governmental organization (NGO). The attackers leveraged that misconfiguration to enroll a new device in the victim's MFA scheme and gain access to its network.

At that point, the malicious actors exploited PrintNightmare. Tracked as CVE-2021-34526, PrintNightmare refers to a Windows Print Spooler vulnerability that allows an attacker to execute arbitrary code with system privileges. The Russian attackers ultimately abused the flaw in combination with a popular authenticator app. In doing so, they gained access to cloud and email accounts for the purpose of exfiltrating data from the NGO.
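The NGO intrusion above hinged on an attacker enrolling a new MFA device into an account that had been left on default settings. A defender-side control for that step is to watch the identity provider's audit log for enrollments that do not fit the account's history. The following Python script is an added example, not code from CISA or from the CIS article: it runs over a constructed JSON-lines audit log (invented records, generic field names such as `event`, `user` and `src_ip`, not any real provider's schema) and flags an enrollment when the account had been dormant for longer than a threshold or when the enrollment came from a source address never seen in that account's prior successful logins.

```python
import json
from datetime import datetime, timedelta

# Constructed sample MFA audit log (JSON lines). These records are invented for
# the example; they are not from the CISA advisory or any real identity provider.
SAMPLE_LOG = """
{"ts": "2021-01-10T09:12:00Z", "user": "analyst1", "event": "login_success", "src_ip": "203.0.113.10"}
{"ts": "2021-01-11T10:00:00Z", "user": "analyst1", "event": "login_success", "src_ip": "203.0.113.10"}
{"ts": "2021-05-02T03:41:00Z", "user": "analyst1", "event": "mfa_device_enrolled", "src_ip": "198.51.100.77"}
{"ts": "2021-05-02T03:42:00Z", "user": "analyst1", "event": "login_success", "src_ip": "198.51.100.77"}
{"ts": "2021-05-01T14:00:00Z", "user": "ops2", "event": "login_success", "src_ip": "203.0.113.22"}
{"ts": "2021-05-03T09:00:00Z", "user": "ops2", "event": "mfa_device_enrolled", "src_ip": "203.0.113.22"}
"""


def parse_log(text):
    """Parse JSON-lines audit records into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        # fromisoformat() does not accept a trailing 'Z' on older Pythons, so map it
        # to an explicit UTC offset.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_suspicious_enrollments(events, dormant_days=30):
    """Return enrollment events that look out of place for the account's history.

    An enrollment is flagged when:
      - dormant_account: the account's last successful login was more than
        `dormant_days` before the enrollment (a reactivated dormant account is
        exactly the pattern in the NGO case), or
      - new_source_ip: the enrollment came from an address that never appeared in
        the account's earlier successful logins.
    Accounts with no prior login at all are skipped: a brand-new user enrolling a
    first device is expected and would otherwise always trigger.
    """
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "mfa_device_enrolled":
            continue
        # events is sorted, so everything before index i happened earlier.
        prior_logins = [
            e for e in events[:i]
            if e["user"] == ev["user"] and e["event"] == "login_success"
        ]
        if not prior_logins:
            continue
        reasons = []
        last_login = max(e["ts"] for e in prior_logins)
        if ev["ts"] - last_login > timedelta(days=dormant_days):
            reasons.append("dormant_account")
        known_ips = {e["src_ip"] for e in prior_logins}
        if ev["src_ip"] not in known_ips:
            reasons.append("new_source_ip")
        if reasons:
            findings.append({
                "user": ev["user"],
                "ts": ev["ts"].isoformat(),
                "src_ip": ev["src_ip"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_enrollments(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data only `analyst1` is reported: its new device was enrolled roughly four months after the last login and from an address the account had never used, while `ops2` enrolled a device two days after a login from its usual address and is left alone. The dormancy threshold and the "known address" baseline are the two knobs to tune against an organization's own login patterns; the point of the check is to make an attacker-added authenticator visible, which the default-protocol misconfiguration in the NGO case did not.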

Interruption of a Satellite Broadband Service

Around the same time as CISA's alert, American communications company Viasat announced that a cyber-attack against its high-throughput telecommunications satellite network had disrupted its KA-SAT consumer satellite broadband service. While the company said that the incident hadn't affected most of its users, it clarified that the cyber-attack had affected several thousand customers in Ukraine and other fixed broadband customers in Europe.

In the process of investigating the cyber-attack, Viasat learned that threat actors had gained access to a trusted management segment of the KA-SAT network by exploiting a misconfiguration in a VPN appliance. They had then moved laterally to another privileged network segment before executing management commands across numerous residential modems. Those commands overwrote the modems' flash memory and prevented them from reconnecting to the network.

How Organizations Can Defend Against Russian Attackers

Organizations need a way to harden their systems, eliminate security misconfigurations, and thereby defend themselves against Russian attackers. This is where CIS SecureSuite Membership comes in. Members receive access to the CIS Benchmarks for eliminating misconfigurations by hardening specific technologies in their environments. They can also access tools that help to coordinate and optimize their hardening efforts. These tools provide help with the following:

In addition to the tools discussed above, organizations can use the guidance released by CIS along with the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (the MS-ISAC and the EI-ISAC) to further protect themselves against potential Russian cyber-attacks. The guidance is specific to U.S. State, Local, Tribal, and Territorial (SLTT) government organizations, but much of it applies to other entities as well. These recommendations include turning on MFA for any system that offers it, enabling logging on any device that is capable of it, and developing or updating an incident response (IR) plan.

Shutting Down Misconfigurations

Russian attackers and other malicious actors will continue to seize upon misconfigurations whenever they find them. This is why organizations need to limit the incidence of misconfigurations in their environments as much as possible. Using a CIS SecureSuite Membership, organizations can automate the process of assessing their current configurations and implementing more secure configurations. These efforts create the foundation for a robust cyber defense program going forward.