When Misconfigurations Open the Door to Russian Attackers
Misconfigurations are one of the most common causes of data breaches. According to the Identity Theft Resource Center (ITRC), configuration mistakes were responsible for a third of data breaches that resulted from human error in 2021. Some of these incidents involved misconfigured firewalls that allowed access to internal systems. Others involved unauthorized access to corporate cloud systems and servers.
Misconfigurations and State-Sponsored Attacks
Looking ahead, misconfigurations are unlikely to become any less prevalent. Gartner predicted that 99% of cloud security incidents "will be the customer's fault" as a result of misconfigurations by 2023, per Infosecurity Magazine. Threat actors are simply too familiar with misconfigurations to give them up as an attack vector. That holds true even for nation-state actors, including those in Russia.
To illustrate, let’s examine a couple of recent cases where state-sponsored actors from Russia used misconfigurations to their advantage.
Preying on an NGO with PrintNightmare
In mid-March 2022, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published an advisory on malicious activity it traced back to as early as May 2021. State-sponsored Russian threat actors gained initial access to a non-governmental organization (NGO) through a misconfigured account that had been left on the default multi-factor authentication (MFA) policy. The account had been un-enrolled from MFA after a long period of inactivity but was never disabled in the directory, and the default policy allowed whoever held the password to enroll a new device. After obtaining the password by brute-force guessing, the attackers enrolled a device of their own into the victim's MFA and used the account to reach the network.
At that point, the malicious actors exploited PrintNightmare. Tracked as CVE-2021-34527, PrintNightmare is a Windows Print Spooler vulnerability that lets an authenticated user execute arbitrary code with SYSTEM privileges; the attackers used it to escalate to administrator. With those privileges they edited the host's hosts file so that the MFA provider's API hostname resolved to localhost. Because the MFA agent was configured to "fail open" when it cannot reach its server, the MFA check was effectively disabled. The attackers then authenticated to the NGO's cloud and email accounts and exfiltrated data.
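The NGO case combines two conditions: an MFA hostname pinned to a black-hole address in the hosts file, and an MFA agent that fails open. The following check, an added example and not code from CIS or from the CISA advisory, parses a constructed hosts file, flags any identity-provider hostname mapped to loopback, 0.0.0.0 or a link-local address, and combines that with the agent's fail-open setting. The provider suffix list and the sample hosts-file contents are assumptions for the example; the Duo FailOpen value named in a comment is the registry setting CISA's advisory recommends disabling.

```python
import ipaddress

# Constructed sample of a Windows hosts file as an attacker might leave it
# (not a capture from the incident): the MFA provider's API hostname has been
# pinned to loopback so the MFA agent can never reach it. The hostnames and
# addresses below are placeholders for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
10.0.0.12   fileserver.corp.example
127.0.0.1   api-12345678.duosecurity.com   # <- suspicious
0.0.0.0     login.microsoftonline.com
"""

# Domains of MFA / identity providers this check cares about. Assumed list for
# the example; extend it with whatever your own agents actually call.
WATCHED_DOMAINS = ("duosecurity.com", "okta.com", "microsoftonline.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip = parts[0]
        for name in parts[1:]:
            yield ip, name.lower()


def is_blackhole(ip):
    """True if the address can never reach a real MFA service: loopback,
    unspecified (0.0.0.0) or link-local. Garbage in the IP field counts too."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local


def matches_domain(name, domains):
    """Exact or subdomain match, so 'notduosecurity.com' does not count."""
    return any(name == d or name.endswith("." + d) for d in domains)


def find_mfa_hijacks(text, domains=WATCHED_DOMAINS):
    """Return hosts-file entries that pin an MFA/IdP hostname to a black-hole
    address. Any such entry means the MFA agent on this host cannot reach its
    server; whether that blocks logins or waves them through depends on the
    agent's fail-open setting."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if matches_domain(name, domains) and is_blackhole(ip)]


def mfa_effectively_disabled(text, fail_open):
    """The two conditions from the NGO case together. fail_open mirrors the
    agent's own setting (for Duo's Windows credential provider that is the
    FailOpen registry value; check the vendor docs for other agents)."""
    return bool(find_mfa_hijacks(text)) and fail_open


if __name__ == "__main__":
    for ip, name in find_mfa_hijacks(SAMPLE_HOSTS):
        print(f"MFA hostname {name} pinned to {ip}")
    print("MFA bypassed:", mfa_effectively_disabled(SAMPLE_HOSTS, fail_open=True))
```

On a real host, read `C:\Windows\System32\drivers\etc\hosts` into `find_mfa_hijacks` and feed the agent's actual fail-open setting into `mfa_effectively_disabled`; a hit on either function is worth an alert on its own, since a redirected MFA hostname has no legitimate reason to exist.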
Interruption of a Satellite Broadband Service
Around the same time as CISA's alert, American communications company Viasat announced that a cyber-attack against its high-throughput telecommunications satellite network had disrupted its KA-SAT consumer satellite broadband service. While the company said that the incident hadn't affected most of its users, it clarified that the cyber-attack had affected several thousand customers in Ukraine and other fixed broadband customers in Europe.
In the process of investigating the cyber-attack, Viasat learned that threat actors had gained remote access to the trusted management segment of the KA-SAT network by exploiting a misconfiguration in a VPN appliance. They then moved laterally into another privileged network segment and executed legitimate management commands against a large number of residential modems at once. Those commands overwrote key data in the modems' flash memory, leaving them unable to connect to the network.
How Organizations Can Defend Against Russian Attackers
Organizations need a way to harden their systems, eliminate security misconfigurations, and thereby defend themselves against Russian attackers. This is where CIS SecureSuite Membership comes in. Members receive access to the CIS Benchmarks for eliminating misconfigurations by hardening specific technologies in their environments. They can also access tools that help to coordinate and optimize their hardening efforts. These tools provide help with the following:
- Evaluating conformance to the recommendations in the CIS Benchmarks, thus saving valuable time and resources in the process. Learn more about CIS-CAT Pro.
- Automating the process of meeting the recommendations of a CIS Benchmark by importing GPOs into their group policy management console and pushing them out to their machines. Learn more about CIS Build Kits.
- Downloading the CIS Benchmarks and tailoring their guidance based on evolving security needs.
- Accessing CIS Benchmark Communities, signing up for webinars and other trainings, as well as accessing other resources such as the CIS Critical Security Controls (CIS Controls). Learn more about CIS WorkBench.
- Tracking, prioritizing, and measuring their implementation of the CIS Controls, which include CIS Control 4: Secure Configuration of Enterprise Assets and Software. Learn more about CIS Controls Self Assessment Tool (CSAT) Pro.
In addition to the tools discussed above, organizations can use the guidance released by CIS along with the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (the MS-ISAC and the EI-ISAC) to further protect themselves against potential Russian cyber-attacks. The guidance is written for U.S. State, Local, Tribal, and Territorial (SLTT) government organizations, but much of it applies to other entities as well. Its recommendations include turning on MFA for every system that offers it, enabling logging on every device that supports it, and developing or updating an incident response (IR) plan.
Shutting Down Misconfigurations
Russian attackers and other malicious actors will continue to seize upon misconfigurations whenever they find them. This is why organizations need to limit the incidence of misconfigurations in their environments as much as possible. Using a CIS SecureSuite Membership, organizations can automate the process of assessing their current configurations and implementing more secure configurations. These efforts create the foundation for a robust cyber defense program going forward.