How to Prevent Cyber Actors from Bypassing Two-Factor Authentication Implementation
On March 15, 2022, a US government flash bulletin was published describing how state-sponsored cyber actors were able to exploit certain authentication workflows in combination with the PrintNightmare vulnerability (CVE-2021-34527) to gain administrative access to Windows domain controllers. Once administrative access was established, the attacker was able to change two-factor authentication (2FA) configurations and eventually bypass 2FA to gain access to cloud storage services.
This scenario did not leverage or reveal a vulnerability in Duo software or infrastructure but made use of a combination of configurations in 2FA (in this case Duo 2FA) and Windows native authentication workflows. This scenario can be mitigated through a policy configuration in Duo’s Admin Panel (details in the Recommendations section below). Duo recommends reviewing your configuration to make sure it meets your current business and security needs.
How Could a Potential Compromise Take Place?
According to the US government agency’s bulletin, cyber actors were able to obtain access to primary credentials for users that did not have an enrolled 2FA device. The actors were then able to enroll their own 2FA device. Once enrolled, they used the newly enrolled authentication device to compromise a Windows system with Duo Authentication for Windows Logon installed. Once logged into Windows, threat actors exploited an unpatched PrintNightmare vulnerability (CVE-2021-34527) to gain administrative privileges and redirect 2FA calls away from Duo’s cloud service, effectively bypassing 2FA in order to gain access to the victim’s files in the cloud service.
What Is the Impact of the Compromise?
The impact of the reported incident was the threat actor gaining access to the victim’s cloud storage and email environment.
Allowing 2FA self-enrollment for new and returning users is an industry standard. All major 2FA providers allow enrollment of unenrolled users by default without any additional measures. The reason for this is to ensure security while also reducing friction for IT support and end users.
We recommend customers check their account status immediately. Duo Administrators can log in to the Duo Admin Panel and run the Duo Authentication Log report which will show them all authentications, including new device enrollments, for the previous 180 days.
In addition, we encourage customers to develop strategies and systems to maintain ready access to Authentication Logs beyond 180 days. Customers can use a SIEM connector or our Admin API to continuously ingest Authentication Logs into third-party systems. A more manual but less technical mechanism is to set a recurring calendar reminder to export 180 days' worth of logs to CSV/JSON via the Admin Panel.
What Do You Need to Do to Prevent Being Compromised?
The threat actor scenario took advantage of configurations that are industry-standard and have proven benefits for our customers and users. In that regard, there are several approaches to take when facing a situation like this. Below are several recommendations as well as links to the detailed steps on how to implement those recommendations in accordance with what works best for you and your users.
General Best Practices
Require complex or strong primary user passwords
Configure password lockout policies to thwart brute-force password attacks
Ensure all your systems have up-to-date security patches
Utilize file integrity monitoring and set alerts on any modification of files on the Domain Controller
Specific Duo Recommendations
Limit self-enrollment to the applications that require it; for the others, change the New User Policy from the “Require enrollment” default setting to “Deny Access”. Follow this guide for changing the New User Policy setting.
Consider setting Duo applications with configurable fail modes to “fail closed” or “fail secure” in the event that they cannot contact Duo’s service. Example: How can I configure the fail mode for Windows Logon console and RDP logins?