How to Prevent Cyber Actors from Bypassing Two-Factor Authentication Implementation

This article has been indexed from The Duo Blog.

On March 15, 2022, a US government flash bulletin was published describing how state-sponsored cyber actors were able to exploit certain authentication workflows in combination with the PrintNightmare vulnerability (CVE-2021-34527) to gain administrative access to Windows domain controllers. Once administrative access was established, the attacker was able to change two-factor authentication (2FA) configurations and eventually bypass 2FA to gain access to cloud storage services.

This scenario did not leverage or reveal a vulnerability in Duo software or infrastructure but made use of a combination of configurations in 2FA (in this case Duo 2FA) and Windows native authentication workflows. This scenario can be mitigated through a policy configuration in Duo’s Admin Panel (details in the Recommendations section below). Duo recommends reviewing your configuration to make sure it meets your current business and security needs.   

How Could a Potential Compromise Take Place? 

According to the US government agency’s bulletin, cyber actors were able to obtain the primary credentials of users who did not have an enrolled 2FA device. The actors were then able to enroll their own 2FA device. Once enrolled, they used the newly enrolled authentication device to log in to a Windows system with Duo Authentication for Windows Logon installed. Once logged into Windows, the threat actors exploited an unpatched PrintNightmare vulnerability (CVE-2021-34527) to gain administrative privileges and redirect 2FA calls away from Duo’s cloud service, effectively bypassing 2FA in order to gain access to the victim’s files in the cloud service.

What Is the Impact of the Compromise? 

The impact of the reported incident was the threat actor gaining access to the victim’s cloud storage and email environment.  

Allowing 2FA self-enrollment for new and returning users is an industry standard. All major 2FA providers allow enrollment of unenrolled users by default without any additional measures. The reason for this is to ensure security while also reducing friction for IT support and end users.
[…]