U.S. government bulletin describes how cyber actors bypassed two-factor authentication implementation

On March 15, 2022, a US government flash bulletin was published describing how state-sponsored cyber actors were able to exploit certain authentication workflows in combination with the PrintNightmare vulnerability (CVE-2021-34527) to gain administrative access to Windows domain controllers. Once administrative access was established, the attackers were able to change two-factor authentication (2FA) configurations and eventually bypass 2FA to gain access to cloud storage services.

This scenario did not leverage or reveal a vulnerability in Duo software or infrastructure; it made use of a combination of 2FA configuration settings (in this case Duo 2FA) and native Windows authentication workflows. This scenario can be mitigated through a policy configuration in Duo’s Admin Panel (details are in the blog post linked here). Duo recommends reviewing your configuration to make sure it meets your current business and security needs.

This information was provided to Duo customers on March 15 via email.
