US and UK cybersecurity agencies published a joint alert about a series of large-scale brute-force attacks conducted by the Russia-linked APT28 group.
The joint alert was published by the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC).
The attacks took place between mid-2019 and early 2021; the Russia-linked threat actor used a Kubernetes cluster to conduct anonymized brute force attacks against hundreds of government organizations and businesses worldwide, including think tanks, defense contractors, and energy firms.
The attackers remained under the radar by routing brute force attacks through the TOR network and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN. Authentication attempts that did not use TOR or a VPN service were also occasionally delivered directly to targets from nodes in the Kubernetes cluster.
The government experts attribute the attacks to Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165.
“‘Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments’ details how the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) has targeted hundreds of U.S. and foreign organizations using brute force access to penetrate government and private sector victim networks.” reads the advisory published by the NSA.
The advisory provided details about the tactics, techniques, and procedures (TTPs) associated with GTsSS.
The APT group mainly targeted organizations using Microsoft Office 365 cloud services, along with targets using other service providers and on-premises email servers. Experts speculate the activity is still ongoing.
The attackers carried out brute force attacks to discover valid credentials; in some cases, they also used credentials leaked in past breaches or guessed variations of the most common passwords. Experts pointed out that the GTsSS uniquely leveraged software containers to easily scale its brute force attempts.
Upon discovering valid credentials, the GTsSS exploited publicly known vulnerabilities (the Microsoft Exchange flaws CVE-2020-0688 and CVE-2020-17144) to gain further access into target networks. The nation-state actors were able to evade defenses and to collect and exfiltrate information from the compromised networks.
“The actors used a combination of known TTPs in addition to their password spray operations to exploit target networks, access additional credentials, move laterally, and collect, stage, and exfiltrate data, as illustrated in the figure below.” reads the joint report. “The actors used a variety of protocols, including HTTP(S), IMAP(S), POP3, and NTLM. The actors also utilized different combinations of defense evasion TTPs in an attempt to disguise some components of their operations; however, many detection opportunities remain viable to identify the malicious activity.”
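The advisory's point that "many detection opportunities remain viable" rests on one property of password spraying: it is broad across accounts and shallow per account, so per-account lockout counters rarely trip, while the number of distinct accounts a single source tries in a short window is very unusual for legitimate traffic. The following detector, added here as an example and not code from the advisory or the reporting agencies, applies that check over a constructed batch of authentication events covering the IMAP, HTTPS and POP3 protocols named above. The pipe-delimited log format, the IP addresses and accounts, and the window and threshold values are all assumptions made for this example; it generalizes the idea to any sliding time window rather than a fixed bucket.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not taken from the advisory).
# Field layout, assumed for this example: timestamp|source IP|account|protocol|result
SAMPLE_LOG = """\
2021-01-10T08:00:01Z|198.51.100.7|alice@example.org|IMAP|FAIL
2021-01-10T08:00:04Z|198.51.100.7|bob@example.org|IMAP|FAIL
2021-01-10T08:00:09Z|198.51.100.7|carol@example.org|IMAP|FAIL
2021-01-10T08:00:13Z|198.51.100.7|dave@example.org|IMAP|FAIL
2021-01-10T08:00:20Z|198.51.100.7|erin@example.org|IMAP|FAIL
2021-01-10T08:00:31Z|198.51.100.7|frank@example.org|IMAP|SUCCESS
2021-01-10T08:05:00Z|203.0.113.9|alice@example.org|HTTPS|FAIL
2021-01-10T08:05:30Z|203.0.113.9|alice@example.org|HTTPS|SUCCESS
2021-01-10T09:00:00Z|192.0.2.44|bob@example.org|POP3|FAIL
"""


def parse_events(text):
    """Parse the pipe-delimited sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, account, proto, result = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "account": account,
            "proto": proto,
            "result": result,
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that attempt at least `min_accounts` distinct accounts
    within any sliding `window`. Spraying is broad across accounts and shallow
    per account, so per-account lockout counters usually never trip; counting
    distinct accounts per source is the complementary signal. Thresholds are
    assumptions for this example and should be tuned to the environment."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        qualifies = False
        for end in range(len(evs)):
            # Slide the window start forward until the window fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["account"] for e in evs[start:end + 1]}) >= min_accounts:
                qualifies = True
                break
        if not qualifies:
            continue
        # Report what the source touched overall, and in particular which
        # accounts it authenticated to: a success after a spray is the point
        # where a guessed credential becomes an intrusion.
        findings[ip] = {
            "distinct_accounts": len({e["account"] for e in evs}),
            "protocols": sorted({e["proto"] for e in evs}),
            "successful_accounts": sorted(
                e["account"] for e in evs if e["result"] == "SUCCESS"
            ),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the sample data only 198.51.100.7 is flagged: it tries six accounts in thirty seconds and succeeds against one of them, which is exactly the event a responder wants surfaced first. The source that fails once and then succeeds against a single account is not a spray by this rule; correlating it requires other signals such as the source's reputation or the account's usual locations, which this check deliberately leaves out.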
The report also includes indicators of compromise (IoCs) for the brute-force attacks conducted by the APT28 cyberespionage group. The document also provides YARA rules and mitigations.
(SecurityAffairs – hacking, Russia)