The cybersecurity agencies of the United States and the United Kingdom issued a report entitled “Russian GRU Launches Global Violent Operations to Destroy Enterprises and Cloud Environment” on July 1, local time, warning relevant organizations to pay attention to ongoing global networks involving brute force attacks. action. A large number of governments and militaries, political consultants and political parties, defense contractors, energy companies, logistics companies, think tanks, universities, law firms and other institutions in the United States and Europe have been targeted by attackers.
The use of brute force cracking techniques to break through network defenses is not new in itself. However, GTsSS uniquely uses software containers and distributed clustering technology to easily expand its brute force cracking capabilities. Combining exploits and obtained login credentials, it shows a powerful attack capability.
The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the UK National Cyber Security Center (NCSC) attribute the action to the Russian government, especially with the Russian General Staff A cyber espionage organization related to the Ministry of Military Intelligence (GRU).
This threat organization is tracked as APT28, Fancy Bear, Pawn Storm, sedit, Strontium and Tsar Team, and it has targeted many organizations around the world.
This report stated that Russian hackers used brute force attacks. Hundreds of organizations around the world have discovered brute force access attempts, especially in the United States and Europe. Target organizations include the government and military, political consultants and political parties, defense contractors, energy companies, logistics companies, think tanks, universities, law firms, and media companies.
The report states, “Malicious cyber actors use brute-force cracking techniques to discover valid credentials, usually through a large number of login attempts, sometimes through previously leaked usernames and passwords, or through guessing variants of the most common passwords. Although brute-force cracking The technology is not new, but GTsSS (the 85th Special Service Center of the Military Intelligence Agency (GRU) of the Russian General Staff) uniquely uses software containers to easily expand its brute force cracking capabilities.”
In addition to using password spraying operations, participants also used a combination of known TTPs to exploit the target network, access additional credentials, move laterally, collect, process, and steal data. Threat actors use various protocols, including HTTP(S), IMAP(S), POP3, and NTLM. Threat actors also use different combinations of defenses to circumvent TTPs in an attempt to obscure some of their components; however, there are still many detection opportunities to identify malicious activities.
This wave of attacks seems to have begun in mid-2019. It used Kubernetes clusters to conduct what has been described as “widespread, distributed and anonymous brute force intrusion attempts.” Although some of these attacks are provided directly from the nodes in this cluster, in most cases, the attacks are carried out through the Tor network and various commercial VPN services.
Combine brute force attacks with the use of known vulnerabilities, such as Microsoft Exchange vulnerabilities, which have been exploited in many attacks in the past few months.
These organizations said that most of the brute force attacks were aimed at organizations that use Microsoft 365 cloud services, but hackers also targeted other service providers and internal email servers.
“As the cyber department of the military intelligence agency, APT28 regularly collects intelligence on these targets. This is part of its mandate.” John Hultquist) said in an email. “The main business of this organization is the routine collection of intelligence for policy makers, diplomats, the military, and the defense industry. Such incidents do not necessarily indicate hacking and leaking activities. Despite our best efforts, we do not It’s too possible to stop Moscow’s espionage.”
Hultqvist added: “This is a good reminder that GRU is still an imminent threat, which is especially important considering the upcoming Olympics, they are likely to try to sabotage the Olympics.”
The recommendations issued by the security agency include known TTPs information, detection and mitigation recommendations, IP addresses, user agents, and Yara rules related to the attack.
The report also gave general mitigation suggestions at the end, stating that, like other mitigation measures for certificate theft technologies, organizations can take the following measures to ensure strong access control:
1. Multi-factor authentication using strong factors requires regular re-authentication. Strong authentication factors are not guessable, so they will not be guessed when using brute force attempts.
2. Enable the timeout and lock function when password verification is required. The timeout feature will increase with other failed login attempts. The lockout feature should temporarily disable the account after multiple consecutive failed attempts. This can force slower brute force attempts and make them infeasible.
3. When users change their passwords, some services can perform quality checks based on commonly used password dictionaries, and reject many bad password choices before setting them. This makes it more difficult to use brute force to crack passwords.
4. For protocols that support manual interaction, use verification codes to prevent automatic access attempts.
5. Change all default credentials, disable protocols that use weak authentication (for example, clear text passwords, or outdated and weak authentication or encryption protocols) or do not support multi-factor authentication. Always carefully configure access control to cloud resources to ensure that only well-maintained and well-authenticated accounts can access.
6. When making an access decision, use appropriate network isolation to restrict access, and use additional attributes (such as device information, environment, and access path). The ideal or desired state is a zero-trust security model.
7. Use automated tools to conduct security audits on access logs to identify abnormal access requests.
Nearly a year ago, Microsoft warned that APT28 had been stealing Office365 certificates from tens of thousands of accounts in US and UK institutions.