An advisory has been released by cybersecurity agencies warning about an ongoing global campaign using brute force techniques. The advisory comes from the NSA, CISA, FBI, and NCSC and links the campaign to the Russian government, particularly to Russia’s General Staff Main Intelligence Directorate (GRU).

What's new?

According to the security agencies, these ongoing brute force access attempts have been used against hundreds of organizations around the world, particularly in the U.S. and Europe.
  • While the brute force technique is nothing new, GRU 85th Main Special Service Center (GTsSS) used a Kubernetes cluster to perform widespread, anonymized, and distributed brute force attacks.
  • Targeted organizations include government, military, think tanks, political consultants and parties, law firms, defense contractors, energy, logistics, universities, and media companies.
  • The campaign is believed to have begun in mid-2019, and some of the attempts were served directly from nodes in this cluster. In most cases, the attacks used Tor and various commercial VPN services.
  • The brute force attacks have been combined with the exploitation of known vulnerabilities, such as Microsoft Exchange flaws (CVE-2020-0688 and CVE-2020-17144).

Additional insights

According to the NSA, once the attackers gain access, they spread laterally throughout the network while deploying a reGeorg web shell for persistence. They further harvest other credentials and steal files from the targeted systems. 
  • For obfuscation of their attacks, the Kubernetes cluster carries out brute force attacks with Tor and VPN services, such as IPVanish, CactusVPN, ProtonVPN, Surfshark, WorldVPN, and NordVPN.
  • However, between November 2020 and March 2021 the attacker conducted attacks without using an anonymization service and targeted the U.S. and foreign entities.

Conclusion

The advisory has offered some recommendations, including using multi-factor authentication, enabling time-out and lock-out features for password authentication, and utilizing captchas. Additionally, users are recommended to change all default credentials and use appropriate network segmentation, restrictions, and automated tools for auditing access logs.

Cyware Publisher

Publisher

Cyware