The US and UK cybersecurity agencies are warning that the Russia-linked APT28 group is behind a series of large-scale brute-force attacks.
This warning alert was issued by the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC).
“From the mid-2019 through early 2021, Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, used a Kubernetes cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide,” reads the advisory published by the NSA.
The government experts attribute the attacks to Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165.
This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion.
In this case, the actors have used identified account credentials in combination with exploiting publicly known vulnerabilities, such as exploiting Microsoft Exchange servers using CVE-2020-0688 and CVE-2020-17144, for remote code execution and more access to target networks.
After gaining remote access, the actors combine many well-known tactics, techniques, and procedures (TTPs) to move laterally, evade defenses, and collect additional information within target networks. This campaign has already targeted hundreds of U.S. and foreign organizations worldwide, including U.S. government and Department of Defense entities.
The actors used a combination of known TTPs in addition to their password spray operations to exploit target networks, access additional credentials, move laterally, and collect, stage, and exfiltrate data. They used a variety of protocols, including HTTP(S), IMAP(S), POP3, and NTLM.
According to the joint report, the nature of the password spray capability means that specific indicators of compromise (IOC) can be easily altered to bypass IOC-based mitigation.
Organizations should also consider denying all inbound activity from known Tor nodes and other public VPN services to Exchange servers or portals where such access is not associated with typical use. Organizations should adopt and expand the use of multi-factor authentication to help counter the effectiveness of this capability.
Additionally, organizations should ensure that strong access controls are in place, including time-out and lock-out features, the mandatory use of strong passwords, implementation of a Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous access.
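As an added example (not code from the advisory or from this article), here is a small detector for the pattern the advisory describes, many accounts tried a few times each from one source, run over constructed authentication log lines in an assumed `key=value` format; the IPs, usernames and thresholds are illustrative.

```python
# Added example: flag password-spray sources in authentication logs.
# Assumed log format (not from the advisory):
#   "<ISO8601> src=<ip> user=<name> proto=<PROTO> result=<OK|FAIL>"
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 sprays five accounts once each, 198.51.100.7
# retries a single account (classic brute force, not a spray), plus one normal login.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z src=203.0.113.5 user=alice proto=IMAP result=FAIL
2021-03-01T10:00:04Z src=203.0.113.5 user=bob proto=IMAP result=FAIL
2021-03-01T10:00:07Z src=203.0.113.5 user=carol proto=IMAP result=FAIL
2021-03-01T10:00:10Z src=203.0.113.5 user=dave proto=IMAP result=FAIL
2021-03-01T10:00:13Z src=203.0.113.5 user=erin proto=IMAP result=FAIL
2021-03-01T10:00:20Z src=198.51.100.7 user=frank proto=HTTPS result=FAIL
2021-03-01T10:00:21Z src=198.51.100.7 user=frank proto=HTTPS result=FAIL
2021-03-01T10:00:22Z src=198.51.100.7 user=frank proto=HTTPS result=OK
2021-03-01T10:05:00Z src=192.0.2.9 user=grace proto=HTTPS result=OK
"""

def parse_line(line):
    """Split one log line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_spray(log_text, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Return {src_ip: sorted distinct users} for sources whose failed logins
    inside any `window` touch at least `min_users` accounts with no more than
    `max_per_user` failures each (many accounts, few tries each = spray)."""
    fails = defaultdict(list)  # src -> [(timestamp, user)] for FAIL results only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] == "FAIL":
            fails[rec["src"]].append((rec["ts"], rec["user"]))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = sorted(per_user)
                break
    return flagged
```

Because the advisory describes attempts that were distributed and anonymized across many sources, a per-source threshold alone can miss them; running the same count tenant-wide (dropping the `src` key) catches a spray spread over many exit nodes, at the cost of a noisier signal.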