Russians promote brute force attacks

Sheila Zabeu

July 27, 2021

US and UK security agencies have released a joint alert detailing cyber activities by Russia’s intelligence service against targets in various parts of the world. The agencies responsible for the release were the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), all from the United States, and the UK’s National Cyber Security Center (NCSC).

The alert details that the targets sought by the Russian action – known by various names such as Fancy Bear, APT28, Strontium, and others – include everything from government and military institutions, defense contractors, political consultants and political parties to energy companies, higher education entities, law firms, logistics, and media companies, and think tanks. The attacks began in mid-2019 and are likely still ongoing.

According to the statement, the 85th Special Services Centre (GTsSS) of the Russian Central Intelligence Department (GRU) uses brute force, with the help of a Kubernetes cluster, to penetrate victims’ networks, move laterally through them, and collect and exfiltrate data, while also limiting the ability of system administrators to contain the intrusion. Kubernetes is an open-source platform that manages containerized workloads and services, making configuration and automation easy. To obfuscate the source of the campaign and preserve a degree of anonymity, the Kubernetes cluster typically routes brute force attempts through TOR and commercial VPN services.

Brute-force techniques attempt to discover valid credentials, usually through large numbers of login attempts, sometimes using usernames and passwords from earlier leaks or guessing variations of common passwords. While brute forcing is not new, this group is unusual in using Kubernetes containers to scale up its attempts with little effort.

The alert also highlights that a significant part of this campaign targeted organizations using Microsoft Office 365, but the activity also reached other service providers and on-premises email servers over a number of different protocols. In addition, the actors exploited publicly known vulnerabilities, including in Microsoft Exchange servers (CVE-2020-0688 and CVE-2020-17144), to execute code remotely and access targeted networks. After gaining remote access, they combined tactics, techniques, and procedures to move laterally, evade defenses, and steal information.

SOURCE: NSA, CISA, FBI & NCSC

For this type of attack and other credential theft techniques, the agencies’ alert makes several recommendations for strengthening access control:

  • Use multi-factor authentication with strong factors and require re-authentication regularly. Strong authentication factors cannot be guessed, so they cannot be exploited during brute force attempts.
  • Enable time-out and lock-out features whenever password authentication is required. Time-outs should grow longer after a few failed attempts, and lock-outs should temporarily disable accounts after several consecutive failures. This makes brute-force techniques slower and can make them unworkable.
  • Some services can check new passwords against dictionaries when users change them, rejecting weak choices. This makes the guessing process much more difficult.
  • For protocols that allow human interaction, it is recommended to use captchas to prevent automated access attempts.
  • Change all default credentials and disable protocols that use weak authentication (e.g. plain text passwords) or do not work with multi-factor authentication.
  • Employ network segmentation and access restrictions, and use additional attributes when making access decisions, following the Zero Trust security model.
  • Use automated tools to audit access logs and identify strange access requests.
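As an added illustration of the last two recommendations (failed-attempt thresholds and automated log auditing), not code from the article or from the agencies’ alert, the script below scans constructed authentication log lines for the two patterns the alert describes: one source hammering a single account, and one source spraying a few guesses across many accounts. It also flags a success that follows a run of failures, which is the event a defender most wants to see. The log format and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2021-07-01T10:00:01 203.0.113.5 alice FAIL
2021-07-01T10:00:02 203.0.113.5 alice FAIL
2021-07-01T10:00:03 203.0.113.5 alice FAIL
2021-07-01T10:00:04 203.0.113.5 alice FAIL
2021-07-01T10:00:05 203.0.113.5 alice FAIL
2021-07-01T10:00:06 203.0.113.5 alice OK
2021-07-01T10:01:00 198.51.100.7 bob FAIL
2021-07-01T10:01:01 198.51.100.7 carol FAIL
2021-07-01T10:01:02 198.51.100.7 dave FAIL
2021-07-01T10:01:03 198.51.100.7 erin FAIL
2021-07-01T10:02:00 192.0.2.9 frank FAIL
2021-07-01T10:02:05 192.0.2.9 frank OK
"""

def parse(log):
    """Turn each log line into (timestamp, ip, user, success)."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "OK"))
    return events

def audit(log, fail_limit=5, spray_users=4):
    """Return findings as (kind, source_ip, user) tuples, in log order.
    fail_limit: consecutive failures on one (ip, user) pair before alerting
    spray_users: distinct accounts one ip must fail against before alerting
    (both thresholds are assumed values, tune them to the environment)."""
    fails = defaultdict(int)        # (ip, user) -> failed attempts
    users_by_ip = defaultdict(set)  # ip -> accounts it failed against
    findings = []
    for ts, ip, user, ok in parse(log):
        key = (ip, user)
        if ok:
            # A login that finally succeeds after hitting the threshold
            # is the strongest signal that a guessed credential worked.
            if fails[key] >= fail_limit:
                findings.append(("success_after_failures", ip, user))
            continue
        fails[key] += 1
        users_by_ip[ip].add(user)
        if fails[key] == fail_limit:
            findings.append(("brute_force", ip, user))
        if len(users_by_ip[ip]) == spray_users:
            findings.append(("password_spray", ip, None))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

The one success from 192.0.2.9 after a single failure is left alone, which is the behaviour a lock-out policy with a sensible threshold should also have.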