US and UK security agencies have released a joint alert detailing cyber activity by Russia’s military intelligence service against targets in various parts of the world. The agencies behind the release were the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), all from the United States, and the UK’s National Cyber Security Centre (NCSC).
The alert details that the targets of the Russian actor – tracked under names such as Fancy Bear, APT28, Strontium, and others – range from government and military institutions, defense contractors, political consultants and political parties to energy companies, higher education institutions, law firms, logistics and media companies, and think tanks. The attacks began in mid-2019 and are likely still ongoing.
According to the statement, the 85th Special Services Centre (GTsSS) of the Russian Central Intelligence Department (GRU) uses brute-force attacks, run from a Kubernetes cluster, to break into victims’ networks, move laterally through them, and collect and exfiltrate data, while also working to limit the ability of system administrators to contain the intrusion. Kubernetes is an open-source platform for managing containerized workloads and services that makes configuration and automation easy. To obscure the source of the campaign and retain a degree of anonymity, the Kubernetes cluster typically routes its brute-force attempts through TOR and commercial VPN services.
Brute-force techniques attempt to discover valid credentials, usually through large numbers of login attempts, but sometimes by trying usernames and passwords from earlier leaks or variations of common passwords. While brute force itself is not new, this group is notable for using Kubernetes containers to scale up its attempts with little effort.
The alert also notes that a significant part of the campaign targeted organizations using Microsoft Office 365, though it also reached other service providers and on-premises email servers over a number of different protocols. In addition, the actors exploited publicly known vulnerabilities, including in Microsoft Exchange servers (CVE-2020-0688 and CVE-2020-17144), to execute code remotely and gain access to targeted networks. After gaining remote access, they combined tactics, techniques, and procedures to move laterally, evade defenses, and steal information.
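As an added illustration (not from the alert or the agencies), the following Python detection logic runs over a constructed set of authentication events and flags the two patterns described above: repeated failures against a single account, and password spraying across many accounts. The spray check deliberately aggregates across source IPs, since a cluster routed through TOR and VPN exits rotates addresses; the log format, field mapping and thresholds are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, synthetic authentication events (not real data). Fields: ISO
# timestamp, account, source IP, outcome. Mapping a real source (Office 365
# sign-in logs, Exchange/IIS logs) onto this shape is assumed.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z alice 203.0.113.10 FAIL
2021-07-01T10:00:02Z bob 203.0.113.10 FAIL
2021-07-01T10:00:03Z carol 203.0.113.10 FAIL
2021-07-01T10:00:06Z frank 192.0.2.55 FAIL
2021-07-01T10:00:07Z grace 192.0.2.55 FAIL
2021-07-01T10:00:08Z heidi 192.0.2.55 SUCCESS
2021-07-01T10:05:00Z admin 203.0.113.99 FAIL
2021-07-01T10:05:01Z admin 203.0.113.99 FAIL
2021-07-01T10:05:02Z admin 203.0.113.99 FAIL
2021-07-01T10:05:03Z admin 203.0.113.99 FAIL
2021-07-01T10:05:04Z admin 203.0.113.99 FAIL
2021-07-01T11:30:00Z alice 203.0.113.10 SUCCESS
"""

def parse(log):
    """Return (timestamp, account, source_ip, outcome) tuples."""
    rows = (line.split() for line in log.splitlines())
    return [(datetime.fromisoformat(t.replace("Z", "+00:00")), u, ip, o) for t, u, ip, o in rows]

def window_start(ts, minutes):
    """Floor a timestamp to a fixed-size window so counts are deterministic."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)

def detect_spray(events, minutes=10, min_accounts=5):
    """Password spraying: failures against many DISTINCT accounts in one window.
    Counted across all source IPs on purpose: an attacker rotating exits through
    TOR and VPN providers stays under any per-IP threshold."""
    seen = defaultdict(set)
    for ts, user, ip, outcome in events:
        if outcome == "FAIL":
            seen[window_start(ts, minutes)].add((user, ip))
    return {w: s for w, s in seen.items() if len({u for u, _ in s}) >= min_accounts}

def detect_single_account(events, minutes=10, min_failures=5):
    """Classic brute force: repeated failures against one account in one window."""
    counts = defaultdict(int)
    for ts, user, _ip, outcome in events:
        if outcome == "FAIL":
            counts[(user, window_start(ts, minutes))] += 1
    return {k: n for k, n in counts.items() if n >= min_failures}

def suspicious_successes(events, spray_windows):
    """Successful logins from any source IP that took part in a flagged spray:
    these are the credentials an intruder would reuse for lateral movement."""
    spray_ips = {ip for s in spray_windows.values() for _, ip in s}
    return [(ts, u, ip) for ts, u, ip, o in events if o == "SUCCESS" and ip in spray_ips]
```

Feeding these functions with real sign-in logs means tuning the window and thresholds to the organisation's normal failure rate, otherwise shared-workstation typos will trigger the single-account check.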
For this type of attack and other credential-theft techniques, the agencies’ alert makes a number of recommendations aimed at stronger access control: