In a peculiar alert issued by the US’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), the security agencies stated that the Russian GRU military intelligence agency is targeting the US and other global organizations with extensive brute force attacks.

Vital NSA and CISA security advisory:

In an effort to further its mission to alert agencies about increasing cyber threats, the NSA and CISA have released a security advisory that includes strategies, techniques, and procedures commonly used by state-sponsored threat actors. Using these techniques, threat actors can attack numerous targets in the energy, government, political, defense, logistics, think tank, media, legal, and higher-education sectors.

The security advisory also provides a set of defenses for organizations to apply so as to mitigate the risks posed by cyber threats.

According to the NSA and CISA advisory, the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), also known as APT 28, Fancy Bear, STRONTIUM, and Sofacy, is deploying brute-force attacks in particular.

It is suspected that their motive is to obtain credentials from their targeted victims.

However, what is peculiar about these attacks is that the Russian threat actors are using Kubernetes software containers to perform the attacks at scale.

An analysis of how the Kubernetes software is used reveals that Kubernetes clusters assist in the brute-force attacks. Using them, the attackers are mainly targeting organizations on Microsoft 365 cloud services, while other service providers and enterprise email servers are also included.

“This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. These credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion,” states the advisory.

The GRU attackers are also using exploits for two previously known and patched Microsoft security flaws. One is an Exchange validation key vulnerability, tracked as CVE-2020-0688, while the other is an Exchange remote code execution vulnerability, tracked as CVE-2020-17144. These vulnerabilities are exploited to deploy additional malware and compromise the targeted networks.

Mitigating cyber risks by NSA and CISA:

The NSA and CISA advise defenders to implement multi-factor authentication extensively to block the exploitation of stolen credentials, and to double down on controls such as timeout and lockout features, strong passwords, and zero-trust policies to prevent the risks posed by malicious activity.

“Additionally, organizations can consider denying all inbound activity from known anonymization services, such as commercial virtual private networks (VPNs) and The Onion Router (TOR), where such access is not associated with typical use,” the NSA and CISA recommend in the advisory.
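
The lockout and anonymizer-denial mitigations above, as an added example (not code from the advisory or from this article): failures are counted per account, so attempts spread across many source addresses still trigger a lockout. The thresholds, the `LoginGate` and `replay` names, and the address ranges are assumptions; the ranges are documentation placeholders, not real VPN or Tor data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed placeholder range (RFC 5737 documentation space) standing in
# for a maintained feed of commercial VPN / Tor exit addresses.
ANONYMIZER_NETS = [ip_network("203.0.113.0/24")]
MAX_FAILURES = 5                    # assumed lockout threshold
WINDOW = timedelta(minutes=10)      # assumed counting window
LOCKOUT = timedelta(minutes=15)     # assumed lockout duration

class LoginGate:
    # Hypothetical gate: one verdict per attempt, failures tracked per account.
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked_until = {}               # account -> unlock time

    def check(self, account, src_ip, when, password_ok):
        # Denylisted sources are rejected before the password is evaluated.
        if any(ip_address(src_ip) in net for net in ANONYMIZER_NETS):
            return "deny:anonymizer"
        # A locked account rejects even a correct password until it unlocks.
        if self.locked_until.get(account, when) > when:
            return "deny:locked"
        if password_ok:
            self.failures.pop(account, None)
            return "allow"
        recent = self.failures[account]
        recent.append(when)
        while recent and when - recent[0] > WINDOW:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = when + LOCKOUT
            recent.clear()
            return "deny:lockout-started"
        return "deny:bad-password"

def replay(events):
    """Run (account, ip, seconds_offset, password_ok) events through a new gate."""
    gate, t0 = LoginGate(), datetime(2021, 7, 1, 12, 0, 0)  # arbitrary start time
    return [gate.check(a, ip, t0 + timedelta(seconds=s), ok)
            for a, ip, s, ok in events]

# Constructed sample: five failures for one account from five different
# addresses, a correct password during lockout, then an anonymizer source.
SAMPLE = [("alice", f"198.51.100.{i}", i * 20, False) for i in range(1, 6)]
SAMPLE += [("alice", "198.51.100.9", 130, True), ("bob", "203.0.113.7", 140, True)]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", verdict)
```
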