Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/1/2021
01:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

NSA & CISA Issue Warning About Russian GRU Brute-Force Cyberattacks Against US, Global Orgs

Fancy Bear nation-state hacking team add a modern twist on old-school hacking method by using a cluster of Kubernetes software containers to expedite credential theft.

The National Security Agency (NSA) and the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) today issued a rare alert together that warns of widespread brute-force attacks on US and global organizations by Russia's GRU military intelligence agency that initially began in mid-2019.

The advisory - which NSA bills as part of its "mission" to alert on nation-state threats - includes the tactics, techniques, and procedures (TTPs) the nation-state hacking team uses to infiltrate hundreds of targets in the energy, government, political, defense, logistics, think tanks, media, legal, and higher-education sector organizations, as well as defenses to mitigate the cyber-spying attacks.

The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), aka APT 28, Fancy Bear, STRONTIUM, and Sofacy, are engaging in old-school brute-force hacking to gain credentials from their targets but with a modern twist of employing Kubernetes software containers to perform the attacks at scale, according to the NSA. They use leaked credentials as well as password-guessing methods to steal the credentials in order to move throughout the target to steal information.

The Kubernetes cluster of containers assist their brute-force attacks, which mostly target organizations on Microsoft Office 365 cloud services but also included other service providers and enterprise email servers. 

"This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion," the advisory says.

The GRU attackers are also dropping exploits of two older and patched Microsoft Server vulnerabilities - the CVE 2020-0688 Exchange Validation Key flaw and the CVE 2020-17144 Exchange remote code execution flaw - to drop malware and dig deeper into the targeted networks.

Defenders should employ and "expand" their use of multifactor authentication to thwart abuse of stolen credentials and double down on access controls, such as timeout and lockout features, strong passwords, and zero-trust practices, that can help weed out any malicious activity.

"Additionally, organizations can consider denying all inbound activity from known anonymization services, such as commercial virtual private networks (VPNs) and The Onion Router (TOR), where such access is not associated with typical use," the NSA and CISA recommend in the advisory.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-23478
PUBLISHED: 2021-09-22
Leo Editor v6.2.1 was discovered to contain a regular expression denial of service (ReDoS) vulnerability in the component plugins/importers/dart.py.
CVE-2020-23481
PUBLISHED: 2021-09-22
CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field.
CVE-2020-23469
PUBLISHED: 2021-09-22
gmate v0.12+bionic contains a regular expression denial of service (ReDoS) vulnerability in the gedit3 plugin.
CVE-2021-21991
PUBLISHED: 2021-09-22
The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server...
CVE-2021-21992
PUBLISHED: 2021-09-22
The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. A malicious actor with non-administrative user access to the vCenter Server vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash) may exploit this issue to create a denial-of-service ...