Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/1/2021
01:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

NSA & CISA Issue Warning About Russian GRU Brute-Force Cyberattacks Against US, Global Orgs

Fancy Bear nation-state hacking team add a modern twist on old-school hacking method by using a cluster of Kubernetes software containers to expedite credential theft.

The National Security Agency (NSA) and the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) today issued a rare alert together that warns of widespread brute-force attacks on US and global organizations by Russia's GRU military intelligence agency that initially began in mid-2019.

The advisory - which NSA bills as part of its "mission" to alert on nation-state threats - includes the tactics, techniques, and procedures (TTPs) the nation-state hacking team uses to infiltrate hundreds of targets in the energy, government, political, defense, logistics, think tanks, media, legal, and higher-education sector organizations, as well as defenses to mitigate the cyber-spying attacks.

The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), aka APT 28, Fancy Bear, STRONTIUM, and Sofacy, are engaging in old-school brute-force hacking to gain credentials from their targets but with a modern twist of employing Kubernetes software containers to perform the attacks at scale, according to the NSA. They use leaked credentials as well as password-guessing methods to steal the credentials in order to move throughout the target to steal information.

The Kubernetes cluster of containers assist their brute-force attacks, which mostly target organizations on Microsoft Office 365 cloud services but also included other service providers and enterprise email servers. 

"This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion," the advisory says.

The GRU attackers are also dropping exploits of two older and patched Microsoft Server vulnerabilities - the CVE 2020-0688 Exchange Validation Key flaw and the CVE 2020-17144 Exchange remote code execution flaw - to drop malware and dig deeper into the targeted networks.

Defenders should employ and "expand" their use of multifactor authentication to thwart abuse of stolen credentials and double down on access controls, such as timeout and lockout features, strong passwords, and zero-trust practices, that can help weed out any malicious activity.

"Additionally, organizations can consider denying all inbound activity from known anonymization services, such as commercial virtual private networks (VPNs) and The Onion Router (TOR), where such access is not associated with typical use," the NSA and CISA recommend in the advisory.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-40309
PUBLISHED: 2021-09-24
A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0. allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with ...
CVE-2021-40310
PUBLISHED: 2021-09-24
OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter.
CVE-2021-28130
PUBLISHED: 2021-09-24
Dr.Web Firewall 12.5.2.4160 on Windows incorrectly restricts applications signed by Dr.Web. A DLL for a custom payload within a legitimate binary (e.g., frwl_svc.exe) bypasses firewall filters.
CVE-2021-40099
PUBLISHED: 2021-09-24
An issue was discovered in Concrete CMS through 8.5.5. Fetching the update json scheme over HTTP leads to remote code execution.
CVE-2021-40100
PUBLISHED: 2021-09-24
An issue was discovered in Concrete CMS through 8.5.5. Stored XSS can occur in Conversations when the Active Conversation Editor is set to Rich Text.