Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

End of Bibblio RCM includes -->
7/1/2021
01:10 PM
Connect Directly
Twitter
RSS
E-Mail

NSA & CISA Issue Warning About Russian GRU Brute-Force Cyberattacks Against US, Global Orgs

Fancy Bear nation-state hacking team add a modern twist on old-school hacking method by using a cluster of Kubernetes software containers to expedite credential theft.

The National Security Agency (NSA) and the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) today issued a rare alert together that warns of widespread brute-force attacks on US and global organizations by Russia's GRU military intelligence agency that initially began in mid-2019.

The advisory - which NSA bills as part of its "mission" to alert on nation-state threats - includes the tactics, techniques, and procedures (TTPs) the nation-state hacking team uses to infiltrate hundreds of targets in the energy, government, political, defense, logistics, think tanks, media, legal, and higher-education sector organizations, as well as defenses to mitigate the cyber-spying attacks.

The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), aka APT 28, Fancy Bear, STRONTIUM, and Sofacy, are engaging in old-school brute-force hacking to gain credentials from their targets but with a modern twist of employing Kubernetes software containers to perform the attacks at scale, according to the NSA. They use leaked credentials as well as password-guessing methods to steal the credentials in order to move throughout the target to steal information.

The Kubernetes cluster of containers assist their brute-force attacks, which mostly target organizations on Microsoft Office 365 cloud services but also included other service providers and enterprise email servers. 

"This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion," the advisory says.

The GRU attackers are also dropping exploits of two older and patched Microsoft Server vulnerabilities - the CVE 2020-0688 Exchange Validation Key flaw and the CVE 2020-17144 Exchange remote code execution flaw - to drop malware and dig deeper into the targeted networks.

Defenders should employ and "expand" their use of multifactor authentication to thwart abuse of stolen credentials and double down on access controls, such as timeout and lockout features, strong passwords, and zero-trust practices, that can help weed out any malicious activity.

"Additionally, organizations can consider denying all inbound activity from known anonymization services, such as commercial virtual private networks (VPNs) and The Onion Router (TOR), where such access is not associated with typical use," the NSA and CISA recommend in the advisory.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-46965
PUBLISHED: 2023-02-02
PrestaShop module, totadministrativemandate before v1.7.1 was discovered to contain a SQL injection vulnerability.
CVE-2023-0642
PUBLISHED: 2023-02-02
Cross-Site Request Forgery (CSRF) in GitHub repository squidex/squidex prior to 7.4.0.
CVE-2023-0643
PUBLISHED: 2023-02-02
Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0.
CVE-2020-24307
PUBLISHED: 2023-02-02
An issue in mRemoteNG v1.76.20 allows attackers to escalate privileges via a crafted executable file.
CVE-2022-43665
PUBLISHED: 2023-02-02
A denial of service vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.8.645. A specially-crafted PE file can lead to killing target process. An attacker can provide a malicious file to trigger this vulnerability.