Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/1/2021
01:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

NSA & CISA Issue Warning About Russian GRU Brute-Force Cyberattacks Against US, Global Orgs

Fancy Bear nation-state hacking team add a modern twist on old-school hacking method by using a cluster of Kubernetes software containers to expedite credential theft.

The National Security Agency (NSA) and the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) today issued a rare alert together that warns of widespread brute-force attacks on US and global organizations by Russia's GRU military intelligence agency that initially began in mid-2019.

The advisory - which NSA bills as part of its "mission" to alert on nation-state threats - includes the tactics, techniques, and procedures (TTPs) the nation-state hacking team uses to infiltrate hundreds of targets in the energy, government, political, defense, logistics, think tanks, media, legal, and higher-education sector organizations, as well as defenses to mitigate the cyber-spying attacks.

The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), aka APT 28, Fancy Bear, STRONTIUM, and Sofacy, are engaging in old-school brute-force hacking to gain credentials from their targets but with a modern twist of employing Kubernetes software containers to perform the attacks at scale, according to the NSA. They use leaked credentials as well as password-guessing methods to steal the credentials in order to move throughout the target to steal information.

The Kubernetes cluster of containers assist their brute-force attacks, which mostly target organizations on Microsoft Office 365 cloud services but also included other service providers and enterprise email servers. 

"This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion," the advisory says.

The GRU attackers are also dropping exploits of two older and patched Microsoft Server vulnerabilities - the CVE 2020-0688 Exchange Validation Key flaw and the CVE 2020-17144 Exchange remote code execution flaw - to drop malware and dig deeper into the targeted networks.

Defenders should employ and "expand" their use of multifactor authentication to thwart abuse of stolen credentials and double down on access controls, such as timeout and lockout features, strong passwords, and zero-trust practices, that can help weed out any malicious activity.

"Additionally, organizations can consider denying all inbound activity from known anonymization services, such as commercial virtual private networks (VPNs) and The Onion Router (TOR), where such access is not associated with typical use," the NSA and CISA recommend in the advisory.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34760
PUBLISHED: 2021-10-21
A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the ...
CVE-2021-34789
PUBLISHED: 2021-10-21
A vulnerability in the web-based management interface of Cisco Tetration could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack on an affected system. This vulnerability exists because the web-based management interface does not sufficiently validate user...
CVE-2021-39126
PUBLISHED: 2021-10-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions ar...
CVE-2021-39127
PUBLISHED: 2021-10-21
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
CVE-2021-40121
PUBLISHED: 2021-10-21
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this ad...