The National Security Agency (NSA), the FBI, the Department of Homeland Security, and the UK’s GCHQ issued a joint cybersecurity advisory over state-backed Russian hackers using brute force to infiltrate networks.
The alert warned that the Russian GRU’s 85th Main Special Service Center (GTsSS), unit 26165, used a Kubernetes cluster to brute force passwords in order to compromise government and private sector organizations.
The advisory attributed the hacking campaign to the advanced persistent threat actor APT28, commonly known as Fancy Bear or Strontium.
Russian hackers brute force passwords on cloud services and on-premises mail servers
The joint advisory noted that Russian hackers usually attempted to brute force passwords for organizations using Microsoft Office 365 cloud services and other cloud providers. They also targeted entities hosting on-premises mail servers using various protocols.
Additionally, the Russian hackers leveraged the Microsoft Exchange server remote code execution (RCE) vulnerabilities CVE-2020-0688 and CVE-2020-17144.
Once they gained access, the hackers performed privilege escalation, spread laterally, and installed reGeorg web shells to access compromised networks remotely.
They also collected valid login credentials, created additional accounts to maintain persistence, and exfiltrated files and emails.
The Russian hackers hid their activity by using the open-source TOR anonymization software and VPN services.
The agencies noted, however, that the Russian hackers attempted to brute force passwords without cloaking their IP addresses between November 2020 and 2021.
The Russian GRU’s brute force campaign targets include government agencies, defense contractors, logistics companies, think tanks, law firms, media companies, and higher learning institutions.
The advisory also warned that political parties were targeted in the Russian military intelligence unit hacking campaign.
The NSA advised federal entities such as the Department of Defense (DoD), National Security Systems (NSS), and the Defense Industrial Base (DIB) to check for indicators of compromise (IoCs) and apply the mitigations included in the security advisory.
NSA provided mitigations for Russian brute force attacks
The advisory directed organizations to enable multi-factor authentication to make hackers’ attempts to brute force passwords futile.
“Additional mitigations to ensure strong access controls include time-out and lock-out features, the mandatory use of strong passwords, implementation of a Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses,” the advisory stated.
They also recommended blocking inbound traffic from anonymization services such as TOR networks and VPNs when such traffic is not related to a specific user.
Similarly, using CAPTCHAs to prevent automated login attempts could also frustrate Russian hackers’ attempts to brute force passwords.
The advisory also recommended changing default passwords and configuring cloud resources so that only authenticated accounts can access systems, thus preventing brute force attacks on cloud infrastructure.
Employing network segmentation to limit access alongside various restrictions such as device information would help mitigate Russian hackers’ attempts to brute force passwords on target networks.
Similarly, it recommended auditing access logs to identify anomalous requests associated with hackers’ attempts to brute force passwords.
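As an added illustration of the log auditing the advisory recommends (example code written for this article, not from the advisory or any of the agencies), the following Python flags source IPs whose failed logins spread across many accounts, the password spraying pattern that per-account lockout alone does not catch, and lists which of those accounts later authenticated from the same source. The log format, the sample lines and the five-account threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data), modelled on what a
# mail server or cloud identity provider audit log records per attempt:
# timestamp, result, account name, source IP.
SAMPLE_LOG = """\
2021-03-02T10:00:01Z FAIL user=alice src=203.0.113.10
2021-03-02T10:00:02Z FAIL user=bob src=203.0.113.10
2021-03-02T10:00:03Z FAIL user=carol src=203.0.113.10
2021-03-02T10:00:04Z FAIL user=dave src=203.0.113.10
2021-03-02T10:00:05Z FAIL user=erin src=203.0.113.10
2021-03-02T10:00:06Z OK   user=erin src=203.0.113.10
2021-03-02T10:01:00Z FAIL user=alice src=198.51.100.7
2021-03-02T10:01:01Z OK   user=alice src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

def parse_log(text):
    """Return (timestamp, ok, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((ts, result == "OK", user, src))
    return events

def detect_spraying(events, min_accounts=5):
    """Return {src_ip: {"attempted": [...], "succeeded": [...]}} for each
    source IP whose failures touch at least min_accounts distinct accounts.
    Few failures per account but many accounts is the spraying signature."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for _ts, ok, user, src in events:
        (succeeded if ok else failed)[src].add(user)
    findings = {}
    for src, users in failed.items():
        if len(users) >= min_accounts:
            findings[src] = {
                "attempted": sorted(users),
                # Accounts that authenticated from the spraying source after
                # being tried: likely compromised credentials, reset and review.
                "succeeded": sorted(users & succeeded[src]),
            }
    return findings

if __name__ == "__main__":
    for src, finding in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

On the constructed log, 203.0.113.10 is flagged with erin as the account that succeeded after the spray, while 198.51.100.7 (one failed account) is not.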
“While there is a perception that intelligence agencies like the GRU are extremely advanced, many of the behaviors in this report have been used by adversaries for years, and defenders have a good chance at detecting them,” Katie Nickels, director of intelligence at Red Canary said.
She added that “end-users with layers of authentication beyond just a username and password to log in makes it much more difficult for adversaries to gain initial access.”
Commenting on the Russian GRU brute force password hacking campaign, Saryu Nayyar, CEO, Gurucul, said:
“A growing number of ransomware attacks against infrastructure and critical industries, especially those suspected of state sponsorship and involvement, are prompting calls for an international agreement limiting the use of such ‘cyber warfare’ tactics.”
She noted that although the agreement was difficult to reach, all parties should work towards that end.
“Ransomware and other types of cyber warfare can cause irreparable harm to critical infrastructures, and lead to an escalating level of counterattacks, even if the actual perpetrators are not clearly apparent.”
Garret Grajek, CEO, YouAttest, said it was impressive that Western officials were addressing this problem.
“But one has to think that the cat is out of the bag. The malicious actors have learned that there is a high return on low investment in international hacking. Most feel these organizations have profited so much from the ransomware attacks they have been able to buy political protection – at least up till now.”
Grajek, however, noted that cybersecurity was still an organization’s responsibility, given that governments are more focused on penalizing the victims instead of developing proper cybersecurity practices.
“Enterprises should start with the basics, especially around access and the question of ‘who has what’ – and be alerted on identity privilege changes and change attempts, which are often an unheard first alert to an attack.”
Saumitra Das, CTO and Cofounder, Blue Hexagon, noted that password spraying attacks indicated that hackers would usually exploit any security weakness at scale.
“The GRU used Kubernetes to orchestrate and scale their attacks to continuously attempt initial access into organizations. This implies high-level automation and semi-autonomous attack capabilities to target a wide list and then focus on where they are able to brute force in,” Das said.
“While early attacks in March exposed their IPs, subsequent attacks have been masked using VPN and even multi-hop VPN service to make it very hard to pinpoint where the initial attacks are coming from. This may be one of the reasons for the government takedown of DoubleVPN recently,” Das continued.
He added that the discovery of new security vulnerabilities like PrintNightmare increases the hackers’ options.
“Organizations need to focus on detection and response because clearly current technology, configurations and the endless stream of security supply chain vulnerabilities together make it hard to prevent initial access into networks,” Das concluded.