Since brute force capabilities allow access to protected data like account credentials, using multi-factor authentication is one way of mitigating such a cyber attack.
Intelligence and security agencies from the United States of America and the United Kingdom claimed that Russia conducted cyberattacks to compromise enterprise and cloud environments including that of Microsoft from mid-2019 through early 2021. Since then, Russia has denied the claims published in a report by the USA’s National Security Agency and others.
The report “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments” said that since at least mid-2019 through early 2021, the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, used a Kubernetes cluster to conduct brute force access attempts against hundreds of government and private sector targets all over the world. The attacks were perpetrated by using Microsoft Office 365 cloud services, but the report added that it also targeted other service providers.
The other investigating agencies involved in the fabrication of the report were the USA’s Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation, and the United Kingdom’s National Cyber Security Centre.
How do such cyber attacks happen?
- This brute force capability would allow the 85th GTsSS actors to access protected data, including email, and identify valid account credentials.
- These credentials may have then been used for access, persistence, privilege escalation, and defence evasion.
- The actors could have exploited publicly known vulnerabilities, such as exploiting Microsoft Exchange servers using CVE 2020-0688 and CVE 2020-17144, for remote code execution and further access to target networks.
- After gaining remote access, many well-known tactics, techniques, and procedures (TTP) could have been combined to move laterally, evade defences, and collect additional information within target networks.
Who were the targets of these attacks?
The report claimed that hundreds of U.S. and foreign organisations worldwide, including the US government and Department of Defense entities were targeted in the attack. Types of targeted organisations include:
- Government and military organisations
- Political consultants and party organisations
- Defence contractors
- Energy companies
- Logistics companies
- Think tanks
- Higher education institutions
- Law firms
- Media companies
How to mitigate this particular cyber attack?
According to the report —
- Use multi-factor authentication with strong factors that require regular re-authentication
- Enable time-out and lock-out features whenever password authentication is needed.
- Use services that deny the application of commonly used passwords
- Utilise captchas to hinder automated access attempts.
- Change all default credentials and disable protocols that use weak authentication
- Employ appropriate network segmentation and restrictions to limit access
- Use automated tools to audit access logs for security concerns and identify anomalous access requests.
Russia denies involvement in cyber attacks
The Russian Embassy in the United States has rejected the alleged involvement of the Russian authorities in the cyberattacks perpetrated against government and private facilities.
“We strictly deny the involvement of Russian government agencies in attacks on government and private facilities in the United States and abroad. We emphasize that fighting against cybercrime is an inherent priority for Russia and an integral part of its state policy to combat all forms of crime. A wide range of law enforcement instruments is used for its implementation,” the Russian embassy wrote on its Facebook page late Thursday.
“We hope that the American side will abandon the practice of unfounded accusations and focus on professional work with Russian experts to strengthen international information security, and in this context, on joint efforts to combat cybercrime. Besides, it’s high time to put things in order on the American soil, from where constant attacks on critical infrastructure in Russia emerge — Russian Embassy
Indian CERT issued a similar advisory on Kubernetes exploitation
On June 14, the Indian Computer Emergency Response Team (CERT-IN) said that a new category of malware is targeting misconfigured Kubernetes clusters through Windows containers to compromise cloud environments.
“The malware variant gains initial access by exploiting vulnerabilities in common cloud applications or a vulnerable web page or database and then utilises windows container escape techniques, executes code on the underlying node and then spreads in poorly configured Kubernetes clusters to open a backdoor in order to run/deploy malicious containers,” the Indian CERT said in an advisory.
Although the NSA report and the Indian CERT advisory contain some similarities, it is not clear whether they are the same exploits, and the latter does not make a mention of any country perpetrating the attacks.
Proactively monitor for anomalies, says expert
Smith Gonsalves, the Director of CyberSmithSECURE, a security firm providing VAPT & red teaming Security services said that enterprises should ensure that all their public-facing web application & API endpoints should be proactively monitored for anomalies along with routing all the client-side requests through a web application firewall.
“It is also important to watch for an indicator of compromise (IOC) and share the necessary (information) among the relevant security groups of companies to ensure blocking of the same. Also, it is advised that companies whose code execution vulnerabilities aren’t fixed seem to be an easy target. Therefore, vulnerability mitigation and penetration testing should be taken forward on a priority basis to mitigate the risk,” Gonsalves added.
Also read
