A military unit of Russia’s GRU spun up a Kubernetes cluster to power a lengthy campaign involving brute force authentication attempts against targets across the US and Europe — including the Department of Defense — CISA, the FBI, NSA, and UK’s NCSC said in a joint advisory on July 1.
While many of the attack techniques listed in the advisory are hardly cutting edge to most Blue Teams, the attackers “uniquely leveraged software containers to easily scale its brute force attempts” the agencies said, specifically attributing a widespread campaign — that ran from mid-2019 to early 2021 and which may still be ongoing — to the GRU’s 85th Main Special Service Center (GTsSS), military unit 26165.
The attackers — also known as APT28, Strontium, or Fancy Bear — typically routed brute force authentication attempts through TOR and commercial VPN services, the joint advisory added, with the NSA specifically urging system administrators across the defence sector to “immediately review the indicators of compromise (IOCs) included in the advisory and to apply the recommended mitigations.” IOCs are here.
The four agencies said the attackers “directed a significant amount of this activity at organizations using Microsoft Office 365 cloud services; however, they also targeted other service providers and on-premises email servers using a variety of different protocols. These efforts are almost certainly still ongoing.”
“Organizations should consider denying all inbound activity from known TOR nodes and other public VPN services to exchange servers or portals where such access is not associated with typical use,” the agencies suggested — whilst also admitting that, quelle surprise, the most effective mitigation against what amounts to large-scale password-guessing, is deploying multi-factor authentication (MFA).
The advisory warns system administrators that exploitation is almost certainly ongoing: “Targets have been global, but primarily focused on the United States and Europe.” Targets include government and military, defense contractors, energy companies, higher education, logistics companies, law firms, media companies, political consultants or political parties, and think tanks.” More details and IOCs here.
The introduction of MFA cannot be underestimated as a way to remove low-hanging fruit from the grasp of attackers. As the NCSC notes in its guidance on MFA implementation, this “may require your IT helpdesk to offer extra services to support users. If users lose their extra factor, they will need a way of reporting and replacing it. This could be offered directly by the service or via an enterprise portal. You will need to consider how your account reset and multi-factor token replacement processes verify that the user is who they say they are. You will need to ensure that an attacker cannot use these processes to bypass multi-factor authentication.”
The NCSC adds: “You will need to consider how administrators can gain access to the service if multi-factor authentication is unavailable. This could be caused by a service configuration or the loss of an authentication token. Accounts such as an emergency or ‘break glass’ account that use a single authentication factor should be the subject of increased protective monitoring so that its misuse can be easily detected.” Guidance here.