Privacy Ninja
NSA: Russian GRU Hackers Use Kubernetes to Run Brute Force Attacks

The National Security Agency (NSA) warns that Russian nation-state hackers are conducting brute force attacks to access US networks and steal email and files.

In a new advisory released today, the NSA states that the Russian GRU’s 85th Main Special Service Center (GTsSS), military unit 26165, has been using a Kubernetes cluster since 2019 to perform password spray attacks on US and foreign organizations, including the US government and Department of Defense agencies.

“GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and a variety of other identifiers,” says the NSA advisory.

“The 85th GTsSS directed a significant amount of this activity at organizations using Microsoft Office 365 cloud services; however, they also targeted other service providers and on-premises email servers using a variety of different protocols. These efforts are almost certainly still ongoing.”

Using brute force attacks to compromise networks

The brute force attacks target cloud services, such as Microsoft 365, to compromise accounts that are then used in conjunction with known vulnerabilities to gain initial access to corporate and government networks.

As part of their attacks, the threat actors are using various exploits, including the Microsoft Exchange CVE-2020-0688 and CVE-2020-17144 remote code execution vulnerabilities.

The NSA says that once they gain access, they will spread laterally through the network while deploying a reGeorg web shell for persistence, harvesting other credentials, and stealing files. 

As the threat actors gain further access to credentials, they will exfiltrate Office 365 email inboxes and other data to a remote computer.

[Figure: Attack flow for this type of brute force campaign. Source: NSA]

To obfuscate the origin of their attacks, the Kubernetes cluster performs brute force attacks through TOR and VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.

The NSA says that between November 2020 and March 2021, the hackers conducted brute force attacks without using an anonymization service, exposing the following IP addresses as being used by the Russian GTsSS’ Kubernetes cluster:


These attacks have targeted US and foreign entities, including the US government and Department of Defense, focusing on the US and Europe.

The types of entities seen targeted by the attacks are:

  • Government and military organizations
  • Political consultants and party organizations
  • Defense contractors
  • Energy companies
  • Logistics companies
  • Think tanks
  • Higher education institutions
  • Law firms
  • Media companies

When BleepingComputer asked the NSA if any US government agencies were breached using these attacks, they provided the following statement.

“The NSA does not publicly share details on victims of foreign malicious cyber activity.” – NSA.

A complete list of TTPs, including a Yara rule to detect the reGeorg variant web shell, can be found in the NSA’s cybersecurity advisory.

Defending against these attacks

To defend against these attacks, the NSA is recommending that organizations expand their use of multi-factor authentication (MFA) to restrict the use of stolen credentials and implement a Zero Trust security model.

“This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale,” said Rob Joyce, NSA’s Director of Cybersecurity, in a statement. “Net defenders should use multi-factor authentication and the additional mitigations in the advisory to counter this activity.”

The full list of recommendations from the NSA is given below:

  • Use multi-factor authentication with strong factors and require regular re-authentication. Strong authentication factors are not guessable, so they would not be guessed during brute force attempts.
  • Enable time-out and lock-out features whenever password authentication is needed. Time-out features should increase in duration with additional failed login attempts. Lock-out features should temporarily disable accounts after many consecutive failed attempts. This can force slower brute force attempts, making them infeasible.
  • Some services can check passwords against common password dictionaries when users change passwords, denying many poor password choices before they are set. This makes brute-force password guessing far more difficult.
  • For protocols that support human interaction, utilize captchas to hinder automated access attempts.
  • Change all default credentials and disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Always configure access controls on cloud resources carefully to ensure that only well-maintained and well-authenticated accounts have access.
  • Employ appropriate network segmentation and restrictions to limit access and utilize additional attributes (such as device information, environment, access path) when making access decisions, with the desired state being a Zero Trust security model.
  • Use automated tools to audit access logs for security concerns and identify anomalous access requests.
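As an added illustration of the lock-out and log-audit points above (example code written for this page, not from the article or the NSA advisory): a password spray keeps the failures per account below the lock-out threshold, so the signal an audit tool should look for is one source producing failed sign-ins for many distinct accounts in a short window. The log format, IP addresses and account names below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log for this example (not real data):
# timestamp, source IP, account, result. 203.0.113.10 sprays one password
# across six accounts; 198.51.100.7 is a user who mistyped twice.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z 203.0.113.10 alice@example.org FAIL
2021-07-01T10:00:03Z 203.0.113.10 bob@example.org FAIL
2021-07-01T10:00:05Z 203.0.113.10 carol@example.org FAIL
2021-07-01T10:00:07Z 203.0.113.10 dave@example.org FAIL
2021-07-01T10:00:09Z 203.0.113.10 erin@example.org FAIL
2021-07-01T10:00:11Z 203.0.113.10 frank@example.org SUCCESS
2021-07-01T10:05:00Z 198.51.100.7 alice@example.org FAIL
2021-07-01T10:05:30Z 198.51.100.7 alice@example.org FAIL
2021-07-01T10:06:00Z 198.51.100.7 alice@example.org SUCCESS
"""

def parse_log(text):
    """Yield (timestamp, ip, user, result) tuples from the space-separated log."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def find_spray_sources(text, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed logons touch >= min_users distinct accounts
    within any sliding window of `window`. A spray keeps per-account failures
    low (to dodge lock-out), so the distinct-account count is the signal."""
    failures = defaultdict(list)  # ip -> [(ts, user)]
    for ts, ip, user, result in parse_log(text):
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # shrink window
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def successes_from_spray_sources(text, flagged):
    """Accounts that later authenticated successfully from a flagged source:
    these are the likely compromises to review and reset first."""
    return sorted({u for _, ip, u, r in parse_log(text) if ip in flagged and r == "SUCCESS"})
```

The per-account failure count from the spraying source never exceeds one here, which is exactly why a simple per-account lock-out would not fire, and why the audit has to key on the source rather than the account.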

In addition to the above recommendations, the NSA advises organizations to block all inbound connections from anonymization services that are not typically used in an organization, such as commercial VPN providers and TOR.
