fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

NSA: Russian GRU Hackers Use Kubernetes to Run Brute Force Attacks

NSA: Russian GRU Hackers Use Kubernetes to Run Brute Force Attacks

The National Security Agency (NSA) warns that Russian nation-state hackers are conducting brute force attacks to access US networks and steal email and files.

In a new advisory released today, the NSA states that the Russian GRU’s 85th Main Special Service Center (GTsSS), military unit 26165, has been using a Kubernetes cluster since 2019 to perform password spray attacks on US and foreign organizations, including the US government and Department of Defense agencies.

“GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and a variety of other identifiers,” says the NSA advisory.

“The 85th GTsSS directed a significant amount of this activity at organizations using Microsoft Office 365 cloud services; however, they also targeted other service providers and on-premises email servers using a variety of different protocols. These efforts are almost certainly still ongoing.”

Using brute force attacks to compromise networks

The brute force attacks target cloud services, such as Microsoft 365, to compromise accounts that are then used in conjunction with known vulnerabilities to gain initial access to corporate and government networks.

As part of their attacks, the threat actors are using various exploits, including the Microsoft Exchange CVE-2020-0688 and CVE-2020-17144 remote code execution vulnerabilities.

The NSA says that once they gain access, they will spread laterally through the network while deploying a reGeorg web shell for persistence, harvesting other credentials, and stealing files. 

As the threat actors gain further access to credentials, they will exfiltrate Office 365 email inboxes and other data to a remote computer.

Also Read: Compliance Course Singapore: Spotlight on the 3 Offerings

Attack flow for this type of brute force campaign
Attack flow for this type of brute force campaign
Source: NSA

To obfuscate the origin of their attacks, the Kubernetes cluster performs brute force attacks through TOR and VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.

The NSA says that between November 2020 and March 2021, the hackers conducted brute force attacks without using an anonymization service, exposing the following IP addresses as being used by the Russian GTsSS’ Kubernetes cluster:

158.58.173[.]40185.141.63[.]47185.233.185[.]21188.214.30[.]76195.154.250[.]8993.115.28[.]16195.141.36[.]18077.83.247[.]81192.145.125[.]42193.29.187[.]60

These attacks have targeted US and foreign entities, including the US government and Department of Defense, focusing on the US and Europe.

Also Read: PDPA Singapore Guidelines: 16 Key Concepts For Your Business

The types of entities seen targeted by the attacks are:

  • Government and military organizations
  • Political consultants and party organizations
  • Defense contractors
  • Energy companies
  • Logistics companies
  • Think tanks
  • Higher education institutions
  • Law firms
  • Media companies

When BleepingComputer asked the NSA if any US government agencies were breached using these attacks, the provided the following statement.

“The NSA does not publicly share details on victims of foreign malicious cyber activity.” – NSA.

A complete list of TTPs, including a Yara rule to detect the reGeorg variant web shell, can be found in the NSA’s cybersecurity advisory

Defending against these attacks

To defend against these attacks, the NSA is recommending that organizations expand their use of multi-factor authentication (MFA) to restrict the use of stolen credentials and implement a Zero Trust security model.”This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale,” said Rob Joyce, NSA’s Director of Cybersecurity, in a statement. “Net defenders should use multi-factor authentication and the additional mitigations in the advisory to counter this activity.”

The full list of recommendations from the NSA are listed below:

  • Use multi-factor authentication with strong factors and require regular re-authentication[4]. Strong authentication factors are not guessable, so they would not be guessed during brute force attempts.
  • Enable time-out and lock-out features whenever password authentication is needed. Time-out features should increase in duration with additional failed login attempts. Lock-out features should temporarily disable accounts after many consecutive failed attempts. This can force slower brute force attempts, making them infeasible.
  • Some services can check passwords against common password dictionaries when users change passwords, denying many poor password choices before they are set. This makes brute-force password guessing far more difficult.
  • For protocols that support human interaction, utilize captchas to hinder automated access attempts.
  • Change all default credentials and disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Always configure access controls on cloud resources carefully to ensure that only well-maintained and well-authenticated accounts have access.
  • Employ appropriate network segmentation and restrictions to limit access and utilize additional attributes (such as device information, environment, access path) when making access decisions, with the desired state being a Zero Trust security model.
  • Use automated tools to audit access logs for security concerns and identify anomalous access requests.

In addition to the above recommendations, the NSA advises organizations to block all inbound connections from anonymization services that are not typically used in an organization, such as commercial VPN providers and TOR.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us