Thursday, April 18, 2024

Russian APT Hackers Launched A Mass Global Brute Force Attack to Hack Enterprise & Cloud Networks

Recently, in a joint warning, the cybersecurity agencies of the US and UK have released a set of large-scale brute-force attacks escorted by the Russia-linked APT28 hacking group.

There were many other groups that have been tracked in this attack like, Fancy Bear, Pawn Storm, Sednit, Strontium, and Tsar Team. Not only this, even all these groups have attacked many organizations all over the world. 

The report of NSA pronounced that the brute force attacks that have been detected have the ability that enables the 85th GTsSS threat actors to access guarded data, that involves email, and identify valid account credentials.

Once the credentials are stolen the threat actors use all this data for different kinds of purposes, that include initial access, resolution, privilege increase, and defense evasion.

Moreover, the hackers have exploited mainly publicly known vulnerabilities like CVE 2020-0688 and CVE 2020-17144 in Microsoft Exchange to remotely execute their payloads and gain access to the targeted networks.

Sectors Targeted

According to the report, this campaign has targeted a large number of U.S. and foreign associations all over the world. The organization that has been targetted in this attack also include U.S. government and Department of Defense entities.

Here is the list of sectors targeted:-

  • Government organizations
  • Military organizations
  • Political consultants
  • Party organizations
  • Defense contractors
  • Energy companies
  • Logistics companies
  • Think tanks
  • Higher education institutions
  • Law firms
  • Media companies

While to maintain anonymity the threat actors have used several tools and services like TOR and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.

IP addresses

As per the report of the analyst, between November 2020 and March 2021, there are some IP addresses that has been identified as comparing to nodes in the Kubernetes cluster and here they are mentioned below:-

  • 158.58.173[.]40
  • 185.141.63[.]47
  • 185.233.185[.]21
  • 188.214.30[.]76
  • 195.154.250[.]89
  • 93.115.28[.]161
  • 95.141.36[.]180
  • 77.83.247[.]81
  • 192.145.125[.]42
  • 193.29.187[.]60

User agents

However, there are some User-Agent strings that have been remitted in the authentication requests that are inadequate or trimmed versions of legitimate User-Agent strings, that has allowed some unique detection opportunities, and here they are mentioned below:-

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
  • Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7162; Pro
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7143; Pro)
  • Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4605; Pro)


  • Allow time-out and lock-out features whenever password authentication is required.
  • Always use automated tools to check access logs for security that concerns and recognize anomalous access offers.
  • Handle and mangar a multi-factor authentication with powerful circumstances and need constant re-authentication.
  • Use captchas to check protocols to prevent automated access attempts to promote human interaction.
  • Remember to change all default data and impair protocols that employ weak authentication or do not promote multi-factor authentication.

Apart from all this, the experts asserted that the brute force attack was directed at different companies utilizing the Microsoft 365 cloud services, not only this but the hackers also attacked other service providers, and on-premises email servers as well.


Latest articles

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...

Phishing-as-a-Service Platform LabHost Seized by Authorities

Authorities have dismantled LabHost, a notorious cybercrime platform that facilitated widespread phishing attacks across...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles