Mass Global Brute Force

Recently, in a joint warning, the cybersecurity agencies of the US and UK have released a set of large-scale brute-force attacks escorted by the Russia-linked APT28 hacking group.

There were many other groups that have been tracked in this attack like, Fancy Bear, Pawn Storm, Sednit, Strontium, and Tsar Team. Not only this, even all these groups have attacked many organizations all over the world. 

The report of NSA pronounced that the brute force attacks that have been detected have the ability that enables the 85th GTsSS threat actors to access guarded data, that involves email, and identify valid account credentials.

Once the credentials are stolen the threat actors use all this data for different kinds of purposes, that include initial access, resolution, privilege increase, and defense evasion.

Moreover, the hackers have exploited mainly publicly known vulnerabilities like CVE 2020-0688 and CVE 2020-17144 in Microsoft Exchange to remotely execute their payloads and gain access to the targeted networks.

Sectors Targeted

According to the report, this campaign has targeted a large number of U.S. and foreign associations all over the world. The organization that has been targetted in this attack also include U.S. government and Department of Defense entities.

Here is the list of sectors targeted:-

  • Government organizations
  • Military organizations
  • Political consultants
  • Party organizations
  • Defense contractors
  • Energy companies
  • Logistics companies
  • Think tanks
  • Higher education institutions
  • Law firms
  • Media companies

While to maintain anonymity the threat actors have used several tools and services like TOR and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.

IP addresses

As per the report of the analyst, between November 2020 and March 2021, there are some IP addresses that has been identified as comparing to nodes in the Kubernetes cluster and here they are mentioned below:-

  • 158.58.173[.]40
  • 185.141.63[.]47
  • 185.233.185[.]21
  • 188.214.30[.]76
  • 195.154.250[.]89
  • 93.115.28[.]161
  • 95.141.36[.]180
  • 77.83.247[.]81
  • 192.145.125[.]42
  • 193.29.187[.]60

User agents

However, there are some User-Agent strings that have been remitted in the authentication requests that are inadequate or trimmed versions of legitimate User-Agent strings, that has allowed some unique detection opportunities, and here they are mentioned below:-

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
  • Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7162; Pro
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7143; Pro)
  • Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4605; Pro)

Mitigations 

  • Allow time-out and lock-out features whenever password authentication is required.
  • Always use automated tools to check access logs for security that concerns and recognize anomalous access offers.
  • Handle and mangar a multi-factor authentication with powerful circumstances and need constant re-authentication.
  • Use captchas to check protocols to prevent automated access attempts to promote human interaction.
  • Remember to change all default data and impair protocols that employ weak authentication or do not promote multi-factor authentication.

Apart from all this, the experts asserted that the brute force attack was directed at different companies utilizing the Microsoft 365 cloud services, not only this but the hackers also attacked other service providers, and on-premises email servers as well.

Leave a Reply