Saturday, February 15, 2025
HomeCyber AttackRussian APT Hackers Launched A Mass Global Brute Force Attack to Hack...

Russian APT Hackers Launched A Mass Global Brute Force Attack to Hack Enterprise & Cloud Networks

Published on

SIEM as a Service

Follow Us on Google News

Recently, in a joint warning, the cybersecurity agencies of the US and UK have released a set of large-scale brute-force attacks escorted by the Russia-linked APT28 hacking group.

There were many other groups that have been tracked in this attack like, Fancy Bear, Pawn Storm, Sednit, Strontium, and Tsar Team. Not only this, even all these groups have attacked many organizations all over the world. 

The report of NSA pronounced that the brute force attacks that have been detected have the ability that enables the 85th GTsSS threat actors to access guarded data, that involves email, and identify valid account credentials.

Once the credentials are stolen the threat actors use all this data for different kinds of purposes, that include initial access, resolution, privilege increase, and defense evasion.

Moreover, the hackers have exploited mainly publicly known vulnerabilities like CVE 2020-0688 and CVE 2020-17144 in Microsoft Exchange to remotely execute their payloads and gain access to the targeted networks.

Sectors Targeted

According to the report, this campaign has targeted a large number of U.S. and foreign associations all over the world. The organization that has been targetted in this attack also include U.S. government and Department of Defense entities.

Here is the list of sectors targeted:-

  • Government organizations
  • Military organizations
  • Political consultants
  • Party organizations
  • Defense contractors
  • Energy companies
  • Logistics companies
  • Think tanks
  • Higher education institutions
  • Law firms
  • Media companies

While to maintain anonymity the threat actors have used several tools and services like TOR and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.

IP addresses

As per the report of the analyst, between November 2020 and March 2021, there are some IP addresses that has been identified as comparing to nodes in the Kubernetes cluster and here they are mentioned below:-

  • 158.58.173[.]40
  • 185.141.63[.]47
  • 185.233.185[.]21
  • 188.214.30[.]76
  • 195.154.250[.]89
  • 93.115.28[.]161
  • 95.141.36[.]180
  • 77.83.247[.]81
  • 192.145.125[.]42
  • 193.29.187[.]60

User agents

However, there are some User-Agent strings that have been remitted in the authentication requests that are inadequate or trimmed versions of legitimate User-Agent strings, that has allowed some unique detection opportunities, and here they are mentioned below:-

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
  • Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7162; Pro
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7143; Pro)
  • Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4605; Pro)

Mitigations 

  • Allow time-out and lock-out features whenever password authentication is required.
  • Always use automated tools to check access logs for security that concerns and recognize anomalous access offers.
  • Handle and mangar a multi-factor authentication with powerful circumstances and need constant re-authentication.
  • Use captchas to check protocols to prevent automated access attempts to promote human interaction.
  • Remember to change all default data and impair protocols that employ weak authentication or do not promote multi-factor authentication.

Apart from all this, the experts asserted that the brute force attack was directed at different companies utilizing the Microsoft 365 cloud services, not only this but the hackers also attacked other service providers, and on-premises email servers as well.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...