Russian APT Hackers Launched A Mass Global Brute Force Attack to Hack Enterprise & Cloud Networks

Recently, in a joint warning, the cybersecurity agencies of the US and UK have released a set of large-scale brute-force attacks escorted by the Russia-linked APT28 hacking group.

There were many other groups that have been tracked in this attack like, Fancy Bear, Pawn Storm, Sednit, Strontium, and Tsar Team. Not only this, even all these groups have attacked many organizations all over the world. 

The report of NSA pronounced that the brute force attacks that have been detected have the ability that enables the 85th GTsSS threat actors to access guarded data, that involves email, and identify valid account credentials.

Once the credentials are stolen the threat actors use all this data for different kinds of purposes, that include initial access, resolution, privilege increase, and defense evasion.

Moreover, the hackers have exploited mainly publicly known vulnerabilities like CVE 2020-0688 and CVE 2020-17144 in Microsoft Exchange to remotely execute their payloads and gain access to the targeted networks.

Sectors Targeted

According to the report, this campaign has targeted a large number of U.S. and foreign associations all over the world. The organization that has been targetted in this attack also include U.S. government and Department of Defense entities.

Here is the list of sectors targeted:-

  • Government organizations
  • Military organizations
  • Political consultants
  • Party organizations
  • Defense contractors
  • Energy companies
  • Logistics companies
  • Think tanks
  • Higher education institutions
  • Law firms
  • Media companies

While to maintain anonymity the threat actors have used several tools and services like TOR and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.

IP addresses

As per the report of the analyst, between November 2020 and March 2021, there are some IP addresses that has been identified as comparing to nodes in the Kubernetes cluster and here they are mentioned below:-

  • 158.58.173[.]40
  • 185.141.63[.]47
  • 185.233.185[.]21
  • 188.214.30[.]76
  • 195.154.250[.]89
  • 93.115.28[.]161
  • 95.141.36[.]180
  • 77.83.247[.]81
  • 192.145.125[.]42
  • 193.29.187[.]60

User agents

However, there are some User-Agent strings that have been remitted in the authentication requests that are inadequate or trimmed versions of legitimate User-Agent strings, that has allowed some unique detection opportunities, and here they are mentioned below:-

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
  • Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7162; Pro
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7143; Pro)
  • Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4605; Pro)

Mitigations

  • Allow time-out and lock-out features whenever password authentication is required.
  • Always use automated tools to check access logs for security that concerns and recognize anomalous access offers.
  • Handle and mangar a multi-factor authentication with powerful circumstances and need constant re-authentication.
  • Use captchas to check protocols to prevent automated access attempts to promote human interaction.
  • Remember to change all default data and impair protocols that employ weak authentication or do not promote multi-factor authentication.

Apart from all this, the experts asserted that the brute force attack was directed at different companies utilizing the Microsoft 365 cloud services, not only this but the hackers also attacked other service providers, and on-premises email servers as well.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

IT Worker from Computacenter Let Girlfriend Into Deutsche Bank’s Restricted Areas

A former information technology manager has filed a whistleblower lawsuit alleging a major security breach…

43 minutes ago

NSO Group Ordered to Pay $168 Million to WhatsApp in US Spyware Verdict

A federal jury in California has ordered Israeli spyware maker NSO Group to pay approximately…

2 hours ago

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…

16 hours ago

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…

16 hours ago

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…

16 hours ago

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…

16 hours ago