Russian APT Hackers Launched A Mass Global Brute Force Attack to Hack Enterprise & Cloud Networks

Recently, in a joint warning, the cybersecurity agencies of the US and UK have released a set of large-scale brute-force attacks escorted by the Russia-linked APT28 hacking group.

There were many other groups that have been tracked in this attack like, Fancy Bear, Pawn Storm, Sednit, Strontium, and Tsar Team. Not only this, even all these groups have attacked many organizations all over the world. 

The report of NSA pronounced that the brute force attacks that have been detected have the ability that enables the 85th GTsSS threat actors to access guarded data, that involves email, and identify valid account credentials.

Once the credentials are stolen the threat actors use all this data for different kinds of purposes, that include initial access, resolution, privilege increase, and defense evasion.

Moreover, the hackers have exploited mainly publicly known vulnerabilities like CVE 2020-0688 and CVE 2020-17144 in Microsoft Exchange to remotely execute their payloads and gain access to the targeted networks.

Sectors Targeted

According to the report, this campaign has targeted a large number of U.S. and foreign associations all over the world. The organization that has been targetted in this attack also include U.S. government and Department of Defense entities.

Here is the list of sectors targeted:-

  • Government organizations
  • Military organizations
  • Political consultants
  • Party organizations
  • Defense contractors
  • Energy companies
  • Logistics companies
  • Think tanks
  • Higher education institutions
  • Law firms
  • Media companies

While to maintain anonymity the threat actors have used several tools and services like TOR and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.

IP addresses

As per the report of the analyst, between November 2020 and March 2021, there are some IP addresses that has been identified as comparing to nodes in the Kubernetes cluster and here they are mentioned below:-

  • 158.58.173[.]40
  • 185.141.63[.]47
  • 185.233.185[.]21
  • 188.214.30[.]76
  • 195.154.250[.]89
  • 93.115.28[.]161
  • 95.141.36[.]180
  • 77.83.247[.]81
  • 192.145.125[.]42
  • 193.29.187[.]60

User agents

However, there are some User-Agent strings that have been remitted in the authentication requests that are inadequate or trimmed versions of legitimate User-Agent strings, that has allowed some unique detection opportunities, and here they are mentioned below:-

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
  • Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7162; Pro
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
  • Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7143; Pro)
  • Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4605; Pro)

Mitigations

  • Allow time-out and lock-out features whenever password authentication is required.
  • Always use automated tools to check access logs for security that concerns and recognize anomalous access offers.
  • Handle and mangar a multi-factor authentication with powerful circumstances and need constant re-authentication.
  • Use captchas to check protocols to prevent automated access attempts to promote human interaction.
  • Remember to change all default data and impair protocols that employ weak authentication or do not promote multi-factor authentication.

Apart from all this, the experts asserted that the brute force attack was directed at different companies utilizing the Microsoft 365 cloud services, not only this but the hackers also attacked other service providers, and on-premises email servers as well.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

23 hours ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

23 hours ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

23 hours ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

23 hours ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

1 day ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

1 day ago