The Russian GRU has been running a widespread campaign for nearly two years that uses a large Kubernetes cluster to hammer public and private networks with brute-force access attempts.
The group, known as APT28 and Fancy Bear, is often associated with cyberespionage attacks against government agencies and technology companies, and in a new joint advisory the NSA, FBI, CISA and the UK’s NCSC warn that it is targeting organizations running Microsoft Office 365 and other cloud services, as well as on-premises email servers. The campaign has been going on since about the middle of 2019, and the agencies said the attackers are also using exploits for a couple of known vulnerabilities in Microsoft Exchange.
“This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion,” the advisory says.
“The actors have used identified account credentials in conjunction with exploiting publicly known vulnerabilities, such as exploiting Microsoft Exchange servers using CVE 2020-0688 and CVE 2020-17144, for remote code execution and further access to target networks. After gaining remote access, many well-known tactics, techniques, and procedures (TTPs) are combined to move laterally, evade defenses, and collect additional information within target networks.”
Brute-force campaigns like this one are quite common, and there are often many separate groups running them at any given time. Cybercrime groups use brute-force tactics against their targets, taking credentials from public data-breach dumps and throwing them against a variety of systems. The somewhat unusual piece of the current GRU activity is the use of a Kubernetes cluster as the attack platform.
“In an attempt to obfuscate its true origin and to provide a degree of anonymity, the Kubernetes cluster normally routes brute force authentication attempts through TOR and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN. Authentication attempts that did not use TOR or a VPN service were also occasionally delivered directly to targets from nodes in the Kubernetes cluster,” the advisory says.
The current campaign has targeted a wide range of organizations in the United States, including both government agencies and private companies. The advisory says the GRU campaign has gone after hundreds of organizations in the U.S., Europe, and other countries, including defense contractors, think tanks, energy companies, media companies, and law firms. The composition of the Kubernetes cluster used in the campaign changes over time, and the attackers are using a number of different user agent strings and protocols.
“Network managers should adopt and expand usage of multi-factor authentication to help counter the effectiveness of this capability. Additional mitigations to ensure strong access controls include time-out and lock-out features, the mandatory use of strong passwords, implementation of a Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses,” the advisory says.
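As an added example, not taken from the article or the advisory, the following Python script shows the kind of "analytics to detect anomalous accesses" the advisory recommends, applied to the behaviour described above: a single source hitting many accounts (password spraying), repeated failures against one account, a source rotating user agent strings, and a successful login from a source that was already spraying. The log format, the thresholds, the IP addresses and the account names are all assumptions made for this example.

```python
"""Flag brute-force and password-spray patterns in an authentication log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not from the advisory):
# timestamp, source IP, account, result, user agent. The addresses come from
# the IETF documentation ranges and are placeholders.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z 203.0.113.10 alice@example.com FAIL Mozilla/5.0
2021-07-01T10:00:03Z 203.0.113.10 bob@example.com FAIL Mozilla/5.0
2021-07-01T10:00:05Z 203.0.113.10 carol@example.com FAIL python-requests/2.25
2021-07-01T10:00:07Z 203.0.113.10 dave@example.com FAIL curl/7.68.0
2021-07-01T10:00:09Z 203.0.113.10 erin@example.com FAIL Mozilla/5.0
2021-07-01T10:00:11Z 203.0.113.10 frank@example.com SUCCESS python-requests/2.25
2021-07-01T10:05:00Z 198.51.100.7 alice@example.com FAIL Mozilla/5.0
2021-07-01T10:05:10Z 198.51.100.7 alice@example.com FAIL Mozilla/5.0
2021-07-01T10:05:20Z 198.51.100.7 alice@example.com FAIL Mozilla/5.0
2021-07-01T10:05:30Z 198.51.100.7 alice@example.com FAIL Mozilla/5.0
2021-07-01T10:05:40Z 198.51.100.7 alice@example.com FAIL Mozilla/5.0
2021-07-01T10:05:50Z 198.51.100.7 alice@example.com FAIL Mozilla/5.0
2021-07-01T11:00:00Z 192.0.2.44 bob@example.com FAIL Mozilla/5.0
2021-07-01T11:00:30Z 192.0.2.44 bob@example.com SUCCESS Mozilla/5.0
"""


def parse_log(text):
    """Turn the assumed space-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result, ua = line.split(" ", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "account": account.lower(),
            "ok": result == "SUCCESS",
            "ua": ua,
        })
    return events


def _window_peaks(items, window):
    """items: (timestamp, value) pairs sorted by timestamp.

    Slide a window of the given length over them and return the largest
    number of events and the largest number of distinct values seen in any
    single window."""
    max_events = max_distinct = 0
    left = 0
    counts = defaultdict(int)
    for right, (ts, value) in enumerate(items):
        counts[value] += 1
        while items[left][0] < ts - window:  # drop events older than the window
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        max_events = max(max_events, right - left + 1)
        max_distinct = max(max_distinct, len(counts))
    return max_events, max_distinct


def detect(events, window=timedelta(minutes=10), spray_accounts=5,
           lockout_failures=5, ua_variety=3):
    """Return the sources and accounts that match each anomaly pattern.

    Thresholds are assumptions chosen for the sample; tune them to the
    baseline of the environment being monitored."""
    fails_by_ip = defaultdict(list)       # ip -> [(ts, account)]
    fails_by_account = defaultdict(list)  # account -> [(ts, ip)]
    agents_by_ip = defaultdict(set)       # ip -> {user agents}
    for e in events:
        agents_by_ip[e["ip"]].add(e["ua"])
        if not e["ok"]:
            fails_by_ip[e["ip"]].append((e["ts"], e["account"]))
            fails_by_account[e["account"]].append((e["ts"], e["ip"]))

    findings = {"spray": [], "bruteforce": [], "ua_rotation": [], "success_after_fail": []}
    for ip, items in fails_by_ip.items():  # many distinct accounts from one source
        _, distinct = _window_peaks(sorted(items), window)
        if distinct >= spray_accounts:
            findings["spray"].append(ip)
    for account, items in fails_by_account.items():  # many failures on one account
        n, _ = _window_peaks(sorted(items), window)
        if n >= lockout_failures:
            findings["bruteforce"].append(account)
    for ip, uas in agents_by_ip.items():  # one source presenting several user agents
        if len(uas) >= ua_variety:
            findings["ua_rotation"].append(ip)
    flagged = set(findings["spray"])
    for e in events:  # a success from a source that was already spraying
        if e["ok"] and e["ip"] in flagged:
            findings["success_after_fail"].append((e["ip"], e["account"]))
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {hits}")
```

The per-source view is what catches the pattern in the advisory: a spray sends only one or two attempts per account, so a per-account lockout threshold never trips, but the count of distinct accounts from one source inside a short window does. Because the cluster routes through TOR and commercial VPN exits, the same logic should also be run with the source keyed on the ASN or exit-node list rather than the raw IP, which the example leaves as a simple string key.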