Russian state-sponsored actors known as Fancy Bear are using Kubernetes to launch cyber-attacks
Cybersecurity agencies from the US and UK have released a joint statement condemning Russian government-backed hackers for allegedly conducting brute-force cyber-attacks against businesses and organizations worldwide.
An advisory (PDF), released by the UK National Cybersecurity Centre (NCSC), the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI), says Russia’s intelligence agency, the GRU, has been conducting “malicious cyber activity” since at least mid-2019.
The nation-state-sponsored group is officially tracked as the 85th Main Special Service Center (GTsSS) military unit 26165, but is also known as APT28, Fancy Bear, and Strontium, among other monikers.
APT28 used a Kubernetes cluster to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide, the advisory claims.
Many of the organizations targeted used Microsoft cloud computing services, though those using other email clients and service providers were also attacked.
Exploiting known vulnerabilities
The group, it is claimed, used brute-force attacks to gain access to protected data and login credentials, which could be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion.
It also exploited known vulnerabilities, according to the federal agencies, including bugs in Microsoft Exchange servers (CVE-2020-0688 and CVE-2020-17144) that can enable remote code execution.
“After gaining remote access, many well-known tactics, techniques, and procedures (TTPs) are combined to move laterally, evade defenses, and collect additional information within target networks,” the report reads.
Targeted organizations include government agencies, higher education institutions, think tanks and political organizations, defense contractors, and media organizations.
The joint advisory contains more information and detailed diagrams explaining some of the TTPs employed by APT28.
To mitigate potential attacks, the agencies advise employing security measures such as multi-factor authentication on all devices in order to reduce the risk of unauthorized access.
The advisory adds: “Additional mitigations to ensure strong access controls include time-out and lock-out features, the mandatory use of strong passwords, implementation of a Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses.
“Additionally, organizations can consider denying all inbound activity from known anonymization services, such as commercial virtual private networks (VPNs) and The Onion Router (TOR), where such access is not associated with typical use.”
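As an added illustration of the "analytics to detect anomalous accesses" mitigation (example code written for this page, not taken from the advisory or the article), the following Python analytic runs over constructed authentication-log lines and flags a distributed, low-per-source spray that a per-IP lockout threshold would never trip. The log format, field names and thresholds are assumptions.

```python
# Added example (not from the advisory or the article): a minimal analytic that
# flags distributed password spraying in constructed authentication-log lines.
# A per-source lockout misses a spray that rotates source IPs (for example via
# anonymizing infrastructure), so the detection aggregates failures across all
# sources and accounts inside a time window instead.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <result> user=<account> src=<ip>"
SAMPLE_LOG = """\
2021-07-01T10:00:01Z FAIL user=alice src=203.0.113.10
2021-07-01T10:00:03Z FAIL user=bob src=203.0.113.11
2021-07-01T10:00:05Z FAIL user=carol src=203.0.113.12
2021-07-01T10:00:07Z FAIL user=alice src=198.51.100.20
2021-07-01T10:00:09Z FAIL user=bob src=198.51.100.21
2021-07-01T10:00:11Z FAIL user=dave src=198.51.100.22
2021-07-01T10:00:13Z OK   user=erin src=192.0.2.5
2021-07-01T10:00:15Z FAIL user=carol src=203.0.113.13
2021-07-01T10:00:17Z FAIL user=dave src=203.0.113.14
2021-07-01T10:30:00Z FAIL user=erin src=192.0.2.5
"""

def parse(line):
    """Split one constructed log line into (timestamp, result, account, source)."""
    ts, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def per_source_failures(log):
    """What a per-IP lockout rule sees: failed logins grouped by source address."""
    counts = defaultdict(int)
    for line in log.splitlines():
        _, result, _, src = parse(line)
        if result == "FAIL":
            counts[src] += 1
    return dict(counts)

def detect_spray(log, window=timedelta(minutes=5), min_accounts=3, min_sources=3):
    """Alert when failures inside one window span many accounts AND many sources."""
    events = sorted(parse(l) for l in log.splitlines() if " FAIL " in l)
    alerts = []
    for i, (start, _, _, _) in enumerate(events):
        in_window = [e for e in events[i:] if e[0] - start <= window]
        users = {e[2] for e in in_window}
        sources = {e[3] for e in in_window}
        if len(users) >= min_accounts and len(sources) >= min_sources:
            alerts.append((start, sorted(users), sorted(sources)))
            break  # one alert per burst is enough for this demonstration
    return alerts
```

In the sample, no source address ever exceeds one failure, so a lockout keyed on source alone stays silent, while the windowed view shows four accounts attacked from eight addresses within twenty seconds.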
‘Vital importance of MFA’
Natalie Page, Threat Intelligence Analyst at Talion, said Russia is “very much utilizing its cyber powers” to “gain intelligence on sensitive sectors that fall in line with the country’s political goals”.
Page explained: “Obtaining these passwords generates countless opportunities, giving access to extremely sensitive data unless organizations are able to make prompt password updates to those accounts believed to have been included in this compromise.
“This campaign highlights the vital importance of adopting multi-factor authentication across your organization. The use of two publicly known vulnerabilities further emphasizes the importance of timely patching management.
“Unfortunately, espionage campaigns from Russia shall not be going away any time soon.
“This is a country whose government and intelligence services have no shame in their spying efforts and have been attributed to some of the most significant attacks we have seen across the landscape.”
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, added: “Once the account is compromised, there is no easy way to differentiate between the legitimate activities of a user and potentially legitimate, but malicious attempts to access data.
“This is precisely why security professionals have been recommending MFA solutions for years, and why restricting access rights using techniques like zero-trust networking are so powerful.”