Author: Nick Sundvall
TLP: WHITE
1. Executive Summary
On 1 July, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Cyber Security Centre (NCSC) published a joint advisory on a brute-force campaign that leverages a Kubernetes cluster to attack government and private organizations around the world [1]. The advisory attributes the campaign to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU); private cybersecurity companies have also referred to the actor as Fancy Bear, APT28, or Strontium. The advisory describes the campaign as “almost certainly still ongoing” and targeting mainly users of Microsoft Office 365 cloud services.
The campaign has been most active in the U.S. and Europe, and its main targets are government and military organizations, political parties, defense contractors, energy companies, law firms, and higher-education institutions.
2. Analysis
According to the advisory, the actor attempts to “access protected data, including email, and identify valid account credentials.” With the credentials in hand, the actor attempts to access the target’s system, maintain persistence, and escalate privileges. The actor then attempts to exploit known vulnerabilities, such as CVE-2020-0688 and CVE-2020-17144, to remotely execute code. Finally, the actor attempts to move laterally throughout the network, access more targets, establish persistent access to the new targets, and exfiltrate stolen data. The advisory details the full MITRE ATT&CK table for this campaign.
3. Prevention and Mitigation
The advisory recommends that network managers “adopt and expand usage of multi-factor authentication,” implement time-out and lock-out features for logins, and institute policies that mandate the use of strong passwords. The advisory also recommends that organizations block all incoming activity from known commercial virtual private network (VPN) services and The Onion Router (Tor). Finally, the advisory specifically recommends the following measures:
- “Use multi-factor authentication with strong factors and require regular reauthentication. Strong authentication factors are not guessable, so they would not be guessed during brute force attempts.
- Enable time-out and lock-out features whenever password authentication is needed. Time-out features should increase in duration with additional failed login attempts. Lock-out features should temporarily disable accounts after many consecutive failed attempts. This can force slower brute force attempts, making them infeasible.
- Some services can check passwords against common password dictionaries when users change passwords, denying many poor password choices before they are set. This makes brute-force password guessing far more difficult.
- For protocols that support human interaction, utilize captchas to hinder automated access attempts.
- Change all default credentials and disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Always configure access controls on cloud resources carefully to ensure that only well-maintained and well-authenticated accounts have access.
- Employ appropriate network segmentation and restrictions to limit access and utilize additional attributes (such as device information, environment, access path) when making access decisions, with the desired state being a Zero Trust security model.
- Use automated tools to audit access logs for security concerns and identify anomalous access requests.”
4. Indicators of Compromise
Indicator | Description
158[.]58[.]173[.]40 | Kubernetes cluster IP addresses
185[.]141[.]63[.]47 | Kubernetes cluster IP addresses
185[.]233[.]185[.]21 | Kubernetes cluster IP addresses
188[.]214[.]30[.]76 | Kubernetes cluster IP addresses
195[.]154[.]250[.]89 | Kubernetes cluster IP addresses
93[.]115[.]28[.]161 | Kubernetes cluster IP addresses
95[.]141[.]36[.]180 | Kubernetes cluster IP addresses
77[.]83[.]247[.]81 | Kubernetes cluster IP addresses
192[.]145[.]125[.]42 | Kubernetes cluster IP addresses
193[.]29[.]187[.]60 | Kubernetes cluster IP addresses
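The advisory's last recommendation, auditing access logs with automated tools, can be combined with the indicator table above. The following Python is an added example, not code from the advisory or its authors: it refangs the published addresses, then scans a constructed, simplified authentication log (the "src=... user=... result=..." format is hypothetical) and flags sources that match an indicator, spray a few attempts across many accounts, or hammer a single account.

```python
import re
from collections import defaultdict

# Indicator values copied from the table above (defanged, as published).
KUBERNETES_CLUSTER_IPS = {
    "158[.]58[.]173[.]40", "185[.]141[.]63[.]47", "185[.]233[.]185[.]21",
    "188[.]214[.]30[.]76", "195[.]154[.]250[.]89", "93[.]115[.]28[.]161",
    "95[.]141[.]36[.]180", "77[.]83[.]247[.]81", "192[.]145[.]125[.]42",
    "193[.]29[.]187[.]60",
}

def refang(indicator):
    """Turn a defanged '1[.]2[.]3[.]4' back into an address comparable with log data."""
    return indicator.replace("[.]", ".")

IOC_SET = {refang(i) for i in KUBERNETES_CLUSTER_IPS}

# Hypothetical, simplified log line: "<time> src=<ip> user=<name> result=<FAIL|OK>"
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>FAIL|OK)")

def analyze_auth_log(lines, spray_min_users=5, brute_min_attempts=20):
    """Per source address, report: known_indicator (matches the table),
    password_spray (failures spread over many accounts), brute_force
    (many failures against one account). Sources with no finding are omitted."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed logins
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("result") == "FAIL":
            failures[m.group("src")][m.group("user")] += 1
    findings = {}
    for src, per_user in failures.items():
        tags = []
        if src in IOC_SET:
            tags.append("known_indicator")
        if len(per_user) >= spray_min_users:
            tags.append("password_spray")
        if max(per_user.values()) >= brute_min_attempts:
            tags.append("brute_force")
        if tags:
            findings[src] = sorted(tags)
    return findings

# Constructed sample: one published address spraying six accounts, an unrelated
# TEST-NET address hammering one account, and a user who mistypes once then succeeds.
SAMPLE_LOG = (
    [f"2021-07-01T10:00:{i:02d}Z src=158.58.173.40 user=user{i} result=FAIL" for i in range(6)]
    + [f"2021-07-01T10:05:{i:02d}Z src=203.0.113.9 user=admin result=FAIL" for i in range(25)]
    + ["2021-07-01T10:07:00Z src=198.51.100.7 user=alice result=FAIL",
       "2021-07-01T10:07:05Z src=198.51.100.7 user=alice result=OK"]
)

if __name__ == "__main__":
    for src, tags in analyze_auth_log(SAMPLE_LOG).items():
        print(src, ", ".join(tags))
```

Thresholds are illustrative; tune spray_min_users and brute_min_attempts to the normal failure rate of the identity provider being audited.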