The US and UK authorities have issued a new warning of state-sponsored Russian threat activity, focused on stealing information from global targets.
The new NSA, CISA, NCSC and FBI alert attributes the campaign, which has been ongoing since mid-2019, to military intelligence outfit APT28 (aka Fancy Bear, Strontium).
The threat actors use a Kubernetes cluster to conduct “distributed and large-scale targeting using password spray and password guessing”. These brute force attempts to crack credentials are routed through TOR and commercial VPN services to ensure anonymity.
These credentials are then used to provide initial access into systems and, in some cases, are used in conjunction with vulnerability exploits targeting systems, including Microsoft Exchange Server.
This enables remote code execution, privilege escalation and further access to target networks, the report claimed.
Once inside targeted networks, the attackers move laterally and gain additional credential access in order to achieve their goal.
This could be one of two things. First, attackers could be using valid credentials and web shells for persistent access to and exfiltration of data from on-premises systems. Second, attackers could be using cloud accounts with delegated permissions for persistent access and data exfiltration from Microsoft 365 email inboxes.
Hundreds of mainly US and European organizations have been targeted in this way, including those in government and military, political, energy, defense, logistics, media, law, education and non-profit sectors.
“NSA encourages Department of Defense (DoD), National Security Systems (NSS), and Defense Industrial Base (DIB) system administrators to immediately review the indicators of compromise (IOCs) included in the advisory and to apply the recommended mitigations,” the NSA urged.
“The most effective mitigation is the use of multi-factor authentication, which is not guessable during brute force access attempts.”
Time-out and lock-out features for password authentication were also recommended as well as disabling protocols that use weak authentication and applying network segmentation where appropriate.