Russian cybercriminal organization APT28 has been accused of multiple significant brute force attacks by the UK and US cybersecurity agencies in a joint statement, according to Security Affairs.
Authorities discovered cybercriminal activities between the middle of 2019 and the beginning of 2021 that targeted many government organizations and enterprises around the world, including energy firms, think tanks, and defense contractors.
The hackers used a Kubernetes cluster to conduct anonymous brute force attacks, and they went much further to avoid detection by employing TOR and commercial VPN services such as NordVPN, Surfshack, CactusVPN, and IPVanish.
NSA’s advisory states “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments” details how the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) has targeted hundreds of U.S. and foreign organizations using brute force access to penetrate government and private sector victim networks”.
Russian cybercriminals employed a variety of hacking techniques in their activities
The APT group primarily targeted Microsoft Office 365 online services, as well as on-premise email servers hosted by third-party service providers, according to the FBI. Experts believe that the job is still in progress.
A range of protocols, including NTLM, POP3, HTTP(S), and IMAP(S) were employed by the bad actors. They attempted to conceal their damaging behavior by using a variety of combinations of TTPs. Nonetheless, a number of detection possibilities remain open to identify malicious activity.
In certain instances, they exploited credentials that had been exposed in previous breaches or guessed a variety of the most often used passwords in order to identify valid credentials. According to an expert, the GTSS is utilizing software containers in order for its brute force attempts to be readily scaled and expanded.
After discovering the necessary credentials, the GTsSS exploited a number of publicly known vulnerabilities (including the CVE-2020-0688 and CVE-2020-17144 Microsoft Exchange vulnerabilities) to gain further access to the target networks. Through the use of networks, cybercriminals have been able to dodge cyberdefenses, acquire, and relocate information without being detected.