The NSA and FBI have released documents on Russian military hackers' hacking methods.

By Shehryar Makhdoom

According to an official joint security advisory from the U.K. and U.S., Russian military intelligence has been running an ongoing brute-force campaign against corporate cloud infrastructure since early 2019.

The activity was traced to the Russian Intelligence Directorate (GRU).

FireEye Mandiant, CrowdStrike, Kaspersky, and Microsoft have all tracked this threat actor under different names, including Fancy Bear (CrowdStrike), Sofacy (Kaspersky), STRONTIUM (Microsoft), and Iron Twilight (Secureworks).

Given this prior tracking, it is a virtual certainty that APT28 is actively using techniques such as password spraying and brute-force login attempts to obtain valid credentials that could enable future surveillance or intrusion operations. Microsoft stated in November 2020 that the adversary conducted credential-harvesting operations against organizations researching COVID-19 vaccines and treatments.

This time, the actor has shown that it has no qualms about relying on container technology to scale up the number of brute-force attempts it can carry out.

CISA announced: "This campaign utilizes a Kubernetes cluster to perform brute-force login attempts against targets across the public and private sectors globally. Following brute-force credential acquisition, the GTsSS exploits numerous known vulnerabilities to successfully spread throughout the network via remote code execution and lateral movement."

Cross-site scripting and SQL injection vulnerabilities are among the other security flaws APT28 has used to gain access to sensitive email servers.

One of these vulnerabilities, CVE-2020-0688, allows remote code execution on Microsoft Exchange Server.

A more recently discovered cross-site scripting vulnerability in Microsoft Exchange is tracked as CVE-2020-17144.

The threat actors are also known to have used several evasion strategies, including routing traffic through Tor and commercial VPN services such as CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN, so that brute-force authentication requests blend in with legitimate traffic.

Intelligence agencies believe the main targets of the attacks have been in the U.S. and Europe, particularly military and government entities, along with military contractors, energy firms, higher education, logistics firms, legal firms, media companies, political consulting firms, political parties, and think tanks.

The alert stated: "Network managers should use multi-factor authentication to help counteract this capacity." The alert also lists additional safeguards, such as time-out and lock-out features, mandatory complex passwords, a Zero Trust security model that uses additional attributes to determine access privileges, and analytics that can spot unusual or anomalous access attempts.
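As an added, defender-side example (not code from the advisory or from this article), the following Python sketch shows the kind of anomalous-access analytics the alert recommends: it groups failed logins per source address and separates a password spray (one guess tried across many accounts, the technique attributed to APT28 above) from a single-account brute force, noting whether a later login from the same source succeeded. The log format, addresses and user names are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical "timestamp result user source_ip" format),
# not from the advisory: 203.0.113.10 sprays many accounts, 198.51.100.7 hammers one.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z FAIL alice 203.0.113.10
2021-07-01T10:00:02Z FAIL bob 203.0.113.10
2021-07-01T10:00:03Z FAIL carol 203.0.113.10
2021-07-01T10:00:04Z FAIL dave 203.0.113.10
2021-07-01T10:00:05Z FAIL erin 203.0.113.10
2021-07-01T10:00:06Z SUCCESS frank 203.0.113.10
2021-07-01T10:01:00Z FAIL alice 198.51.100.7
2021-07-01T10:01:01Z FAIL alice 198.51.100.7
2021-07-01T10:01:02Z FAIL alice 198.51.100.7
2021-07-01T10:01:03Z FAIL alice 198.51.100.7
2021-07-01T10:02:00Z FAIL gina 192.0.2.5
2021-07-01T10:02:30Z SUCCESS gina 192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) (\S+) (\S+)$")


def parse_log(text):
    """Return (timestamp, result, user, ip) tuples for well-formed lines."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, result, user, ip = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return events


def detect(events, window_s=300, spray_users=5, brute_attempts=4):
    """Per source IP: many accounts failing -> spray; one account failing often
    -> brute force. Flags whether any login from that IP succeeded afterwards."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        if not fails or (fails[-1][0] - fails[0][0]).total_seconds() > window_s:
            continue
        users = {e[2] for e in fails}
        success_after = any(e[1] == "SUCCESS" and e[0] > fails[0][0] for e in evs)
        if len(users) >= spray_users:
            alerts[ip] = ("password_spray", len(users), success_after)
        elif len(fails) >= brute_attempts and len(users) == 1:
            alerts[ip] = ("brute_force", len(fails), success_after)
    return alerts
```

Because the actor routes attempts through Tor and commercial VPN exits, a per-IP threshold alone misses a spray spread across many sources; a second pass keyed on the whole account population (distinct accounts failing within the window, regardless of source) closes that gap.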
