Cybersecurity Advisory on Brute Force Global Cyber Campaign by Russian Intelligence….
You really should read the press release and attached advisory because “sharing is caring”…
This seems incredibly important and significant: a joint press release from several government entities and our European allies:
Federal Bureau of Investigation (FBI),
National Security Agency (NSA),
Cybersecurity and Infrastructure Security Agency (CISA), and
the UK’s National Cyber Security Centre (NCSC)
cooperatively releasing a Cybersecurity Advisory that exposes malicious cyber activities by Russian military intelligence against U.S. and global organizations. These activities occurred from at least mid-2019 through early 2021. Perhaps you should take a moment and read the release and the report. So let’s dive in.
Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments
provides a ton of detail on how the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) has continued to target hundreds of U.S. and foreign organizations, using brute force access to penetrate government and private sector victim networks.
This advisory and guidance reveals the:
tactics,
techniques, and
procedures (TTPs)
that GTsSS actors used in their continual and very active campaign(s) to exploit targeted networks, access credentials and move laterally within the target network, and how these bad actors not only collect but also exfiltrate data.
Once you have a more detailed understanding of the how/what/when/where/who, specifically of the bad actors playing hide and seek deep inside your network, this knowledge often assists system administrators in formulating the mitigation actions they can take to counter this pernicious threat.
To better understand what a brute force attack is, I highly recommend you read this Cloudflare article; it’s an excellent primer:
https://www.cloudflare.com/learning/bots/brute-force-attack/
The Executive Summary is pretty self-explanatory, but for those who don’t understand the nuance of what’s detailed, it is like playing cat and mouse with a bad actor. They have completely mapped out your own network. They know where your blind spots are. They can see you taking remediation measures. They can see you closing in on them, but because they know your network better than you do, they know where to hide and how to hide their digital footprints. That’s the level of sophistication at play.
Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments
Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion. The actors have used identified account credentials in conjunction with exploiting publicly known vulnerabilities, such as exploiting Microsoft Exchange servers using CVE-2020-0688 and CVE-2020-17144, for remote code execution and further access to target networks.
After gaining remote access, many well-known tactics, techniques, and procedures (TTPs) are combined to move laterally, evade defenses, and collect additional information within target networks.
Known Targets…
…already targeted hundreds of U.S. and foreign organizations worldwide, including U.S. government and Department of Defense entities. While the sum of the targeting is global in nature, the capability has predominantly focused on entities in the U.S. and Europe.
Tactics, Techniques, and Procedures (TTPs)
…combination of known TTPs in addition to their password spray operations to exploit target networks, access additional credentials, move laterally, and collect, stage, and exfiltrate data…used a variety of protocols, including HTTP(S), IMAP(S), POP3, and NTLM…utilized different combinations of defense evasion TTPs in an attempt to disguise some components of their operations
What that Joint Report explains to readers is how these malicious cyber actors use brute force techniques and have weaponized them, allowing them to go on to discover additional valid credentials, often through extensive login attempts. Some of these credentials came from previously leaked usernames and passwords; others were obtained simply by guessing with variations of the most common passwords. While the brute force technique is not new…
…the GTsSS uniquely leveraged software containers to easily scale its brute force attempts…
When the malicious actors identify other valid credentials, GTsSS combines them with various publicly known vulnerabilities to gain further access into victim networks. Meaning once they are in, they are in, and it’s a daunting task to extricate the malicious actors. Coupling this brute force capability with various other techniques allowed the actors to further evade defenses and continue to collect and exfiltrate data; alarmingly, this includes whole mailboxes.
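The password spray pattern quoted in the TTPs above is what a defender most needs to be able to see in their own logs, so here is detection logic for it as an added example (this is not code from the advisory or from the agencies that issued it). The log format, the sample lines, the source addresses and the thresholds are all constructed for this post; a real deployment would map its own mail-server, VPN or identity-provider logs onto the same fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system and not
# from the advisory). One line per login attempt: timestamp, outcome,
# protocol, source IP (RFC 5737 documentation ranges) and the account tried.
SAMPLE_LOG = """\
2021-03-02T10:15:01Z auth=failure proto=IMAPS src=198.51.100.7 user=alice
2021-03-02T10:15:03Z auth=failure proto=IMAPS src=198.51.100.7 user=bob
2021-03-02T10:15:05Z auth=failure proto=IMAPS src=198.51.100.7 user=carol
2021-03-02T10:15:07Z auth=failure proto=IMAPS src=198.51.100.7 user=dave
2021-03-02T10:15:09Z auth=failure proto=IMAPS src=198.51.100.7 user=erin
2021-03-02T10:15:11Z auth=success proto=IMAPS src=198.51.100.7 user=frank
2021-03-02T10:20:00Z auth=failure proto=HTTPS src=203.0.113.9 user=alice
2021-03-02T10:20:04Z auth=failure proto=HTTPS src=203.0.113.9 user=alice
2021-03-02T10:20:09Z auth=success proto=HTTPS src=203.0.113.9 user=alice
2021-03-02T11:05:00Z auth=failure proto=POP3 src=192.0.2.44 user=grace
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<outcome>success|failure) proto=(?P<proto>\S+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_log(text):
    """Parse the constructed format into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_tries_per_account=2):
    """Return one finding per source IP that fails against many distinct
    accounts with only a few tries each inside the window.

    Per-account lockout thresholds do not catch this pattern: each account
    sees one or two failures, which looks like a user mistyping a password.
    The signal only appears when failures are grouped by source.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        for start in failures:
            end = start["ts"] + window
            in_window = [e for e in evs if start["ts"] <= e["ts"] <= end]
            tries = defaultdict(int)
            for e in in_window:
                if e["outcome"] == "failure":
                    tries[e["user"]] += 1
            if len(tries) >= min_accounts and max(tries.values()) <= max_tries_per_account:
                # A success from the same source inside the window is a
                # candidate compromised account that needs a credential reset.
                compromised = sorted({e["user"] for e in in_window
                                      if e["outcome"] == "success"})
                findings.append({
                    "src": src,
                    "window_start": start["ts"].isoformat(),
                    "accounts_targeted": len(tries),
                    "protocols": sorted({e["proto"] for e in in_window}),
                    "accounts_compromised": compromised,
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data only 198.51.100.7 is flagged: five accounts, one failure each, followed by a success against a sixth account, which is the "spray, then log in with the credential that worked" sequence the advisory describes. The two failures against alice from 203.0.113.9 are not flagged, because a single account with a couple of failed attempts is what a legitimate typo looks like; a per-account threshold would have to be set very low to catch the spray and would then generate noise. Grouping by source is the key design choice, and the protocol field is worth keeping in the finding because the advisory lists IMAP(S), POP3 and NTLM among the protocols used.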
Again, I highly recommend you read the recently released Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments, as it’s a fascinating read and it can help IT system administrators harden their cyber defenses.
For additional information, the Joint Report cites the following resources:
Norwegian Police Security Service (PST), “Datainnbruddet mot Stortinget er ferdig etterforsket” (“The data breach against the Storting has been fully investigated”), December 8, 2020. https://www.pst.no/alle-artikler/pressemeldinger/datainnbruddet-motstortinget-er-ferdig-etterforsket/
(roughly translated to English)
The investigation shows that the actor has used a procedure called password "bruteforcing" to obtain valid usernames and passwords. This technique has been used against a high number of user accounts at the Storting's e-mail systems, and has resulted in the actor being able to obtain a user password, which it could in turn use to log in to a smaller number of accounts. It has been revealed that sensitive content has been extracted from some of the affected e-mail accounts.
I also recommend that you read this December 2020 thread, as it provides additional “color and contours” to the Norwegian Police Security Service December 8, 2020 press release.
Microsoft Threat Intelligence Center (MSTIC), “STRONTIUM: Detecting new patterns in credential harvesting.” September 10, 2020 https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/
National Security Agency, “Detect and Prevent Web Shell Malware.” April 22, 2020 - https://www.nsa.gov/DesktopModules/ArticleCS/Print.aspx?PortalId=70&ModuleId=10970&Article=2159419
However, I noticed that this June 2020 Joint Report was not on the list, and I genuinely think it is also important to read: NSA & ASD, Detect and Prevent Web Shell Malware - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
National Security Agency, “Selecting Secure Multi-factor Authentication Solutions.” October 16, 2020 - See DOD Sept 2020 Advisory
August 13, 2020 - NSA Cybersecurity Advisory: Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware
NSA Releases Guidance on Mitigating Cloud Vulnerabilities - See DOD Jan 2020 Advisory
NSA Issues Guidance on Zero Trust Security Model - February 2021
I just don't know how you have the stamina to compile so much data
Oh yeah, the more I know the sicker I become...