U.S. and U.K. authorities are warning that the APT28 advanced-threat actor (APT) – a.k.a. Fancy Bear or Strontium, among other names – has been using a Kubernetes cluster in a widespread campaign of brute-force password-spraying attacks against hundreds of government and private sector targets worldwide.
The joint alert (PDF) – posted on Thursday by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the U.K.’s National Cyber Security Centre (NCSC) – attributes the campaign to the APT group, which has long been suspected of having ties to the General Staff Main Intelligence Directorate (GRU) arm of Russia’s military intelligence.
The attacks have been launched since at least mid-2019 through early 2021 and are “almost certainly still ongoing,” according to the advisory.
The threat actor has targeted “a significant amount” of its activity at organizations using Microsoft Office 365 cloud services, authorities warned.
The attackers are after the passwords of people who work at sensitive jobs in hundreds of organizations worldwide, including government and military agencies in the U.S. and Europe, defense contractors, think tanks, law firms, media outlets, universities and more.
Once the threat actors get valid credentials, they’re using them for initial access, persistence, privilege escalation and defense evasion, among other things. The actors are using the passwords in conjunction with exploits of publicly known vulnerabilities, such as (CVE-2020-0688) – a vulnerability in the control panel of Microsoft’s Exchange Server – and CVE 2020-17144, also found in Exchange Server. Both these and other vulnerabilities can be used for remote code execution (RCE) and further access to target networks.
After APT28 gains remote access, it uses a slew of well-known tactics, techniques and procedures (TTPs) – including HTTP(S), IMAP(S), POP3, and NTLM (a suite of Microsoft security protocols used for authentication – in addition to Kubernetes-powered password-spraying in order to gain lateral movement, to evade defenses and to sniff out more information from the target networks.
Given how vastly different the target networks’ structures are, the actors are using an equally diverse mix of TTPs. The alert included 21 samples of known TTPs. One example is the TTPs used to exploit public-facing apps: APT28 has been tracked using the two previously mentioned bugs to gain privileged RCE on vulnerable Microsoft Exchange servers, which in some case happened after valid credentials were identified via password spray, given that exploitation of the vulnerabilities requires authentication as a valid user.
How Kubernetes Fits In
Authorities said that to obfuscate its true origin and to provide “a degree of anonymity,” the Kubernetes cluster used in these attacks normally routes brute-force authentication attempts through Tor and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark and WorldVPN. If they’re not using Tor or a VPN, the actors are sometimes using nodes in the Kubernetes cluster.
Given the “scalable nature of the password spray-capability,” specific indicators of compromise (IOC) can be easily altered to bypass IOC-based mitigation, the advisory explained. Thus, while the advisory lists specific indicators, authorities also advised organizations to consider denying all inbound traffic from known Tor nodes and public VPN services to Exchange servers or portals that don’t normally see that kind of access.
Beyond authorities’ suggestion to consider shutting off the spigot on Tor and VPN services where that makes sense, the advisory also listed a number of standard and not-so-standard mitigations, summed up in an executive summary:
“Network managers should adopt and expand usage of multi-factor authentication to help counter the effectiveness of this capability. Additional mitigations to ensure strong access controls include time-out and lock-out features, the mandatory use of strong passwords, implementation of a Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses.”
But one expert – Tom (TJ) Jermoluk, CEO and co-founder of Beyond Identity, raised a hairy eyeball at the notion that stronger passwords can do anything to protect against password spraying, particularly when it comes on top of a concerted effort to gather valid credentials.
“Russian GRU agents and other state actors like those involved in SolarWinds – and a range of financially motivated attackers (e.g., ransomware) – all use the same ‘password spraying’ brute force techniques,” he told Threatpost in an email on Friday. “Why? Because they are so effective. Unfortunately, a misunderstanding of this technique is leading to shockingly flawed advice like that given in the NSA advisory which, in part, recommends ‘mandating the use of stronger passwords.’”
He added, “The credential-gathering that preceded the password spraying campaign most certainly collected short and strong passwords. And the Russian Kubernetes cluster used in the attack was capable of spraying ‘strong passwords.’”
The Continuing Threat
On Friday, Russia’s embassy in Washington issued a statement on Facebook in which it “categorically” rejected the allegations, noting that “We emphasize that fighting against cybercrime is an inherent priority for Russia and an integral part of its state policy to combat all forms of crime.”
Just a few of the recent campaigns attributed to Russia’s military unit:
April 2021: The NSA linked APT29 to Russia’s Foreign Intelligence Services (SVR), as the U.S. formally attributed the recent SolarWinds supply-chain attacks to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.
November 2020: Microsoft reported that APT28 joined in the feeding frenzy as one of three major APTs that went after pharma and clinical organizations involved in COVID-19 research.
September 2020: Microsoft issued a warning that members of the Russian military unit were attempting to harvest Office 365 credentials in the runup to U.S. elections, targeting mainly election-related organizations. The company noted at the time that the group had attacked more than 200 organizations last year, including political campaigns, advocacy groups, parties and political consultants. Those targets included think-tanks such as The German Marshall Fund of the United States, The European People’s Party, and various U.S.-based consultants serving Republicans and Democrats.
Saying that we can’t let down our guards would be quite the understatement, according to Check Point spokesperson Ekram Ahmed: “GRU continues to be a threat that we can’t ignore,” he observed to Threatpost on Friday. “The scale, reach and pace of their operations are alarming, especially with the 2021 Summer Olympics around the corner.”
In fact, in October 2020, the U.K.’s NCSC, in a joint operation with U.S. intelligence, said that that’s exactly what was in the works, accusing Russian military intelligence services of planning a cyberattack on the Japanese-hosted Olympics, scheduled to start in three weeks on July 23 after having been postponed due to the pandemic.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.