Monday, July 5, 2021

U.S., U.K. Security Warn of Russian-backed Brute Force Cyberattacks

Cyber crews sponsored by Russia have carried out brute force hacking campaigns to steal user accounts from hundreds of government and private-sector organizations around the world, leading US and UK security agencies warned in a recently published joint advisory.

In a brute force attack, an attacker makes a barrage of trial-and-error login attempts to guess passwords or other credentials and so gain access to accounts.

The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) said that the operation, attributed to the Russian General Staff Main Intelligence Directorate (GRU), has continued for at least the last two years. Most of the attacks targeted US organizations, the advisory says.

“From at least mid-2019 to early 2021, military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS), used a Kubernetes cluster to carry out widespread, distributed and anonymized brute force access attempts,” the agencies said. The targets include the following:

  • Government and military organizations
  • Political advisers and party organizations
  • Defense companies
  • Energy companies
  • Logistics companies
  • Think tanks
  • Universities
  • Law firms
  • Media companies

Brute force capabilities allow GTsSS operators to access protected data, including email, and to identify valid account credentials. Those credentials can then be used for initial access, for persisting in the network without detection, for privilege escalation and for evading defenses. Malicious actors typically use a variety of well-known tactics, techniques and procedures (TTPs) to gather additional information within target networks, and this group is no exception, the advisory states.

The alert is a timely reminder for MSPs and MSSPs to offer cybersecurity training services that raise awareness of brute force campaigns. It comes amid escalating cyberattacks on critical US infrastructure, including the SolarWinds Orion attack, the Colonial Pipeline ransomware hijacking and a similar incident at meat supplier JBS USA, all of which US security agencies have linked to Russian-backed operators or Russian-speaking groups.

In a recent incident, the July 2, 2021 attack on software management vendor Kaseya, President Biden said the “first mindset” is that the Russian government is not behind the infiltration, “but we are still not sure ourselves,” The Hill reported. The attack also exploited previously unknown vulnerabilities in Kaseya’s VSA software. No brute force angle had been mentioned at the time of this writing.

Meanwhile, Managed Detection and Response (MDR) provider Huntress Labs told MSSP Alert that REvil, also known as Sodinokibi, the Russia-affiliated group held responsible for the recent attack on meat producer JBS USA, is also responsible for the Kaseya offensive. Biden said he had already warned Russian President Vladimir Putin to expect a US response should Moscow prove responsible for the attack, which is believed to have affected 50 to 60 Kaseya customers.

Law enforcement and security agencies, as well as the private sector, have issued a number of warnings about Russian hackers; the most prominent earlier warnings concerned election interference, while recent ones address ransomware, phishing and other malware break-ins. A recent FBI and CISA bulletin warned US IT companies, government agencies, researchers and policymakers about the key tactics Russian-backed hacking crews use to steal critical information. That dispatch provided actionable material on the cyber tools, objectives, techniques and capabilities of the Russian Foreign Intelligence Service (SVR) to help organizations secure their networks.

In May 2021, Microsoft’s security team announced that the Russia-backed Nobelium hackers, the same group behind the SolarWinds Orion attack, had launched a malware campaign not only against federal agencies but also against researchers, consultants and non-governmental organizations. The campaign hit approximately 3,000 email accounts in more than 150 organizations. President Biden imposed economic sanctions on Russia following the SolarWinds hack and Moscow’s attempts to influence the US elections. With news that the same group is again involved in Moscow’s continued cyber-espionage operations, some Democratic lawmakers are calling for more pressure on the Biden administration.

The US and UK security agencies recommend the following measures to ensure strict access control:

  • Use multi-factor authentication. Strong authentication factors are not guessable, so brute force attempts cannot guess them.
  • Enable timeout and lockout features wherever password authentication is required. Timeouts should grow longer with each additional failed login attempt, and lockouts should temporarily disable an account after many consecutive unsuccessful attempts.
  • Use services that check passwords against dictionaries of common passwords and reject weak choices; this makes brute force guessing of passwords much harder.
  • For protocols that support human interaction, use captchas to prevent automated access attempts.
  • Change any default credentials and disable protocols that use weak authentication or that do not support multi-factor authentication. Configure access controls for cloud resources so that only well-maintained and well-authenticated accounts have access.
  • Use appropriate network segmentation and restrictions to limit access, and use additional attributes when making access decisions, working toward a zero trust security model.
  • Use automated tools to review access logs for security concerns and to identify abnormal access requests.
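As an added example (not from the advisory or this article), the following Python script applies the last two recommendations to a constructed authentication log: it counts per-account failures that a lockout policy would act on, and it adds a window-level check for the distributed pattern described above, where a few guesses per account are spread across many source IPs and so slip past per-IP thresholds. The log format (`timestamp result user=… src=…`) and all thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth log (not from the advisory): timestamp, result, account, source IP.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z FAIL user=alice src=203.0.113.10
2021-06-01T10:00:03Z FAIL user=bob src=198.51.100.7
2021-06-01T10:00:05Z FAIL user=carol src=203.0.113.44
2021-06-01T10:00:06Z FAIL user=dave src=192.0.2.18
2021-06-01T10:00:08Z FAIL user=erin src=198.51.100.91
2021-06-01T10:00:09Z FAIL user=frank src=203.0.113.200
2021-06-01T10:00:11Z OK   user=alice src=203.0.113.10
2021-06-01T10:30:00Z FAIL user=alice src=10.0.0.5
2021-06-01T10:30:02Z FAIL user=alice src=10.0.0.5
2021-06-01T10:30:04Z FAIL user=alice src=10.0.0.5
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")

def parse_line(line):
    """Parse one log line into (timestamp, result, user, src); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4)

def detect(log_text, window_minutes=10, spray_accounts=5, spray_sources=3, per_account_max=3):
    """Return [(window_start, alert_type, detail)] computed over fixed time windows."""
    windows = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        start = ev[0].replace(minute=ev[0].minute - ev[0].minute % window_minutes, second=0)
        windows[start].append(ev)
    alerts = []
    for start, evs in sorted(windows.items()):
        fail_count, fail_src, failed_pairs = Counter(), set(), set()
        for _, result, user, src in evs:
            if result == "FAIL":
                fail_count[user] += 1
                fail_src.add(src)
                failed_pairs.add((user, src))
            elif (user, src) in failed_pairs:  # a guessed credential is likely now in use
                alerts.append((start, "success_after_failures", f"{user} from {src}"))
        for user, n in fail_count.items():  # classic per-account brute force: lockout territory
            if n >= per_account_max:
                alerts.append((start, "per_account_bruteforce", f"{user} ({n} failures)"))
        # Distributed spray: many accounts with only a few failures each, from many sources.
        low_and_slow = [u for u, n in fail_count.items() if n < per_account_max]
        if len(low_and_slow) >= spray_accounts and len(fail_src) >= spray_sources:
            alerts.append((start, "distributed_spray", f"{len(low_and_slow)} accounts from {len(fail_src)} sources"))
    return alerts
```

The spray check deliberately ignores per-IP counts, since every source in the sample window fails only once; a detector keyed on source IP alone would report nothing here.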


Source: https://collegeeducationnewsllc.com/u-s-u-k-security-warn-of-russian-backed-brute-force-cyberattacks/
