UK, US agencies warn of large-scale brute-force attacks carried out by Russian APT

US and UK cybersecurity agencies said the Russia-linked APT28 group is behind a series of large-scale brute-force attacks. US and UK cybersecurity agencies said today that a Russian military cyber unit has been behind a series of brute-force attacks that have targeted the cloud IT resources of government and private sector companies across the world.

US and UK cybersecurity agencies published a joint alert about a series of large-scale brute-force attacks conducted by the Russia-linked APT28 group.

The joint alert was published by the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC).

The attacks took place between mid-2019 and early 2021. The Russia-linked threat actor used a Kubernetes cluster to conduct anonymized brute-force access attempts against hundreds of government organizations and businesses worldwide, including think tanks, defense contractors, and energy firms.

The attackers remained under the radar by routing brute-force attacks through the TOR network and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN. Authentication attempts that did not use TOR or a VPN service were also occasionally delivered directly to targets from nodes in the Kubernetes cluster.

The government experts attribute the attacks to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165.

“‘Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments’ details how the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) has targeted hundreds of U.S. and foreign organizations using brute force access to penetrate government and private sector victim networks,” reads the advisory published by the NSA.

The advisory provided details about the tactics, techniques, and procedures (TTPs) associated with GTsSS.

The APT group mainly targeted organizations using Microsoft Office 365 cloud services, along with targets using other service providers and on-premises email servers. Experts speculate the activity is still ongoing.

The attackers carried out brute-force attacks to discover valid credentials; in some cases, they also used credentials leaked in past breaches or guessed variations of the most common passwords. Experts pointed out that the GTsSS uniquely leveraged software containers to easily scale its brute-force attempts.

Upon discovering valid credentials, the GTsSS exploited various publicly known vulnerabilities (Microsoft Exchange flaws CVE-2020-0688 and CVE-2020-17144) to gain further access into target networks. The nation-state actors were able to evade defenses and to collect and exfiltrate information from the compromised networks.

“The actors used a combination of known TTPs in addition to their password spray operations to exploit target networks, access additional credentials, move laterally, and collect, stage, and exfiltrate data, as illustrated in the figure below.” reads the joint report. “The actors used a variety of protocols, including HTTP(S), IMAP(S), POP3, and NTLM. The actors also utilized different combinations of defense evasion TTPs in an attempt to disguise some components of their operations; however, many detection opportunities remain viable to identify the malicious activity.”
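One of the "detection opportunities" the report alludes to is the shape of a password spray in authentication logs: a single source failing against many distinct accounts with only one or two tries each, often over legacy mail protocols (IMAP/POP3) that cannot enforce MFA. The following is an added example, not code from the advisory; the sign-in events are constructed, and the field layout and thresholds are assumptions a SIEM rule would tune to its own data.

```python
from collections import defaultdict

# Constructed sample sign-in events (not taken from the advisory), normalised
# from Office 365 / mail-server logs as (source_ip, account, protocol, succeeded).
SAMPLE_EVENTS = [
    ("198.51.100.7", "alice@example.org", "IMAP", False),
    ("198.51.100.7", "bob@example.org", "IMAP", False),
    ("198.51.100.7", "carol@example.org", "IMAP", False),
    ("198.51.100.7", "dave@example.org", "POP3", False),
    ("198.51.100.7", "erin@example.org", "IMAP", False),
    ("198.51.100.7", "frank@example.org", "IMAP", True),   # the one guess that landed
    ("203.0.113.9", "alice@example.org", "HTTPS", False),
    ("203.0.113.9", "alice@example.org", "HTTPS", False),
    ("203.0.113.9", "alice@example.org", "HTTPS", True),   # a user mistyping, not a spray
    ("192.0.2.44", "grace@example.org", "NTLM", False),
]

# Assumed set of protocols that only support basic auth and therefore bypass MFA.
LEGACY_PROTOCOLS = {"IMAP", "POP3"}


def detect_password_spray(events, min_accounts=5, max_tries_per_account=2):
    """Flag sources that failed against many distinct accounts with few tries
    each: the low-and-slow pattern that per-account lockout never trips.
    Returns {source_ip: {"accounts_tried": n, "compromised": [accounts]}}."""
    failures = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for src, account, _proto, ok in events:
        if ok:
            successes[src].add(account)
        else:
            failures[src][account] += 1
    findings = {}
    for src, per_account in failures.items():
        if (len(per_account) >= min_accounts
                and max(per_account.values()) <= max_tries_per_account):
            findings[src] = {
                "accounts_tried": len(per_account),
                # accounts the same source also logged into: triage these first
                "compromised": sorted(successes[src]),
            }
    return findings


def legacy_auth_sources(events):
    """Sources authenticating over IMAP/POP3 basic auth, which the advisory's
    mitigations recommend disabling in favour of MFA-capable protocols."""
    return sorted({src for src, _a, proto, _ok in events if proto in LEGACY_PROTOCOLS})
```

Run over the sample, the spray from 198.51.100.7 is flagged with frank@example.org marked for triage, while the repeated failures from 203.0.113.9 against a single account are left alone.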

The report also includes indicators of compromise (IoCs) for the brute-force attacks conducted by the APT28 cyberespionage group. The document also provides YARA rules and mitigations.


Pierluigi Paganini

(SecurityAffairs – hacking, Russia)
