
Russian Military Hackers' Hacking Methods Revealed by Government Agencies

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the UK's National Cyber Security Centre (NCSC) released a joint Cybersecurity Advisory this week exposing hacking activity carried out by Russian military intelligence against various organizations worldwide, including in the US, since 2019.

"GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and a variety of other identifiers," reads the advisory.

According to the advisory, the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, has been using a Kubernetes cluster to conduct password spraying and brute force attacks against hundreds of government and private-sector organizations worldwide.

Common targets of these hacking attempts (Source: NSA & FBI)

"After obtaining credentials via brute force (including HTTP(S), IMAP(S), POP3, and NTLM), the GTsSS uses a variety of known vulnerabilities for further network access via remote code execution and lateral movement," said the agency.

Below is the list of vulnerabilities exploited by the threat actor APT28 for remote code execution to extend the intrusion inside the network:

  • CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability
  • CVE-2020-17144: Microsoft Exchange Remote Code Execution Vulnerability

The NSA has published general recommendations in the advisory; some of them are worth noting:

  • Use multi-factor authentication with strong factors and require regular reauthentication.
  • Enable time-out and lock-out features whenever password authentication is needed.
  • Some services can check new passwords against dictionaries of common passwords when users change them, rejecting many poor choices before they are set.
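The advisory pairs brute force with password spraying, and the two look different in authentication logs: spraying tries a few guesses against many accounts to stay under per-account lock-out thresholds, while classic brute force hammers one account. The following is an added example, not code from the agencies or the advisory, that classifies failed-login sources over a constructed sample log; the log format, the IP addresses and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not from the advisory): timestamp, source IP, user, result.
# 198.51.100.7 makes one guess against each of many accounts (spraying, evades per-account lockout);
# 203.0.113.9 repeatedly guesses a single account (brute force, caught by lockout thresholds).
SAMPLE_LOG = """\
2021-07-01T10:00:01Z 198.51.100.7 alice FAIL
2021-07-01T10:00:02Z 198.51.100.7 bob FAIL
2021-07-01T10:00:03Z 198.51.100.7 carol FAIL
2021-07-01T10:00:04Z 198.51.100.7 dave FAIL
2021-07-01T10:00:05Z 198.51.100.7 erin FAIL
2021-07-01T10:05:00Z 203.0.113.9 alice FAIL
2021-07-01T10:05:01Z 203.0.113.9 alice FAIL
2021-07-01T10:05:02Z 203.0.113.9 alice FAIL
2021-07-01T10:05:03Z 203.0.113.9 alice FAIL
2021-07-01T10:05:04Z 203.0.113.9 alice FAIL
2021-07-01T10:05:05Z 203.0.113.9 alice FAIL
2021-07-01T10:30:00Z 192.0.2.5 bob FAIL
2021-07-01T10:30:30Z 192.0.2.5 bob OK
"""

def parse_line(line):
    """Split one log line into (datetime, source_ip, user, result)."""
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result

def classify_sources(log_text, window_seconds=600, spray_users=5, brute_attempts=6):
    """Return {source_ip: 'spray' | 'brute_force'} for every source whose failed
    logins inside a sliding window of window_seconds cross a threshold:
    'spray' when at least spray_users distinct accounts were tried,
    'brute_force' when one account received at least brute_attempts guesses."""
    fails = defaultdict(list)  # source IP -> [(timestamp, user)] for FAIL events only
    for line in log_text.splitlines():
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            fails[src].append((ts, user))
    verdicts = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Every failure from this source within window_seconds of the i-th one
            window = [u for t, u in events[i:] if (t - start).total_seconds() <= window_seconds]
            if len(set(window)) >= spray_users:
                verdicts[src] = "spray"
                break
            if max(window.count(u) for u in set(window)) >= brute_attempts:
                verdicts[src] = "brute_force"
                break
    return verdicts
```

Note that a per-account lock-out alone never fires on the spraying source, which is why the advisory's time-out and MFA recommendations matter alongside per-source monitoring.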

Indicators of Compromise.

