NSA accuses Russian intelligence service of brute force attacks

The US intelligence agency NSA has accused the Russian intelligence agency GRU of carrying out brute-force attacks against the networks and cloud environments of organizations worldwide. According to the NSA, the attacks have been going on since mid-2019 and have targeted hundreds of US and foreign organizations, among them government agencies, think tanks, political parties, law firms, educational institutions, defense companies, energy companies, and political consultants.

When a brute-force attack succeeds and the attackers obtain valid credentials, those credentials are combined with known vulnerabilities in Microsoft Exchange (CVE-2020-0688 and CVE-2020-17144). In this way the Exchange server can be compromised and further attacks against the underlying network become possible, the NSA said in a document about the attacks (pdf).

In the observed attacks, the attackers used, among other things, a compromised Office 365 service account with global administrator privileges to steal email from inboxes. In addition to email, the NSA states that the attackers also took files from shared network drives, local systems, and OWA servers. The stolen data is then packed with the WinRAR archiving program; to avoid detection, the attackers rename the WinRAR executable.

The NSA advises organizations to adopt multi-factor authentication, require strong passwords, implement time-out and lock-out features, use a Zero Trust security model and monitor for suspicious login attempts. In addition, organizations may consider blocking all incoming connections from known VPN services and the Tor network that deviate from normal use, the NSA advises.
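To make the "monitor for suspicious login attempts" and "lock-out" advice concrete, here is an added example (not code from the NSA advisory) that runs two brute-force detections over a constructed sign-in log: repeated failures against one account within a time window, which is where a lock-out policy should trip, and one source IP failing against many distinct accounts (password spraying); it also reports any success that follows an account reaching the threshold. The event tuples, IP addresses and thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, account, source IP, outcome).
# They are illustrative only, not data from the NSA advisory.
SAMPLE_EVENTS = [
    ("2021-07-01T10:00:01", "alice", "198.51.100.7", "fail"),
    ("2021-07-01T10:00:09", "alice", "198.51.100.7", "fail"),
    ("2021-07-01T10:00:20", "alice", "198.51.100.7", "fail"),
    ("2021-07-01T10:00:31", "alice", "198.51.100.7", "fail"),
    ("2021-07-01T10:00:44", "alice", "198.51.100.7", "fail"),
    ("2021-07-01T10:00:58", "alice", "198.51.100.7", "success"),
    ("2021-07-01T10:05:00", "bob",   "203.0.113.9",  "fail"),
    ("2021-07-01T10:05:15", "carol", "203.0.113.9",  "fail"),
    ("2021-07-01T10:05:30", "dave",  "203.0.113.9",  "fail"),
    ("2021-07-01T11:30:00", "frank", "192.0.2.44",   "fail"),
    ("2021-07-01T11:31:00", "frank", "192.0.2.44",   "success"),
]

def detect_bruteforce(events, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=3):
    """Return (locked_accounts, spraying_sources, post_lockout_successes).
    locked_accounts: >= fail_threshold failures on one account inside `window`
    (the point where a lock-out policy should trip). spraying_sources: one source
    IP failing against >= spray_threshold distinct accounts inside `window`.
    post_lockout_successes: sign-ins that succeeded after the account hit the
    threshold, i.e. a guessed credential that a lock-out would have blocked.
    """
    per_user = defaultdict(deque)   # account -> timestamps of recent failures
    per_ip = defaultdict(deque)     # source IP -> (timestamp, account) of recent failures
    locked, spraying, late_success = set(), set(), []
    parsed = sorted((datetime.fromisoformat(ts), u, ip, r) for ts, u, ip, r in events)
    for ts, user, ip, result in parsed:
        if result == "success":
            if user in locked:
                late_success.append((ts.isoformat(), user, ip))
            continue
        q = per_user[user]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= fail_threshold:
            locked.add(user)
        r = per_ip[ip]
        r.append((ts, user))
        while ts - r[0][0] > window:
            r.popleft()
        if len({u for _, u in r}) >= spray_threshold:
            spraying.add(ip)
    return locked, spraying, late_success
```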

The NSA advisory also contains IP addresses and user agents used by the attackers, as well as a Yara rule that detects a web shell used by the attackers.
