{"id":6461,"date":"2021-07-06T15:48:08","date_gmt":"2021-07-06T22:48:08","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6461"},"modified":"2024-08-07T12:20:54","modified_gmt":"2024-08-07T19:20:54","slug":"fancy-bear-brute-force-attacks","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/fancy-bear-brute-force-attacks\/","title":{"rendered":"Fancy Bear Brute Force Attacks"},"content":{"rendered":"

Author: Nick Sundvall<\/h3>\n

TLP: WHITE<\/h3>\n

1. Executive Summary<\/h3>\n

On 1 July, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Cyber Security Centre (NCSC) published a joint advisory on a brute-force campaign that leverages a Kubernetes cluster to attack government and private organizations around the world.1<\/sup> The advisory attributes the campaign to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), but private cybersecurity companies have also referred to the actor as Fancy Bear, APT28, or Strontium. The advisory describes the campaign as \u201calmost certainly still ongoing\u201d and targeting mainly users of Microsoft Office 365 Cloud services.<\/p>\n

The campaign has been most active in the U.S. and Europe, and its main targets are government and military organizations, political parties, defense contractors, energy companies, law firms, and higher-education institutions.<\/p>\n

2. Analysis<\/h3>\n

According to the advisory, the actor attempts to \u201caccess protected data, including email, and identify valid account credentials.\u201d With the credentials in hand, the actor attempts to access the target\u2019s system, maintain persistence, and escalate privileges. The actor then attempts to exploit known vulnerabilities, such as CVE 2020-0688 and CVE 2020-17144, to remotely execute code. Finally, the actor attempts to move laterally throughout the network, access more targets, establish persistent access to the new targets, and exfiltrate stolen data. The advisory details the full MITRE ATT&CK table for this campaign.<\/p>\n

3. Prevention and Mitigation<\/h3>\n

The advisory recommends that network managers \u201cadopt and expand usage of multi-factor authentication,\u201d implement time-out and lock-out features for logins, and institute policies that mandate the use of strong passwords. The advisory also recommends that organizations block all incoming activity from known commercial virtual private network (VPN) services and the Onion Router (TOR). Finally, the advisory specifically recommends the following measures:<\/p>\n