NSA reports attacks by Russian group Fancy Bear

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the UK's National Cyber Security Centre (NCSC) have published a joint advisory on a global campaign run by the Fancy Bear group (also tracked as APT28 or Strontium, and not to be confused with Cozy Bear, APT29) since mid-2019 and still ongoing. The operators, attributed to Russia's military intelligence service (the GRU), have used brute-force attacks to gain access to the networks of government agencies and private companies.

Fancy Bear: attacks in Europe and the United States

According to the advisory, the attacks hit hundreds of targets in Europe and the United States, including US government and Department of Defense entities. The operators ran a Kubernetes cluster to perform password-spraying attacks: a brute-force technique that tries a small number of common passwords against many accounts, staying below per-account lockout thresholds, in order to identify valid credentials. The spraying targeted authentication endpoints over several protocols, including HTTP/HTTPS, IMAP/IMAPS, POP3 and NTLM. Once they held working credentials, the operators combined a range of techniques to access files and email, and in some cases exploited two known Microsoft Exchange vulnerabilities (CVE-2020-0688 and CVE-2020-17144), both of which allow an authenticated attacker to execute arbitrary code, to gain further access.

The group also used several obfuscation techniques to avoid detection. Credential-guessing attempts were masked behind Tor or well-known commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark and WorldVPN. Between November 2020 and March 2021, however, some attempts were made without anonymization, which allowed some IP addresses of the Kubernetes cluster to be identified.

The agencies also listed security measures to reduce the risk, including changing login credentials and enabling multi-factor authentication. Because password spraying deliberately spreads attempts across many accounts, defenders should correlate failed logins by source address rather than relying on per-account lockout alone.
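The advisory describes the campaign in prose only; the following detection logic is an added example, not code from the agencies or from the article. It runs over constructed authentication log lines (the log format, field order, thresholds and time window are all assumptions made here) and illustrates the point that password spraying is visible when failed logins are grouped by source IP across many accounts, while classic single-account brute force shows up as many failures on one user. It also flags a later successful login from the same source on one of the sprayed accounts, the "valid credentials found, then used" step the advisory describes.

```python
"""Password-spray versus single-account brute-force detection.

Added example; not from the joint advisory or the article. The log format
below is an assumption: "<ISO timestamp> <source_ip> <protocol> <user> <FAIL|OK>".
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 sprays six accounts once
# each over IMAP/POP3/HTTPS and then logs in as one of them; 198.51.100.22
# hammers a single account; 192.0.2.5 is an ordinary user with one typo.
SAMPLE_LOG = """\
2021-02-01T10:00:01 203.0.113.7 IMAP alice@example.com FAIL
2021-02-01T10:00:09 203.0.113.7 IMAP bob@example.com FAIL
2021-02-01T10:00:17 203.0.113.7 POP3 carol@example.com FAIL
2021-02-01T10:00:25 203.0.113.7 IMAP dave@example.com FAIL
2021-02-01T10:00:33 203.0.113.7 HTTPS erin@example.com FAIL
2021-02-01T10:00:41 203.0.113.7 IMAP frank@example.com FAIL
2021-02-01T10:01:00 198.51.100.22 HTTPS bob@example.com FAIL
2021-02-01T10:01:05 198.51.100.22 HTTPS bob@example.com FAIL
2021-02-01T10:01:10 198.51.100.22 HTTPS bob@example.com FAIL
2021-02-01T10:01:15 198.51.100.22 HTTPS bob@example.com FAIL
2021-02-01T10:01:20 198.51.100.22 HTTPS bob@example.com FAIL
2021-02-01T10:01:25 198.51.100.22 HTTPS bob@example.com FAIL
2021-02-01T10:01:30 198.51.100.22 HTTPS bob@example.com FAIL
2021-02-01T10:01:35 198.51.100.22 HTTPS bob@example.com FAIL
2021-02-01T10:02:10 203.0.113.7 IMAP dave@example.com OK
2021-02-01T10:05:00 192.0.2.5 HTTPS carol@example.com FAIL
2021-02-01T10:05:30 192.0.2.5 HTTPS carol@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (FAIL|OK)$")


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, proto, user, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "proto": proto, "user": user, "ok": result == "OK"})
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Flag source IPs whose failures inside `window` cover at least
    `min_users` distinct accounts with at most `max_per_user` tries each.
    Thresholds are assumptions; tune them to the environment."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if not e["ok"]]
        best = None
        for i, start in enumerate(failures):          # sliding window over failures
            in_win = [e for e in failures[i:] if e["ts"] - start["ts"] <= window]
            per_user = Counter(e["user"] for e in in_win)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {"distinct_users": len(per_user),
                            "attempts": len(in_win),
                            "protocols": sorted({e["proto"] for e in in_win}),
                            "first": start["ts"], "last": in_win[-1]["ts"],
                            "sprayed_users": sorted(per_user)}
        if best is not None:
            # A later success on a sprayed account means the spray found a valid password.
            sprayed = set(best["sprayed_users"])
            best["confirmed_logins"] = sorted({e["user"] for e in evs if e["ok"]
                                               and e["user"] in sprayed
                                               and e["ts"] >= best["first"]})
            findings[ip] = best
    return findings


def detect_single_account_bruteforce(events, min_failures=5):
    """Classic per-account brute force: many failures for one (ip, user) pair."""
    counts = Counter((e["ip"], e["user"]) for e in events if not e["ok"])
    return {k: n for k, n in counts.items() if n >= min_failures}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, f in detect_password_spray(evs).items():
        print(f"SPRAY {ip}: {f['distinct_users']} accounts over {f['protocols']}, "
              f"confirmed logins {f['confirmed_logins']}")
    for (ip, user), n in detect_single_account_bruteforce(evs).items():
        print(f"BRUTE {ip} -> {user}: {n} failures")
```

The per-account lockout that stops the second source does nothing against the first: each sprayed account sees a single failure. The useful signal is the number of distinct accounts per source address within the window, and a subsequent success from that address on a sprayed account should be treated as a confirmed compromise rather than a normal login. In a real deployment the source-IP grouping should also be fed the published Tor exit and VPN provider ranges, since the advisory notes the campaign hid most of its attempts behind them.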
