US and UK intelligence and law enforcement agencies on Thursday issued a joint cybersecurity advisory [PDF] warning that Russian military intelligence is using Kubernetes clusters cloaked by various VPN services and Tor relays to conduct brute force attacks on enterprise and cloud environments.
Kubernetes is an open source system for orchestrating the deployment and management of software containers, and is known for being overly complicated. It's used by the major US-based cloud infrastructure providers – Amazon Web Services, Google Cloud Platform, and Microsoft Azure – and by public and private sector organizations around the globe.
The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC) said that since mid-2019, the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) has been spinning up Kubernetes clusters to target hundreds of US and foreign organizations via a variety of attack techniques, like the exploitation of known vulnerabilities and brute force password spraying and guessing.
"This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials," the advisory explains. "Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion."
The GTsSS, associated with names like Fancy Bear, APT28, and Strontium that have been bestowed by private sector security firms, is said to have focused significant attention on Microsoft Office 365 cloud services, in addition to other systems. These are the same people said to be responsible for the SolarWinds hack.
The US and UK three and four-letter agencies hope their advisory will help network administrators take steps to harden their infrastructure against the listed attack techniques. They note that the brute force authentication attempts often get routed through Tor and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN, to conceal their point of origin.
The scalable nature of password spraying attacks, the NSA, CISA, FBI, and NCSC say, means that defenses based on specific indicators-of-compromise can be easily bypassed. In other words, blocking offending IP addresses isn't enough; organizations should look at disallowing all activity from inbound Tor nodes and public VPN services to Exchange servers or corporate portals if those channels are not typically used.
The US and UK agencies cite various IP addresses, User Agent strings, and YARA malware detection rules for identifying GTsSS incursions, with the proviso that attacks may exhibit different characteristics.
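To show why a spray that rotates exit IPs slips past per-address indicators, here is an added example that is not part of the advisory or this article: a small Python detector run over constructed authentication log lines (the log format, IP addresses and account names are invented for the illustration). Counting failures per source IP sees nothing worth blocking, while counting distinct accounts that fail within a short window, independent of source, flags the spray.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not from the advisory): one guess per account, each
# from a different exit IP, followed by one genuine user typo and a success.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z auth=FAIL user=alice@example.com src=203.0.113.10
2021-07-01T10:00:02Z auth=FAIL user=bob@example.com src=203.0.113.11
2021-07-01T10:00:03Z auth=FAIL user=carol@example.com src=198.51.100.7
2021-07-01T10:00:04Z auth=FAIL user=dave@example.com src=198.51.100.8
2021-07-01T10:00:05Z auth=FAIL user=erin@example.com src=192.0.2.55
2021-07-01T10:05:00Z auth=FAIL user=alice@example.com src=10.1.2.3
2021-07-01T10:05:01Z auth=OK user=alice@example.com src=10.1.2.3
"""
LINE_RE = re.compile(r"^(\S+) auth=(OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log):
    """Return (epoch_seconds, succeeded, user, src) tuples; malformed lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((int(ts.timestamp()), m.group(2) == "OK", m.group(3), m.group(4)))
    return events

def noisy_sources(events, threshold=5):
    """Per-IP view: sources with >= threshold failures (what a block list or source lockout sees)."""
    fails = defaultdict(int)
    for _, ok, _, src in events:
        if not ok:
            fails[src] += 1
    return {src for src, n in fails.items() if n >= threshold}

def spray_windows(events, window_s=60, min_accounts=5, max_per_account=2):
    """Behavioural view: windows where many distinct accounts each fail only a few
    times, regardless of how many source IPs the attempts came from."""
    per_user = defaultdict(lambda: defaultdict(int))  # window -> user -> failures
    sources = defaultdict(set)                        # window -> distinct src IPs
    for ts, ok, user, src in events:
        if not ok:
            per_user[ts // window_s][user] += 1
            sources[ts // window_s].add(src)
    flagged = []
    for bucket, users in sorted(per_user.items()):
        if len(users) >= min_accounts and max(users.values()) <= max_per_account:
            flagged.append({"window_start": bucket * window_s,
                            "accounts": len(users), "sources": len(sources[bucket])})
    return flagged
```

On the sample, `noisy_sources` returns an empty set at the default threshold, and even at a threshold of one it would list six addresses including the legitimate user's, whereas `spray_windows` flags the single one-minute window in which five accounts each failed once from five different sources.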
They recommend IT admins adopt various sensible attack mitigation techniques like multi-factor authentication, time-out and lock-out for logins, preventing weak password choices, changing or disabling default credentials, segmenting networks, and scanning access logs – all the sorts of things security-minded organizations should already be doing. ®