Good guy Russia gives enterprises, cloud platforms a free brute-force security test using Kubernetes clusters

Thanks, Vlad, for the cyber-check-up and the containerization case study


US and UK intelligence and law enforcement agencies on Thursday issued a joint cybersecurity advisory [PDF] warning that Russian military intelligence is using Kubernetes clusters cloaked by various VPN services and Tor relays to conduct brute force attacks on enterprise and cloud environments.

Kubernetes is an open source system for orchestrating the deployment and management of software containers, and is known for being overly complicated. It's used by the major US-based cloud infrastructure providers – Amazon Web Services, Google Cloud Platform, and Microsoft Azure – and by public and private sector organizations around the globe.

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC) said that since mid-2019, the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) has been spinning up Kubernetes clusters to target hundreds of US and foreign organizations via a variety of attack techniques, like the exploitation of known vulnerabilities and brute force password spraying and guessing.

"This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials," the advisory explains. "Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion."

The GTsSS, associated with names like Fancy Bear, APT28, and Strontium that have been bestowed by private sector security firms, is said to have focused significant attention on Microsoft Office 365 cloud services, in addition to other systems. These are the same people said to be responsible for the SolarWinds hack.

The US and UK three- and four-letter agencies hope their advisory will help network administrators take steps to harden their infrastructure against the listed attack techniques. They note that the brute force authentication attempts often get routed through Tor and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN, to conceal their point of origin.

The scalable nature of password spraying attacks, the NSA, CISA, FBI, and NCSC say, means that defenses based on specific indicators-of-compromise can be easily bypassed. In other words, blocking offending IP addresses isn't enough; organizations should look at disallowing all activity from inbound Tor nodes and public VPN services to Exchange servers or corporate portals if those channels are not typically used.

The US and UK agencies cite various IP addresses, User-Agent strings, and YARA malware detection rules for identifying GTsSS incursions, with the proviso that attacks may exhibit different characteristics.

They recommend IT admins adopt various sensible attack mitigation techniques like multi-factor authentication, time-out and lock-out for logins, preventing weak password choices, changing or disabling default credentials, segmenting networks, and scanning access logs – all the sorts of things security-minded organizations should already be doing. ®
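One way to put the "scan access logs" advice into practice against the spraying pattern described above: password spraying tries a few guesses against many accounts, so per-account lock-out thresholds rarely fire, but a per-source count of distinct failed accounts in a short window does. This is an added example, not code from the advisory or the agencies; the log format, the 10-minute window and the five-account threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format):
# ISO timestamp, source IP, account, result.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z 203.0.113.7 alice@example.test FAIL
2021-07-01T10:00:03Z 203.0.113.7 bob@example.test FAIL
2021-07-01T10:00:05Z 203.0.113.7 carol@example.test FAIL
2021-07-01T10:00:07Z 203.0.113.7 dave@example.test FAIL
2021-07-01T10:00:09Z 203.0.113.7 erin@example.test FAIL
2021-07-01T10:00:11Z 203.0.113.7 frank@example.test SUCCESS
2021-07-01T10:01:00Z 198.51.100.9 alice@example.test FAIL
2021-07-01T10:01:30Z 198.51.100.9 alice@example.test FAIL
2021-07-01T10:02:00Z 198.51.100.9 alice@example.test SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse(log_text):
    """Return a list of (timestamp, source_ip, account, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources whose failed logins touch >= min_accounts distinct
    accounts inside any sliding window. Breadth across accounts, not depth
    per account, is the spraying signature."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                alerts[src] = sorted(users)
                break
    return alerts

def successes_from_flagged(events, alerts):
    """Any SUCCESS from a flagged source is a likely compromised account."""
    return {(s, u) for _, s, u, r in events if r == "SUCCESS" and s in alerts}
```

A per-source view like this catches the pattern even when the source rotates between Tor exits and VPN egress addresses only slowly; rotating sources need the same count keyed on a coarser attribute (ASN or VPN provider range) instead of the single IP.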
