The United States and the United Kingdom have once again pointed to Russia. Attacks on cloud and enterprise networks are attributed to military intelligence

On 1 July, the US National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the British National Cyber Security Centre (NCSC) issued a joint security recommendation containing information on malicious activities of the Russian military intelligence service GRU. These activities began in 2019 and continue to this day.

The recommendation describes how the 85th Main Special Service Center, which operates under the GRU and is also known as military unit 26165 or APT28 (also tracked as Fancy Bear, Strontium and many other names), conducted malicious activities against hundreds of organisations, not only in the US but worldwide.

They used brute force attacks to penetrate the networks of government organisations as well as private companies. A significant number of the malicious activities were directed at organisations using Microsoft Office 365 cloud services. However, the GRU also targeted organisations using other cloud services or their own email server solutions that rely on various protocols. The recommendation notes that the GRU activities are most likely still ongoing.

Main targeted organizations included:

  • government and military organisations
  • political organisations and political parties
  • defence contractors
  • energy companies
  • logistics companies
  • think tanks
  • academic sector
  • law firms
  • media

The attacks led to penetration of the victims' infrastructure. That allowed the attackers to access protected data, including other account credentials, which were subsequently misused for initial access, persistence in the attacked infrastructure, privilege escalation and defence evasion. Exploitation of several vulnerabilities was also recorded; the most important were the Microsoft Exchange server vulnerabilities CVE-2020-0688 and CVE-2020-17144, which were exploited for remote code execution and further access to networks.

The security recommendation also includes indicators of compromise (IOCs) to detect the presence of an attacker or malicious code in the infrastructure. In an attempt to obfuscate their true origin, the attackers used TOR [1] as well as commercial VPN services such as CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark and WorldVPN.

The recommendation also includes IP addresses that were identified in relation to brute force attempts:

  • 173[.]40
  • 63[.]47
  • 185[.]21
  • 30[.]76
  • 250[.]89
  • 28[.]161
  • 36[.]180
  • 247[.]81
  • 125[.]42
  • 187[.]60

The reGeorg variant web shell used by GRU actors for the attacks can be identified by the following Yara rule:

rule reGeorg_Variant_Web_shell {
    strings:
        $pageLanguage = "<%@ Page Language=\"C#\""
        $obfuscationFunction = "StrTr"
        $target = "target_str"
        $IPcomms = "System.Net.IPEndPoint"
        $addHeader = "Response.AddHeader"
        $socket = "Socket"
    condition:
        5 of them
}


The recommendation also includes measures to mitigate the risk of identical or similar attacks:

  • Use multi-factor authentication with strong factors other than the password. Strong authentication factors are not guessable, so they are resilient to brute force attacks.
  • Enable time-out and lock-out features in password authentication. Time-out features should increase in duration with additional failed login attempts. Lock-out features should temporarily disable accounts after many consecutive failed attempts. This can reduce brute force attempts.
  • When creating or changing passwords, reject poor or easily guessable password choices, because the attackers may use services that check candidate passwords against lists of common or leaked passwords.
  • For protocols that support human interaction, utilize CAPTCHA.
  • Change all default login data on your devices and disable protocols that use weak authentication or do not support multi-factor authentication.
  • Always configure access controls on cloud resources carefully to ensure that only well-maintained and well-authenticated accounts have access there.
  • Employ appropriate network segmentation and access rules. Utilize a Zero Trust security model when making access decisions, which means limiting the access of particular roles and employees to only what is really required.
  • Use automated tools to audit access logs for security concerns. Identify anomalous access requests.
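As an added illustration of the last two points in the list above (progressive time-outs and lock-outs, and automated auditing of access logs for anomalous requests), the following Python script is an example written for this page; it is not part of the joint advisory or the original article. The log format, the thresholds, the function names and every sample log line are constructed for the illustration.

```python
# Added example, not part of the advisory or the original article: audit
# authentication logs for brute-force / password-spraying patterns and apply
# a progressive time-out and lock-out policy. Log format, thresholds and all
# sample lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Hypothetical format:
#   <ISO timestamp> <OK|FAIL> user=<account> src=<source IP>
SAMPLE_LOG = """\
2021-07-01T08:00:01 FAIL user=alice src=203.0.113.10
2021-07-01T08:00:02 FAIL user=bob src=203.0.113.10
2021-07-01T08:00:03 FAIL user=carol src=203.0.113.10
2021-07-01T08:00:04 FAIL user=dave src=203.0.113.10
2021-07-01T08:00:05 FAIL user=erin src=203.0.113.10
2021-07-01T08:00:06 FAIL user=frank src=203.0.113.10
2021-07-01T08:10:00 FAIL user=alice src=198.51.100.7
2021-07-01T08:10:01 FAIL user=alice src=198.51.100.7
2021-07-01T08:10:02 FAIL user=alice src=198.51.100.7
2021-07-01T08:10:03 FAIL user=alice src=198.51.100.7
2021-07-01T08:10:04 FAIL user=alice src=198.51.100.7
2021-07-01T08:10:05 OK user=alice src=198.51.100.7
2021-07-01T09:00:00 OK user=bob src=192.0.2.5
"""

WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ok": result == "OK",
                       "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]})
    return events


def _in_window(evs, start, window):
    """Events from evs that fall within `window` at or after `start`."""
    return [e for e in evs if timedelta(0) <= e["ts"] - start["ts"] <= window]


def find_anomalies(events, window=WINDOW, spray_accounts=5, brute_attempts=5, min_prior=3):
    """Return (kind, key, count) findings.
    'spray'  : one source fails against >= spray_accounts distinct accounts in a window
    'brute'  : one account accumulates >= brute_attempts failures in a window
    'success_after_failures': a successful login from a source that had >= min_prior
                              failures against the same account shortly before
    """
    failures = [e for e in events if not e["ok"]]
    findings = []

    by_src = defaultdict(list)               # password spraying: one source, many accounts
    for e in failures:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for start in evs:
            users = {e["user"] for e in _in_window(evs, start, window)}
            if len(users) >= spray_accounts:
                findings.append(("spray", src, len(users)))
                break

    by_user = defaultdict(list)              # brute force: one account, many attempts
    for e in failures:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for start in evs:
            n = len(_in_window(evs, start, window))
            if n >= brute_attempts:
                findings.append(("brute", user, n))
                break

    for e in events:                         # a burst of failures followed by success
        if e["ok"]:
            prior = [f for f in failures if f["user"] == e["user"] and f["src"] == e["src"]
                     and timedelta(0) <= e["ts"] - f["ts"] <= window]
            if len(prior) >= min_prior:
                findings.append(("success_after_failures", f"{e['user']}@{e['src']}", len(prior)))
    return findings


def lockout_policy(consecutive_failures, base_delay=1, lockout_after=10, lockout_seconds=900):
    """Time-out that doubles with each failure, and a temporary lock-out once
    `lockout_after` consecutive failures are reached. Returns (delay_seconds, locked)."""
    if consecutive_failures >= lockout_after:
        return lockout_seconds, True
    if consecutive_failures == 0:
        return 0, False
    return base_delay * 2 ** (consecutive_failures - 1), False


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
    for n in (0, 1, 3, 6, 10):
        print(n, "consecutive failures ->", lockout_policy(n))
```

On the constructed sample the script reports the spraying source that tried six accounts in a few seconds, the account that received five failures within the window, and the successful login that immediately followed that burst; the last finding is the one worth escalating, since it is the pattern that indicates a password was actually guessed. The thresholds and the ten-minute window are starting points to tune against the real volume of a given identity provider's logs.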

[1] The Onion Router – an anonymous web browsing system that obscures the user’s true location
