An advisory released by the NSA, FBI, CISA and NCSC warns of an ongoing global campaign using brute force techniques. The campaign is attributed to the Russian government, specifically Russia's General Staff Main Intelligence Directorate (GRU), and targets hundreds of organizations around the world, particularly in the U.S. and Europe.

The brute force technique itself is nothing new. The GRU 85th Main Special Service Center (GTsSS) used a Kubernetes cluster to perform widespread, anonymized, and distributed brute force attacks affecting the following sectors:

  • Government organizations
  • Military
  • Political consultants and parties
  • Law firms
  • Defense contractors
  • Energy
  • Logistics
  • Universities
  • Media companies

The campaign is believed to have begun in mid-2019, and some of the attempts were served directly from nodes in this cluster. In most cases, the attacks used Tor and various commercial VPN services.

The brute force attacks have been combined with the exploitation of known vulnerabilities, such as Microsoft Exchange flaws CVE-2020-0688 and CVE-2020-17144.

Once the attackers gain access, they spread laterally throughout the network while deploying a reGeorg web shell for persistence. They further harvest other credentials and steal files from the targeted systems. 

For obfuscation of their attacks, the Kubernetes cluster carries out brute force attacks with Tor and VPN services, such as IPVanish, CactusVPN, ProtonVPN, Surfshark, WorldVPN, and NordVPN.

The advisory offers several recommendations, including using multi-factor authentication, enabling time-out and lock-out features for password authentication, and using CAPTCHAs. Additionally, users are advised to change all default credentials, apply appropriate network segmentation and restrictions, and use automated tools to audit access logs.
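As an added example (not from the advisory or this article), the following Python detector implements the kind of access-log audit the advisory recommends: it flags an account that accumulates many failed logins from many distinct source addresses in a short window, which is the signature of a distributed, anonymized brute force campaign rather than a single misbehaving client. The log format and the sample lines are constructed assumptions, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not from the advisory):
# ISO-8601 timestamp, result, username, source IP. Addresses are documentation ranges.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z FAIL alice 198.51.100.10
2021-06-01T10:00:07Z FAIL alice 203.0.113.22
2021-06-01T10:00:15Z FAIL alice 192.0.2.40
2021-06-01T10:00:21Z FAIL alice 198.51.100.77
2021-06-01T10:00:30Z FAIL alice 203.0.113.9
2021-06-01T10:00:44Z SUCCESS alice 192.0.2.41
2021-06-01T10:01:02Z FAIL bob 198.51.100.10
2021-06-01T10:01:10Z FAIL bob 198.51.100.10
2021-06-01T10:05:00Z SUCCESS carol 10.0.0.5
"""

def parse_line(line):
    """Split one log line into (timestamp, result, user, source_ip)."""
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip

def detect_distributed_bruteforce(log_text, window=timedelta(minutes=5),
                                  min_failures=5, min_sources=3):
    """Return findings as (user, failures_in_window, distinct_sources, success_followed).

    A per-IP lockout would miss this pattern because each source address only
    tries a few times; grouping by account and counting distinct sources catches it.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_user = defaultdict(list)
    for ts, result, user, ip in events:
        by_user[user].append((ts, result, ip))
    findings = []
    for user, evs in by_user.items():
        evs.sort()
        fails = [(ts, ip) for ts, r, ip in evs if r == "FAIL"]
        # Slide a window over the failures for this account.
        for i in range(len(fails)):
            start = fails[i][0]
            win = [f for f in fails[i:] if f[0] - start <= window]
            sources = {ip for _, ip in win}
            if len(win) >= min_failures and len(sources) >= min_sources:
                end = win[-1][0]
                # A success shortly after the burst suggests the guessing worked.
                success_followed = any(r == "SUCCESS" and end < ts <= end + window
                                       for ts, r, _ in evs)
                findings.append((user, len(win), len(sources), success_followed))
                break  # one finding per account is enough for triage
    return findings
```

Running `detect_distributed_bruteforce(SAMPLE_LOG)` reports only `alice`: five failures from five addresses in under a minute followed by a success, while `bob`'s two failures from one address stay below both thresholds.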