The NSA (National Security Agency), CISA (Cybersecurity and Infrastructure Security Agency), the FBI and UK security agencies have released a joint security advisory on malicious exploitation activity by Russian military hackers against US and other organizations worldwide. The agencies assess that this activity has been active since mid-2019 and is still ongoing.
The Russian military hackers are attacking their targets with distributed and anonymized brute force access attempts against multiple government and private sector organizations worldwide. The agencies have linked the attacks to the hacking group known as Fancy Bear, APT28 and Strontium.
The threat actors used the account credentials they identified through brute force together with exploitation of known vulnerabilities in Microsoft Exchange Server (CVE-2020-0688 and CVE-2020-17144) to achieve remote code execution and gain further access to the targeted networks. Once exploitation succeeds, multiple TTPs are combined to evade detection and move laterally within the targeted networks.
TTPs used in this Campaign
The attack used multiple combinations of TTPs to exploit the target networks; the protocols against which the threat actors directed their brute force authentication attempts include HTTPS, IMAP(S), POP3, and NTLM.
Targets of this Campaign
According to the security agencies, the Russian hackers have already targeted hundreds of US and foreign organizations worldwide.
Officials also confirmed that the attackers obfuscated their brute force attempts by routing them through commercial VPN services, such as CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN, so that the source of the attempts stayed anonymous.
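The two patterns described above, brute force attempts spread over several authentication protocols and sourced from many anonymized VPN addresses, are hard to spot with a per-IP lockout counter alone. The following is an added detection example written for this page (it is not code from the advisory or the article): it parses a constructed authentication log whose line format, field names and sample addresses are assumptions, then flags accounts that fail from many distinct source IPs inside a short window (one account, many anonymized sources) and, conversely, source IPs that fail against many distinct accounts (spraying).

```python
"""Detect distributed, anonymized brute force sign-in attempts from
authentication logs.

Added example (not from the advisory or the article). The log format,
field names and sample lines below are constructed for illustration.
Each line is: <ISO timestamp> <protocol> <result> user=<account> src=<ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one account probed from many source IPs
# over several protocols (distributed brute force through VPN exits),
# one source IP spraying a guess across many accounts, and benign noise.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z IMAPS FAIL user=alice src=203.0.113.10
2021-07-01T10:00:07Z IMAPS FAIL user=alice src=203.0.113.44
2021-07-01T10:00:15Z HTTPS FAIL user=alice src=198.51.100.5
2021-07-01T10:00:21Z POP3 FAIL user=alice src=198.51.100.77
2021-07-01T10:00:30Z NTLM FAIL user=alice src=192.0.2.200
2021-07-01T10:00:33Z NTLM FAIL user=alice src=192.0.2.201
2021-07-01T10:01:02Z HTTPS FAIL user=bob src=203.0.113.9
2021-07-01T10:01:03Z HTTPS FAIL user=carol src=203.0.113.9
2021-07-01T10:01:04Z HTTPS FAIL user=dave src=203.0.113.9
2021-07-01T10:01:05Z HTTPS FAIL user=erin src=203.0.113.9
2021-07-01T10:01:06Z HTTPS FAIL user=frank src=203.0.113.9
2021-07-01T10:02:00Z HTTPS OK user=alice src=192.0.2.15
2021-07-01T10:02:10Z IMAPS FAIL user=gina src=192.0.2.16
2021-07-01T10:45:00Z IMAPS FAIL user=gina src=192.0.2.17
"""


def parse_line(line):
    """Parse one constructed log line into a dict of typed fields."""
    ts, proto, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "proto": proto,
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def _windowed_distinct(events, key, value, window, threshold):
    """Group failed attempts by `key`; flag each key for which at least
    `threshold` distinct `value`s occur within some sliding time window
    of length `window`. Returns {key: sorted distinct values}."""
    by_key = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_key[e[key]].append(e)
    flagged = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add(e[value])
            if len(seen) >= threshold:
                flagged[k] = sorted(seen)
                break
    return flagged


def distributed_bruteforce(events, window=timedelta(minutes=10), min_sources=5):
    """Accounts whose failed logins came from many distinct source IPs,
    regardless of protocol: the 'one account, many anonymized sources'
    pattern that per-IP lockouts miss."""
    return _windowed_distinct(events, "user", "src", window, min_sources)


def password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs whose failures hit many distinct accounts: spraying."""
    return _windowed_distinct(events, "src", "user", window, min_accounts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("distributed brute force:", distributed_bruteforce(evs))
    print("password spray:", password_spray(evs))
```

On the sample data the first check flags `alice` (six failures from six addresses in half a minute) and the second flags `203.0.113.9` (five accounts in five seconds), while `gina`'s two spread-out failures stay below both thresholds. The window and threshold values are deliberately parameters: tune them to the tenant's normal failure rate, and correlate a flagged account with any subsequent successful sign-in from a new address, since that is the transition the advisory's campaign is aiming for.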
Indicators of Compromise (IoC)
The detailed advisory released by the security agencies can be found here.