APT Actor Brute Force Campaign (International Partners)

Number: AL21-012
Date: 02 July 2021

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and Federal Bureau of Investigation (FBI) issued a Joint Cybersecurity Advisory [1] detailing a global brute force campaign to compromise enterprise and cloud environments by advanced persistent threat (APT) actors.

ASSESSMENT

On 01 July 2021, the NSA, CISA, NCSC, and FBI issued a Joint Cybersecurity Advisory [1], drawing attention to an active campaign being carried out to gain access to enterprise and cloud environments of government and private sector targets.

The campaign leverages brute force techniques for access attempts against targeted organizations. Upon obtaining credentials, the APT actors exploit various other known vulnerabilities to gain further access and move laterally through the target network [2]. The Joint Advisory states that the credentials are used for various malicious purposes.
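As an added illustration of the detection side of such a campaign (example code, not from the Joint Advisory or the Cyber Centre), the following script flags three patterns in authentication logs: password spraying from one source across many accounts, repeated failures against a single account, and the highest-priority signal, a successful login that follows a burst of failures for the same account. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simple syslog-like auth format (not any product's real format).
SAMPLE_LOG = """\
2021-07-01T10:00:01Z auth FAIL user=alice src=203.0.113.5
2021-07-01T10:00:02Z auth FAIL user=bob src=203.0.113.5
2021-07-01T10:00:03Z auth FAIL user=carol src=203.0.113.5
2021-07-01T10:00:04Z auth FAIL user=dave src=203.0.113.5
2021-07-01T10:00:10Z auth FAIL user=admin src=198.51.100.9
2021-07-01T10:00:11Z auth FAIL user=admin src=198.51.100.9
2021-07-01T10:00:12Z auth FAIL user=admin src=198.51.100.9
2021-07-01T10:00:13Z auth FAIL user=admin src=198.51.100.9
2021-07-01T10:00:15Z auth OK user=admin src=198.51.100.9
2021-07-01T10:05:00Z auth FAIL user=alice src=192.0.2.7
2021-07-01T10:05:30Z auth OK user=alice src=192.0.2.7
"""
LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    # Return (timestamp, outcome, user, src) tuples in time order; malformed lines are skipped.
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, outcome, user, src = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome, user, src))
    return sorted(events)

def detect(log_text, window=timedelta(minutes=5), spray_users=4, brute_fails=4):
    # Group by source address and judge each source's failures within the last `window`.
    # Thresholds are assumed values; tune them to the environment's normal failure rate.
    findings, by_src = [], defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[3]].append(ev)
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        recent = [e for e in fails if fails[-1][0] - e[0] <= window]  # failures in the last window
        users = {e[2] for e in recent}
        if len(users) >= spray_users:  # few attempts each, spread over many accounts
            findings.append({"type": "password_spray", "src": src, "accounts": len(users)})
        per_user = Counter(e[2] for e in recent)
        for user, n in per_user.items():
            if n >= brute_fails:  # one account hammered from one source
                findings.append({"type": "brute_force", "src": src, "user": user, "failures": n})
        for e in evs:  # a success preceded by a burst of failures for the same account
            prior = [f for f in fails if f[2] == e[2] and timedelta(0) <= e[0] - f[0] <= window]
            if e[1] == "OK" and len(prior) >= brute_fails:  # one typo then a login is not flagged
                findings.append({"type": "success_after_failures", "src": src, "user": e[2]})
    return findings
```

Running `detect(SAMPLE_LOG)` reports the spray from 203.0.113.5 and both the brute force and the subsequent successful login for `admin` from 198.51.100.9, while the single mistyped password from 192.0.2.7 is left alone.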

The Cybersecurity Advisory highlights the following vulnerabilities as being exploited once credentials have been obtained; however, other publicly known vulnerabilities or techniques may also be in use:

  • CVE-2020-0688 Microsoft Exchange [3]
  • CVE-2020-17144 Microsoft Exchange [4]

The Cyber Centre is highlighting this Advisory, as it provides important information to system owners and operators responsible for defending their systems and networks from cyber threats.

There are software updates and mitigations for the vulnerabilities described above. See past reporting by the Cyber Centre and partners for more details.

Should activity matching the content of this Alert be discovered, recipients are encouraged to report via the My Cyber Portal (https://cyber.gc.ca/en/incident-management), contact the Cyber Centre by email (contact@cyber.gc.ca), or by telephone (1-833-CYBER-88 or 1-833-292-3788).

REFERENCES

[1] APT Actors Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments (NSA/CISA/NCSC/FBI)
https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF

[2] NSA-CISA-NCSC-FBI Joint Cybersecurity Advisory on APT Brute Force Campaign
https://us-cert.cisa.gov/ncas/current-activity/2021/07/01/nsa-cisa-ncsc-fbi-joint-cybersecurity-advisory-russian-gru-brute

[3] Microsoft Exchange Validation Key Remote Code Execution Vulnerability
https://www.cyber.gc.ca/en/alerts/microsoft-exchange-validation-key-remote-code-execution-vulnerability

[4] Microsoft Security Advisory – December 2020 Monthly Rollup
https://www.cyber.gc.ca/en/alerts/microsoft-security-advisory-december-2020-monthly-rollup

NOTE TO READERS

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.