News Insights: CISA Says Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments

The National Security Agency, together with CISA, the FBI and the National Cyber Security Centre, has released the joint advisory “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.”

News Insights:

Saryu Nayyar, CEO, Gurucul (she/her):

“A growing number of ransomware attacks against infrastructure and critical industries, especially those suspected of state sponsorship and involvement, are prompting calls for an international agreement limiting the use of such ‘cyber warfare’ tactics. While such an agreement would be difficult to achieve, it is worthwhile for everyone to try to work toward this goal. Ransomware and other types of cyber warfare can cause irreparable harm to critical infrastructures, and lead to an escalating level of counterattacks, even if the actual perpetrators are not clearly apparent. A key aspect of any such cyber agreement is enforcement. Attacks aren’t easily detected early enough to prevent, and once perpetrated, leave the victim at the mercy of the attacker. By monitoring the thousands of potential security events to identify anomalies, governments and infrastructure providers can take action to stop an attack before it causes real damage.”

Garret Grajek, CEO, YouAttest:

“It’s heartening to know that the officials at the top of the western nations are finally taking this seriously. But one has to think that the cat is out of the bag. The malicious actors have learned that there is a high return on a low investment in international hacking. Most feel these organizations have profited so much from their ransomware attacks they have been able to buy political protection – at least up till now. Nothing has changed. The onus of cyber security is still on the enterprise – especially since most of the government proposals come in the form of fining businesses for not conducting proper cyber security practices. Enterprises should start with the basics, especially around access and the question of ‘who has what’ – and be alerted on identity privilege changes and change attempts, which are often an unheard first alert to an attack.”

Saumitra Das, CTO and Cofounder, Blue Hexagon:

“The global brute-force campaigns by the GRU show that any weakness in an organization’s security posture will be attacked at scale. The GRU used Kubernetes to orchestrate and scale their attacks to continuously attempt initial access into organizations. This implies high-level automation and semi-autonomous attack capabilities to target a wide list and then focus on where they are able to brute force in. While early attacks in March exposed their IPs, subsequent attacks have been masked using VPN and even multi-hop VPN services to make it very hard to pinpoint where the initial attacks are coming from. This may be one of the reasons for the government takedown of DoubleVPN recently. Additionally, the group attempts to then move laterally into the network aggressively, according to CISA. The emergence of new vulnerabilities like last week’s just increases the options the attackers have to cause real damage. Organizations need to focus on detection and response because clearly current technology, configurations and the endless stream of security supply chain vulnerabilities together make it hard to prevent initial access into networks.”
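All three comments above converge on the same defensive point: the campaign is detectable in authentication telemetry even when the source addresses are masked behind VPN hops, provided the monitoring aggregates on more than the source IP. The script below is an added illustration of that idea; it is not code from the advisory or from any of the quoted vendors. It runs a sliding-window detector over a handful of constructed, key=value-style authentication log lines (the format, the usernames and the documentation-range IP addresses are all hypothetical) and flags two shapes of brute forcing: one source failing against many accounts (a password spray) and many sources failing against one account (a distributed brute force, the pattern that VPN rotation produces). Each finding also records whether a success from the same source or for the same account followed, which is the signal an incident responder would triage first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log lines; the format is hypothetical and
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z result=fail user=alice src=203.0.113.5
2021-07-01T10:00:02Z result=fail user=bob src=203.0.113.5
2021-07-01T10:00:03Z result=fail user=carol src=203.0.113.5
2021-07-01T10:00:04Z result=fail user=dave src=203.0.113.5
2021-07-01T10:00:05Z result=fail user=erin src=203.0.113.5
2021-07-01T10:00:06Z result=success user=erin src=203.0.113.5
2021-07-01T10:05:00Z result=fail user=svc-backup src=198.51.100.10
2021-07-01T10:05:30Z result=fail user=svc-backup src=198.51.100.11
2021-07-01T10:06:00Z result=fail user=svc-backup src=198.51.100.12
2021-07-01T10:06:30Z result=fail user=svc-backup src=198.51.100.13
2021-07-01T10:07:00Z result=fail user=svc-backup src=198.51.100.14
2021-07-01T11:30:00Z result=fail user=alice src=192.0.2.77
2021-07-01T11:30:20Z result=success user=alice src=192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict with a UTC datetime, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def _sliding_window_alert(failures, window, threshold, min_distinct):
    """failures: list of (timestamp, other_field). Return details of the first
    window of `window` seconds holding >= threshold failures spread over
    >= min_distinct distinct values of other_field, else None."""
    failures.sort(key=lambda e: e[0])
    start = 0
    for end in range(len(failures)):
        while failures[end][0] - failures[start][0] > window:
            start += 1
        span = failures[start:end + 1]
        distinct = {other for _, other in span}
        if len(span) >= threshold and len(distinct) >= min_distinct:
            return {"count": len(span), "distinct": sorted(distinct),
                    "first": failures[start][0], "last": failures[end][0]}
    return None


def detect_brute_force(lines, window_seconds=600, threshold=5, min_distinct=3):
    """Aggregate failures by source (spray) and by account (distributed brute
    force) and return a list of findings. Thresholds are illustrative."""
    window = timedelta(seconds=window_seconds)
    by_src, by_user, successes = defaultdict(list), defaultdict(list), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        if rec["result"] == "fail":
            by_src[rec["src"]].append((rec["ts"], rec["user"]))
            by_user[rec["user"]].append((rec["ts"], rec["src"]))
        elif rec["result"] == "success":
            successes.add((rec["src"], rec["user"]))

    findings = []
    for src, events in by_src.items():
        hit = _sliding_window_alert(events, window, threshold, min_distinct)
        if hit:
            findings.append({"type": "password_spray", "key": src, **hit,
                             "followed_by_success": any(s == src for s, _ in successes)})
    for user, events in by_user.items():
        hit = _sliding_window_alert(events, window, threshold, min_distinct)
        if hit:
            findings.append({"type": "distributed_brute_force", "key": user, **hit,
                             "followed_by_success": any(u == user for _, u in successes)})
    return findings


if __name__ == "__main__":
    for f in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f["type"], f["key"], f["count"], "failures,",
              "success followed:", f["followed_by_success"])
```

On the sample input the detector raises one spray finding for 203.0.113.5 (five accounts in five seconds, then a success for one of them) and one distributed finding for the svc-backup account (five failures from five different sources in two minutes, no success). Alice's single failure followed by a successful login from an unrelated address stays below the thresholds, which is the behaviour wanted for an ordinary mistyped password. The account-centric aggregation is what survives VPN rotation: an attacker can change the source address per attempt, but the targeted username stays constant in the logs.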