Malicious cyber actors use brute force techniques to discover valid credentials, often through extensive login attempts, sometimes with previously leaked usernames and passwords or by guessing variations of the most common passwords. While the brute force technique is not new, the GTsSS (85th Main Special Service Center) uniquely leveraged software containers to easily scale its brute force attempts. Once valid credentials were discovered, the GTsSS combined them with various publicly known vulnerabilities to gain further access into victim networks. This, along with various other techniques, allowed the actors to evade defenses and collect and exfiltrate information from the networks, including mailboxes.
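The defensive counterpart to the activity described above is authentication-log analysis that flags repeated failures against one account, one source trying many accounts, one account attacked from many sources (the pattern container-scaled guessing produces), and a success that follows failures. The following is an added example, not code from the advisory; the log format and the sample events are constructed for illustration, and the thresholds are assumptions a real deployment would tune and window by time.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (illustrative only, not from any real incident).
SAMPLE_LOG = """\
2021-07-01T10:00:01Z fail src=203.0.113.10 user=alice
2021-07-01T10:00:02Z fail src=203.0.113.10 user=alice
2021-07-01T10:00:03Z fail src=203.0.113.10 user=alice
2021-07-01T10:00:04Z fail src=203.0.113.10 user=alice
2021-07-01T10:00:05Z fail src=203.0.113.10 user=alice
2021-07-01T10:01:00Z fail src=198.51.100.7 user=bob
2021-07-01T10:01:01Z fail src=198.51.100.7 user=carol
2021-07-01T10:01:02Z fail src=198.51.100.7 user=dave
2021-07-01T10:01:03Z fail src=198.51.100.7 user=erin
2021-07-01T10:02:00Z fail src=192.0.2.5 user=grace
2021-07-01T10:02:01Z fail src=192.0.2.6 user=grace
2021-07-01T10:02:02Z fail src=192.0.2.7 user=grace
2021-07-01T10:02:30Z ok src=192.0.2.7 user=grace
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>fail|ok) src=(?P<src>\S+) user=(?P<user>\S+)$")

def parse_auth_log(text):
    """Parse the constructed log format into event dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def analyze(events, fail_threshold=5, spray_users=4, distributed_sources=3):
    """Flag brute-force patterns; thresholds are assumed values and there is no time window here."""
    fails_per_pair = defaultdict(int)     # (src, user) -> failed attempts
    users_per_src = defaultdict(set)      # src -> distinct accounts it failed against (spraying)
    sources_per_user = defaultdict(set)   # user -> distinct sources that failed against it (distributed)
    failed_pairs, fail_then_success = set(), set()
    for e in events:  # events are assumed to be in time order
        pair = (e["src"], e["user"])
        if e["result"] == "fail":
            fails_per_pair[pair] += 1
            users_per_src[e["src"]].add(e["user"])
            sources_per_user[e["user"]].add(e["src"])
            failed_pairs.add(pair)
        elif pair in failed_pairs:        # success after earlier failures: a credential may have been guessed
            fail_then_success.add(pair)
    return {
        "brute_force": sorted(p for p, n in fails_per_pair.items() if n >= fail_threshold),
        "password_spray": sorted(s for s, u in users_per_src.items() if len(u) >= spray_users),
        "distributed": sorted(u for u, s in sources_per_user.items() if len(s) >= distributed_sources),
        "fail_then_success": sorted(fail_then_success),
    }

if __name__ == "__main__":
    print(analyze(parse_auth_log(SAMPLE_LOG)))
```

The per-source counters alone would miss the third pattern, which is why the per-account source count matters when the attacker spreads attempts across many containers with distinct egress addresses.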
Recently, Kaseya, a well-known enterprise IT firm, was at the centre of the latest data encryption attack by REvil on its VSA product, software for remotely monitoring PCs, servers, printers, networks, and point-of-sale systems. Kaseya's VSA software was used to spread ransomware that encrypted "well over 1,000 businesses". The attack exploited a zero-day, or previously unknown, vulnerability in Kaseya VSA. REvil has now demanded $70 million for a universal decryption tool to end the Kaseya attack. Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid. In recent years, ransomware incidents have become increasingly prevalent among the Nation's state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations.
The syndicate operates several fraudulent portals. The following are some of the identified phishing links, amongst others:
On these portals, members of the public are asked to check their eligibility for the Covid-19 Survival Fund scheme and the N-Power Batch-C shortlisted candidates for 2021, and to click a link to apply for the CBN COVID-19 Loan by providing their account details in order to receive certain grants.
The list of Fortinet credentials was leaked for free by a threat actor known as 'Orange,' who is the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk Ransomware operation. Further analysis conducted by Advanced Intel shows that the IP addresses are for devices worldwide, with 2,959 devices located in the USA.