[Cyware] Russia-Linked Brute-Force Campaign Targets EU via Microsoft Infrastructure

Since May 2024, European Union networks have seen a surge of brute-force attacks attributed to Russian actors who route the activity through Microsoft infrastructure to evade detection. The campaign targets high-value assets across EU cities and underlines the need for stronger cloud security, MFA, and coordinated defense. #RussianCyberActors #MicrosoftInfrastructure #BruteForceCampaign #EuropeanUnion #Edinburgh #Dublin #BSNL #BhartiAirtel #FancyBear #APT28

Keypoints

  • The EU faces a surge in brute-force attacks attributed to Russian cyber actors using Microsoft infrastructure to remain undetected.
  • Attacks target administrative and other high-value accounts across EU cities (e.g., Edinburgh, Dublin); over 60% of the attacking IPs are newly compromised hosts.
  • Attackers abuse major ISPs (e.g., Telefonica LLC, IPX-FZCO) and route traffic through compromised Indian (BSNL, Bharti Airtel) and Chinese resources to widen their reach.
  • The prevalent tooling consists of an SMBv1 crawler, an RDP crawler, and an RDP alternate-port crawler, which combine password guessing, password spraying, and credential stuffing to obtain valid credentials.
  • Geographically, Moscow-origin IPs predominate; targets include UK cities and EU critical infrastructure such as the EU Cyber Security Centre in Edinburgh.
  • The operations reportedly involve state-aligned or allied actors (Fancy Bear/APT28) and exploit resources in India and China to stage the campaigns.
  • Recommended protective measures include cloud security hardening, MFA, audits, staff training, network segmentation, improved detection and response, strong password policies, and threat intelligence sharing.

MITRE Techniques

  • [T1110.001] Password Guessing – Used by SMBv1 crawler and RDP crawlers to exploit weak passwords. Quote: “…password guessing, password spraying, credential stuffing, and exploiting default or weak credentials.”
  • [T1110.003] Password Spraying – Part of the credential-access flow in crawlers to test common passwords across many accounts. Quote: “…password spraying, credential stuffing, and exploiting default or weak credentials.”
  • [T1110.004] Credential Stuffing – Reuse of breached credentials to gain access. Quote: “…password spraying, credential stuffing, and exploiting default or weak credentials.”
  • [T1078] Valid Accounts – Exploiting default or weak credentials to gain entry. Quote: “…exploiting default or weak credentials.”
  • [T1046] Network Service Discovery (formerly Network Service Scanning) – Port scanning to discover open services, including RDP on non-default ports, during the RDP Alt Port and other crawls. Quote: “Port scanning to find open ports.”
  • [T1595] Active Scanning – Automated web-page scanning to discover and index content. Quote: “Active Scanning – Automated scanning of web pages to discover and index content.”
  • [T1596] Search Open Websites/Domains – Gathering information from public-facing sites to identify weaknesses. Quote: “Search Open Websites/Domains – Gathering information from public-facing websites to find security weaknesses.”
  • [T1486] Data Encrypted for Impact – Listed as a possible follow-on impact (Bad Rabbit/Petya-style ransomware) rather than as activity observed in this campaign. Quote: “Data Encrypted for Impact – Encrypting data to make it unavailable to the target.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Listed for possible ransomware-like follow-on scenarios. Quote: “Command and Scripting Interpreter: Windows Command Shell – Executing malicious scripts and commands to spread ransomware.”
  • [T1090.002] Proxy: External Proxy – Mirai-style proxying of traffic through compromised devices to hide the true origin, consistent with the abuse of compromised Indian and Chinese hosts noted above. Quote: “Proxy: External Proxy – Using compromised devices to proxy traffic for hiding malicious activity.”
  • [T1003.002] OS Credential Dumping: Security Account Manager – Dumping local account hashes from the SAM after initial access. Quote: “OS Credential Dumping: Security Account Manager – Extracting credentials from the system to access sensitive information.”
  • [T1592.002] Gather Victim Host Information: Hardware – Collecting hardware configuration details of targets. Quote: “Gathering information about the hardware configuration of a victim’s system.”

Indicators of Compromise

  • [IP] Moscow-origin attack IPs – 91.240.118.73, 194.26.135.68 (targeting Haslev, Denmark and Edinburgh, UK); context: EU brute-force campaign origin and targets.
  • [IP] Additional attack IPs linked to Amsterdam/Brussels – 31.43.185.3, 80.66.76.121, 194.165.16.72; context: distribution across European targets including Denmark, UK, Lithuania, and Belgium.
  • [IP] 176.111.174.60 and 176.111.174.34 – Moscow-origin; targets Budapest and Törökbálint (Hungary); associated domain expcourier.ru; context: high-volume RDP brute-force activity tied to EU assets.
  • [IP] 185.234.216.136 – Moscow-origin; target Dublin; context: EU targets with expcourier.ru domain usage.
  • [Domain] changway.hk – associated with attack IPs; context: Chang Way Technologies Co. Limited hosting/delivery infrastructure.
  • [Domain] megaspacenet.com – linked to attack IPs; context: hosting/transfer infrastructure used in intrusions.
  • [Domain] expcourier.ru – associated with multiple Moscow-origin IPs; context: infrastructure used for access and movement.
  • [ASN] AS57523 – Chang Way Technologies Co. Limited; context: ISP infrastructure used for attack traffic.
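An added example, not code from the Cyware summary or from the Heimdal report it condenses: a small Python detector that groups Windows Security Event ID 4625 logon failures by source address, separates password guessing (many attempts against few accounts, T1110.001) from password spraying (one or two attempts each across many accounts, T1110.003), tags the channel from the Windows logon type (10 = RDP, 3 = network/SMB), and flags any source that appears in the IP list above. The pipe-separated record format, the thresholds, the internal 10.0.0.x hosts and every event record are constructed for illustration; in practice the same logic runs over 4625 events exported from the Security log or a SIEM.

```python
"""Added example: classify RDP/SMB logon failures as password guessing vs spraying
and flag source IPs that appear on the IoC list. Constructed data, not real telemetry."""
from collections import defaultdict
from ipaddress import ip_address

# Attack IPs exactly as listed in the Indicators of Compromise section above.
IOC_IPS = frozenset({
    "91.240.118.73", "194.26.135.68", "31.43.185.3", "80.66.76.121",
    "194.165.16.72", "176.111.174.60", "176.111.174.34", "185.234.216.136",
})

# Windows logon types relevant here: 10 = RemoteInteractive (RDP), 3 = Network (SMB and
# other network logons), 2 = Interactive (console). Anything else is reported as "other".
LOGON_CHANNEL = {10: "rdp", 3: "network/smb", 2: "interactive"}


def build_sample_log():
    """Constructed Event ID 4625 records flattened to 'timestamp|source_ip|target_user|logon_type'.
    Assumption: an exporter already pulled IpAddress, TargetUserName and LogonType from each event."""
    lines = []
    # Guessing: 20 RDP failures against one account from a listed Moscow-origin IP.
    for i in range(20):
        lines.append(f"2024-05-03T02:10:{i:02d}Z|176.111.174.60|administrator|10")
    # Spraying: a single RDP failure against each of 12 accounts from another listed IP.
    for i in range(12):
        lines.append(f"2024-05-03T02:11:{i:02d}Z|80.66.76.121|user{i:02d}|10")
    # SMB (logon type 3) failures alternating between two service accounts from an
    # internal host (hypothetical) that is not on the IoC list: still brute force, just unattributed.
    for i in range(10):
        user = "svc_backup" if i % 2 else "svc_sql"
        lines.append(f"2024-05-03T02:12:{i:02d}Z|10.0.0.5|{user}|3")
    # Benign noise: one user mistyping a password three times at the console.
    for i in range(3):
        lines.append(f"2024-05-03T02:13:{i:02d}Z|10.0.0.9|alice|2")
    return "\n".join(lines)


def parse_events(text):
    """Parse the flattened records; skip blank/comment lines and reject malformed IPs."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, user, logon_type = line.split("|")
        ip_address(src)  # raises ValueError on garbage: a parsing bug, not an alert
        events.append({"ts": ts, "src": src, "user": user.lower(), "logon_type": int(logon_type)})
    return events


def classify_sources(events, min_attempts=8, spray_ratio=0.5):
    """Per source IP: verdict, counts, channels seen, and whether it is on the IoC list.

    Guessing and spraying are both T1110; they differ in the shape of the failures.
    distinct_users / attempts near 1.0 means one try per account (spraying); near 0
    means hammering a few accounts (guessing). Credential stuffing looks like spraying
    in the logs and cannot be told apart without the submitted password values.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "types": set()})
    for e in events:
        s = per_src[e["src"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        s["types"].add(e["logon_type"])
    findings = {}
    for src, s in per_src.items():
        ratio = len(s["users"]) / s["attempts"]
        if s["attempts"] < min_attempts:
            verdict = "below_threshold"
        elif ratio >= spray_ratio:
            verdict = "password_spraying"   # T1110.003
        else:
            verdict = "password_guessing"   # T1110.001
        findings[src] = {
            "verdict": verdict,
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            "channels": sorted(LOGON_CHANNEL.get(t, "other") for t in s["types"]),
            "ioc_match": src in IOC_IPS,
        }
    return findings


def alerts(findings):
    """Sources worth an analyst's time: any brute-force verdict, or any IoC hit at all."""
    return sorted(src for src, f in findings.items()
                  if f["verdict"] != "below_threshold" or f["ioc_match"])


if __name__ == "__main__":
    results = classify_sources(parse_events(build_sample_log()))
    for src in alerts(results):
        f = results[src]
        print(f"{src:>16} {f['verdict']:<18} attempts={f['attempts']:<3} "
              f"users={f['distinct_users']:<3} via={','.join(f['channels'])} ioc={f['ioc_match']}")
```

The threshold of eight failures and the 0.5 user-to-attempt ratio are starting points, not tuned values; the page's "RDP alt port crawler" will still show up as logon type 10 because the port does not change the logon type, and an IoC hit below the attempt threshold is surfaced anyway so that a low-and-slow source on the list is not filtered out.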

Read more: https://heimdalsecurity.com/blog/russia-brute-force-attacks-europe