Introduction
On October 22, 2024, Ukraine’s national cybersecurity team, CERT-UA, issued a critical alert regarding a widespread phishing campaign targeting governmental bodies, key industrial sectors, and military organizations. The campaign’s attackers are exploiting interest in “integration” with major service providers such as Amazon and Microsoft, as well as Zero Trust Architecture (ZTA) principles, to lure recipients into opening malicious email attachments.
Overview of the Attack
Emails masquerading as official documents or integration notices from reputable platforms, including Amazon and Microsoft, carry Remote Desktop Protocol (RDP) configuration files (.rdp) as attachments. These attachments, when opened, connect victims’ devices to a malicious server, allowing attackers remote access to sensitive resources on the victims’ computers.
The RDP files are configured to automatically establish a direct connection to the attacker’s server, potentially granting access not only to files, network shares, printers, and COM ports but also to more sensitive areas such as audio devices and the clipboard. This exposure creates the ideal conditions for attackers to inject unauthorized software or scripts into the victim’s system.
International Scope and Preparation Timeline
CERT-UA notes that this threat appears to be part of a broader international campaign, and similar patterns have been observed by cybersecurity agencies in other countries. Based on domain-related intelligence, CERT-UA suspects that the attackers began establishing their attack infrastructure as early as August 2024, indicating meticulous planning.
However, CERT-UA advises caution with regard to the IP addresses and domain names associated with these attacks, acknowledging that some indicators may not directly relate to this specific incident.
Mitigation Measures
To reduce the risk of exposure and protect systems from such RDP-based attacks, CERT-UA has recommended several proactive security measures:
- Email Gateway Protections: Implement blocking for “.rdp” files at the email gateway to prevent such files from reaching end-users.
- User Restrictions on RDP Files: Disable user permissions to open “.rdp” files unless exceptions are granted for specific, approved applications.
- Firewall Adjustments for RDP Connections: Restrict RDP clients (particularly mstsc.exe) from establishing connections to internet-based hosts.
- Group Policy Configurations: Enforce group policy settings to block device and resource redirection in RDP sessions, preventing access to local computer resources via RDP.
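To support the gateway and redirection controls above, the following added example (not CERT-UA's code) audits a quarantined .rdp attachment for a non-internal target and for the resource redirection the alert describes. The internal network list and the sample file are assumptions constructed for illustration.

```python
import ipaddress
# Documented .rdp properties that expose the local resources the alert lists.
REDIRECT_KEYS = {
    "drivestoredirect": "drives and network shares",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectclipboard": "clipboard",
    "audiocapturemode": "audio capture",
}
# Assumption: these ranges stand in for "internal"; substitute your own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_rdp(raw: bytes) -> dict:
    """Parse 'name:type:value' lines; .rdp files are often UTF-16 with a BOM."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

def host_is_external(address: str) -> bool:
    # Strip an optional ":port" suffix from an IPv4 address or hostname.
    host = address.split(":")[0] if address.count(":") == 1 else address
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname or unparsed form: review against an allowlist
    return not any(ip in net for net in INTERNAL_NETS)

def audit_rdp(raw: bytes) -> list:
    """Flag explicit settings only; absent keys fall back to client defaults."""
    settings, findings = parse_rdp(raw), []
    target = settings.get("full address", "")
    if target and host_is_external(target):
        findings.append(f"connects to non-internal host: {target}")
    for key, label in REDIRECT_KEYS.items():
        value = settings.get(key, "")
        if value not in ("", "0"):
            findings.append(f"redirects {label} ({key}={value})")
    return findings

# Constructed sample, not a file from the campaign; 203.0.113.10 is a documentation address.
SAMPLE = ("full address:s:203.0.113.10:3389\r\ndrivestoredirect:s:*\r\n"
          "redirectclipboard:i:1\r\nredirectprinters:i:0\r\n").encode("utf-16")
```

Calling `audit_rdp(SAMPLE)` returns one finding for the external target and one each for the drive and clipboard redirection; a file pointing at an internal address with redirection disabled returns an empty list.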
Incident Monitoring and Analysis Recommendations
CERT-UA emphasizes the importance of monitoring network interaction logs, particularly focusing on IP addresses and domain names associated with these recent threats. Analysts should examine network logs for the entire month to assess the legitimacy of all outbound connections to IP addresses over port 3389/tcp, commonly used for RDP traffic.
Tracking and Reporting
The specific identifier for this attack, UAC-0215, will be used to continue tracking and studying this campaign as it evolves. Organizations are encouraged to report any related incidents or indicators to CERT-UA for further investigation.
Conclusion
The recent CERT-UA alert underscores the need for organizations to adopt multi-layered defenses and closely monitor for suspicious activity, particularly as cybercriminals continue to use sophisticated techniques to compromise critical infrastructure. By implementing CERT-UA’s recommended controls and staying informed on evolving threat patterns, organizations can significantly reduce their exposure to these types of cyber threats.