CERT-UA Identifies Malicious RDP Files in Latest Attack on Ukrainian Entities
CERT-UA's alert deserves attention because of the sophistication of the phishing campaign, which uses RDP configuration files to compromise the systems of targeted victims. Here is a detailed breakdown of what makes this particular attack so potent and how to mitigate it:
Key Details of the Attack
Disguised Malicious Emails: The phishing emails were crafted to look like legitimate business correspondence about integrating popular services such as Amazon and Microsoft, or about implementing advanced security measures such as Zero Trust Architecture. This lends the emails enough credibility that recipients open the attachments.
Weaponized RDP Configuration Files: Attached to these emails are malicious .rdp files. Remote Desktop Protocol (RDP) files are normally used to configure and launch a connection to a remote desktop session. When an .rdp file is "weaponized", it carries preset settings so that, once opened, an RDP session is automatically established from the victim's computer to the attacker's server.
Access and Resource Control: When the victim opens the .rdp file, it initiates a connection to the attacker-controlled server. That connection grants the attacker extensive control over the machine's resources, which could allow them to:
- Steal sensitive information
- Install more malware
- Access internal network resources
- Run remote commands
How Attackers Bypass Detection
This phishing method works because it leverages a widely trusted protocol (RDP) and a file type (.rdp) that older antivirus systems may not immediately flag. By name-dropping platforms like Amazon and Microsoft and invoking ZTA, the attackers also exploit users' inherent trust in these brands.
Mitigation and Defense Strategy
Improved User Awareness and Training: Organization-wide training should teach staff to be suspicious of unsolicited emails, particularly those carrying attachments about security updates, integrations, or configurations. The training should cover:
- How to recognize phishing emails that impersonate IT communications
- Common phishing file types, such as .rdp, .doc, and .exe
- Not opening suspicious attachments or links
Email Security Considerations: Employ email filtering solutions that scan attachments for suspicious configurations. Block, by default, emails containing executable files.
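As an added example (not code from CERT-UA's alert or from any product), here is a small Python triage script for the attachment scanning recommended above: it parses the plain-text `key:type:value` format of an .rdp file and flags the settings that would auto-connect to an unapproved server and hand local resources to it, as described under Weaponized RDP Configuration Files. The list of risky settings, the `trusted_hosts` allow-list and the sample file are this example's own assumptions and constructed data.

```python
import re
# Settings a weaponized file would set to reach back into the victim's machine.
# Which values count as risky is this example's assumption, not a CERT-UA indicator.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",   # local drives shared to the server
    "redirectclipboard": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",     # RemoteApp mode hides the desktop
    "prompt for credentials": lambda v: v == "0",
    "authentication level": lambda v: v == "0",      # server certificate not verified
}
# An .rdp file is plain text, one "key:type:value" setting per line (type i, s or b).
LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[isb]):(?P<value>.*)$")

def parse_rdp(text):
    """Parse settings into a dict keyed by lowercase name; malformed lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            settings[m.group("key").strip().lower()] = m.group("value")
    return settings

def assess_rdp(text, trusted_hosts=()):
    """Return (findings, server). trusted_hosts: names or domain suffixes the
    organisation really uses for remote desktop; any other 'full address' is flagged."""
    settings = parse_rdp(text)
    findings = []
    # 'full address' may carry a port; strip it (bare IPv6 literals are not handled).
    server = settings.get("full address", "").rsplit(":", 1)[0].strip().lower()
    if server and not any(server == h or server.endswith("." + h) for h in trusted_hosts):
        findings.append(f"connects to unapproved server {server}")
    for key, is_risky in RISKY_SETTINGS.items():
        if key in settings and is_risky(settings[key]):
            findings.append(f"{key}={settings[key]!r}")
    return findings, server

# Constructed sample in the shape the alert describes; the hostname is a placeholder.
SAMPLE = """\
full address:s:rdp.attacker-placeholder.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
prompt for credentials:i:0
authentication level:i:0
"""
if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE, trusted_hosts=("corp.example",))[0]:
        print("FLAG:", finding)
```

A mail gateway can run `assess_rdp` on every .rdp attachment and quarantine the message when any finding is returned, while files that only point at an allow-listed server with no resource redirection pass through.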
Limit and Monitor RDP Access: Because RDP is a common target for attackers:
- Limit RDP access to only the users who need it.
- Allow RDP access only from an approved list of IP addresses.
- Consider VPNs or remote access solutions that add stronger security protocols.
Enable Multi-Factor Authentication: MFA makes it much harder for attackers to get further even once they have managed to initiate an RDP session.
Network Traffic Monitoring: Set up alerts to identify suspicious outbound RDP connections, especially those made outside working hours or to unknown IP addresses.
Regular Software Updating and Patching: Keep systems and software up to date so attackers cannot exploit an unpatched vulnerability in RDP or related services.
An organization that follows these strategies can reduce the risk from this kind of phishing to a minimum and strengthen its defenses against similar tactics.