Cyber Security News

Hackers Using Weaponized RDP Setup Files to Attack Windows Servers

A new sophisticated phishing campaign targeting government agencies, industrial enterprises, and military units in Ukraine and potentially other countries has been uncovered.

The Computer Emergency Response Team of Ukraine (CERT-UA) issued an alert on October 22, 2024, warning of the mass distribution of malicious emails containing weaponized Remote Desktop Protocol (RDP) configuration files.

The phishing emails, disguised as communications about integrating Amazon and Microsoft services and implementing Zero Trust Architecture (ZTA), contain attached .rdp files.

When opened, these files establish an outgoing RDP connection to the attackers’ server, granting extensive access to the victim’s computer resources.


According to CERT-UA, the malicious RDP connections not only provide access to local disks, network resources, printers, and other devices but also create conditions for executing unauthorized programs or scripts on the compromised system.

This level of access poses a severe security risk to affected organizations.

Weaponized RDP Setup Files via Email

The campaign’s scope appears to extend beyond Ukraine, with security organizations in other countries reporting similar activities.

Analysis of associated domain names suggests that preparation for these cyberattacks began as early as August 2024, indicating a well-planned and potentially long-term operation.

To mitigate the threat, CERT-UA recommends several technical measures:

  1. Blocking .rdp files at the email gateway
  2. Preventing users from executing .rdp files (with necessary exceptions)
  3. Configuring firewalls to restrict RDP connections initiated by mstsc.exe to internet resources
  4. Implementing group policies to prohibit resource redirection via RDP

Security teams are advised to check network logs for interactions with this campaign’s identified IP addresses and domain names.

Additionally, CERT-UA suggests analyzing all outgoing network connections on port 3389/TCP for the current month to identify potential compromises.
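A screening check for .rdp attachments of the kind the alert describes, added here as an example (not CERT-UA's or the site's own tooling): it parses the plain-text .rdp format and reports which local resources the file would hand to the remote host and whether it points outside an allowlist, so a mail gateway or analyst can triage files before a user opens them. The setting names are standard mstsc.exe ones; which ones to flag, the allowlist and the two sample files are my own choices and constructed data (placeholder hostnames, not indicators from the campaign).

```python
# Screen an .rdp attachment for the resource redirection CERT-UA warns about.
# .rdp files are plain text, one "name:type:value" setting per line (s=string, i=int).
REDIRECTION_KEYS = {            # setting name -> what it exposes to the remote server
    "drivestoredirect": "local disks",
    "devicestoredirect": "plug-and-play devices",
    "redirectprinters": "printers",
    "redirectclipboard": "clipboard",
    "redirectsmartcards": "smart cards",
}
# Settings that let the remote side choose a program to start on connect.
LAUNCH_KEYS = ("remoteapplicationmode", "remoteapplicationprogram", "alternate shell")

def parse_rdp(text):
    """Return {setting: value} from .rdp text; malformed lines are skipped, as mstsc does."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i"):
            settings[parts[0].lower()] = parts[2].strip()
    return settings

def assess_rdp(text, allowed_hosts=frozenset()):
    """Return a list of findings; an empty list means nothing policy-relevant was found."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "").split(":")[0]   # hostname/IPv4, optional :port dropped
    if host and host.lower() not in allowed_hosts:
        findings.append(f"connects to non-allowlisted host {host}")
    for key, exposed in REDIRECTION_KEYS.items():
        val = s.get(key, "")
        if val not in ("", "0"):        # "*" = everything, "1" = on, "C:\" = that drive
            findings.append(f"redirects {exposed} ({key}={val})")
    for key in LAUNCH_KEYS:
        val = s.get(key, "")
        if val not in ("", "0"):
            findings.append(f"remote side starts a program ({key}={val})")
    return findings

# Constructed samples: an internal jump host with redirection off, and a file shaped
# like the campaign's (external host, everything redirected). Hosts are placeholders.
BENIGN_RDP = "full address:s:jump01.corp.example:3389\ndrivestoredirect:s:\nredirectprinters:i:0\n"
SUSPECT_RDP = (
    "full address:s:rdp.attacker.invalid:3389\n"
    "drivestoredirect:s:*\ndevicestoredirect:s:*\nredirectprinters:i:1\n"
    "redirectclipboard:i:1\nremoteapplicationmode:i:1\n"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_RDP), ("suspect", SUSPECT_RDP)):
        print(name, assess_rdp(body, allowed_hosts={"jump01.corp.example"}) or ["no findings"])
```

The same parser can be pointed at files quarantined by the gateway (mitigation 1) or at .rdp files found on endpoints when reviewing the month's outbound 3389/TCP connections.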

This attack highlights the ongoing risks associated with RDP, a protocol that cybercriminals have increasingly exploited, especially since the rise of remote work.

Organizations are urged to review their remote access policies and implement strong security measures to protect against such sophisticated phishing attempts.

As the threat landscape continues to evolve, cybersecurity experts emphasize the importance of user education, robust email filtering, and comprehensive network monitoring to defend against these types of attacks.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
