Hackers have been caught attempting to access Ukrainian government and military systems through a scheme built on malicious Remote Desktop Protocol (RDP) configuration files. Ukraine's cyber defenders have uncovered a carefully planned operation that began in August and appears intended for a broader geographic scope. The Computer Emergency Response Team of Ukraine (CERT-UA) has observed a surge in phishing emails aimed at critical sectors within Ukraine, with the attackers using RDP to gain unauthorized entry into systems.
The phishing lures disguise the RDP configuration files as Amazon and Microsoft services and entice victims with promises of integrating Zero Trust Architecture. Once a recipient opens the attached RDP configuration file, it establishes a connection to a remote server under the attackers' control.
The attack mechanism specifically exploits vulnerabilities within RDP, a commonly used tool for remote access in business settings. The malicious “.rdp” files serve as the entry point for threat actors, establishing an outbound connection to the attacker’s server once opened. This connection grants unauthorized access to various resources on the victim’s computer, including the execution of third-party programs and scripts.
Furthermore, the hackers are taking advantage of inadequately configured RDP settings on targeted machines to facilitate network infiltration and obtain access to sensitive information. The campaign’s infrastructure exhibits indications of extending beyond Ukraine, suggesting a global reach with preparations spanning multiple regions since August 2024. Organizations worldwide are advised to be vigilant as attackers use familiar themes like cloud services and zero-trust architecture to exploit vulnerabilities.
To mitigate the risks associated with rogue RDP files, organizations should implement a multi-layered defense. CERT-UA recommends blocking “.rdp” files at mail gateways, restricting RDP connections to trusted resources, and using Group Policy to disable resource redirection during RDP sessions. Security teams are urged to monitor network logs for suspicious outbound connections on port 3389, the default RDP port.
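One way to operationalise the mail-gateway advice above is to inspect .rdp attachments for the settings that hand local resources to the remote host. The script below is an added example, not CERT-UA's tooling; it assumes the standard `name:type:value` .rdp text format and a caller-supplied allowlist of trusted RDP hosts, and the sample file and host names are constructed placeholders.

```python
"""Flag .rdp attachments that redirect local resources to an untrusted host."""
from __future__ import annotations

# Example added to this article, not CERT-UA's code. Assumes the standard
# .rdp format (one "name:type:value" per line, type i or s) and an
# allowlist of trusted RDP hosts supplied by the caller.

# Settings that expose the victim's resources to the remote server when enabled.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v != "",        # maps local drives into the session
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",  # RemoteApp: remote host launches a program
}


def parse_rdp(text: str) -> dict[str, str]:
    """Parse .rdp lines into {name: value}; blank, comment and malformed lines are skipped."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)  # the value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue
        name, _typ, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def assess(settings: dict[str, str], trusted_hosts: set[str]) -> list[str]:
    """Return findings for a parsed .rdp file; an empty list means nothing suspicious."""
    findings: list[str] = []
    host = settings.get("full address", "").split(":")[0].lower()  # drop optional :port
    if host and host not in trusted_hosts:
        findings.append(f"untrusted host: {host}")
    for name, is_risky in RISKY_SETTINGS.items():
        if name in settings and is_risky(settings[name]):
            findings.append(f"{name}={settings[name]}")
    return findings


# Constructed sample resembling a rogue attachment; the host is a placeholder.
SAMPLE_RDP = """\
full address:s:rdp.placeholder.invalid:3389
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
"""

if __name__ == "__main__":
    for finding in assess(parse_rdp(SAMPLE_RDP), {"rdp.corp.internal"}):
        print(finding)
```

Run against quarantined attachments at the gateway; any non-empty result is a candidate for blocking and for correlating with outbound 3389 connections in network logs.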
CERT-UA tracks the activity as UAC-0215, indicating a potential association with a known campaign or actor group. While the specific motives behind these attacks remain unclear, the deliberate targeting of government agencies, industrial sectors, and military entities points to a coordinated effort typical of nation-state or advanced persistent threat (APT) actors.
CERT-UA has provided a list of Indicators of Compromise (IoCs) to aid in identifying potential threats, including file hashes and source IP addresses associated with the malicious activity. By staying informed and implementing recommended security measures, organizations can enhance their defenses against cyber threats exploiting RDP vulnerabilities.
