CyberSecurity SEE

Sophisticated Phishing Attack Targets Ukraine Military Sectors

A targeted phishing campaign attributed to the threat actor UAC-0215 has been uncovered by CERT-UA, the Computer Emergency Response Team of Ukraine. It aimed at Ukrainian government agencies, key industrial enterprises and military entities. The phishing emails were themed around integrating Amazon and Microsoft services and implementing a Zero Trust Architecture (ZTA), and carried malicious .rdp attachments. Opening one launches the Windows Remote Desktop client and connects the device, outbound, to a server controlled by the attackers.

Because the .rdp file also enables resource redirection, the established session gives the attacker's server access to a wide range of the victim's local resources, including local drives and other devices exposed through the session, which poses a severe threat to the targeted infrastructure. CERT-UA detected the campaign in late October 2024 and assesses that preparation likely began in August 2024; it has classified the operation as a high-risk phishing campaign against Ukraine's critical infrastructure, including government bodies, manufacturers and military entities.

UAC-0215 disguised the malicious RDP files as legitimate documents. Because the connection is initiated by the victim's own machine, it passes through egress filtering that permits outbound traffic and never trips the inbound RDP controls most networks rely on; once established, it exposes sensitive information and operational processes to the attacker. The threat extends beyond Ukraine, since the technique works against any organization whose users can open .rdp attachments, and it adds to the recent run of cyber incidents targeting the country.
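As an added example (not from the article or from CERT-UA), the following PowerShell triages an .rdp attachment offline and flags the settings that hand local resources to the remote host. The sample file, its hostname and the RemoteApp name are constructed placeholders, not indicators from the campaign; the risk thresholds are an assumption.

```powershell
# Added example: parse an .rdp file (lines of the form "name:type:value",
# where type is s=string, i=integer, b=binary) and report settings that
# redirect local resources to the remote server. Not the article's code.
function Get-RdpRiskReport {
    param([Parameter(Mandatory)][string[]]$Lines)

    $settings = @{}
    foreach ($line in $Lines) {
        # The value itself may contain ':' (e.g. "full address:s:host:3389"),
        # so only the first two separators are structural.
        if ($line -match '^(?<name>[^:]+):(?<type>[sib]):(?<value>.*)$') {
            $settings[$matches['name'].ToLower()] = $matches['value']
        }
    }

    $findings = @()
    # Integer flags that expose the clipboard, printers, smart cards, COM ports,
    # point-of-sale devices, WebAuthn prompts and location to the remote host.
    $redirectFlags = 'redirectclipboard', 'redirectprinters', 'redirectsmartcards',
                     'redirectcomports', 'redirectposdevices', 'redirectwebauthn',
                     'redirectlocation'
    foreach ($flag in $redirectFlags) {
        if ($settings[$flag] -eq '1') { $findings += "$flag enabled" }
    }
    # "*" redirects every local drive; a list such as "C:;D:" redirects those.
    if ($settings['drivestoredirect']) {
        $findings += "drive redirection: $($settings['drivestoredirect'])"
    }
    if ($settings['devicestoredirect']) {
        $findings += "device redirection: $($settings['devicestoredirect'])"
    }
    # RemoteApp mode shows a single window instead of a full desktop, which
    # makes a malicious session look like an ordinary application.
    if ($settings['remoteapplicationmode'] -eq '1') {
        $findings += 'RemoteApp mode (hides the full remote desktop)'
    }

    [pscustomobject]@{
        Target   = $settings['full address']
        Findings = $findings
        # Assumed thresholds: two or more findings is High, one is Medium.
        Risk     = $(if ($findings.Count -ge 2) { 'High' }
                     elseif ($findings.Count -eq 1) { 'Medium' }
                     else { 'Low' })
    }
}

# Constructed sample resembling a malicious attachment (placeholder values only).
$sample = @'
full address:s:rdp.example.invalid:3389
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
drivestoredirect:s:*
remoteapplicationmode:i:1
remoteapplicationname:s:Zero Trust Integration Check
'@ -split "`r?`n"

Get-RdpRiskReport -Lines $sample | Format-List
# To triage a real attachment: Get-RdpRiskReport -Lines (Get-Content .\attachment.rdp)
```

Run it against a quarantined attachment with `Get-Content`; a file that both points at a non-corporate address and enables drive or clipboard redirection should be treated as hostile regardless of how the email was worded.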

To counter UAC-0215, organizations are advised to block .rdp attachments at the mail gateway and to prevent users from launching .rdp files, for example by restricting execution of that file type or allowing only .rdp files signed by a trusted publisher to open. This limits both the delivery of malicious configurations and the unauthorized access they enable. On endpoints, use Group Policy to disable resource redirection (drives, clipboard, printers, smart cards) in RDP sessions, and add a Windows Firewall rule that blocks outbound connections from mstsc.exe to external IP addresses, so that an .rdp file that does get opened cannot reach attacker infrastructure. Finally, review firewall, proxy and endpoint logs for mstsc.exe connections to non-corporate addresses across the campaign window, which began in August 2024.
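The endpoint side of those recommendations, as an added PowerShell example that is not from the article, CERT-UA or Microsoft: it sets the Remote Desktop Connection Client policy values that refuse unsigned .rdp files and forbid saved passwords, then adds a Windows Firewall block for mstsc.exe toward public address space. The internal ranges (RFC 1918 only), the rule names and the commented mail-gateway rule are assumptions to adjust for your environment.

```powershell
# Added example, not from the original page: harden a Windows endpoint against
# malicious .rdp attachments. Run elevated on a test host before deploying.
#Requires -RunAsAdministrator

# 1. Remote Desktop Connection Client policy. These are the registry values
#    behind the GPOs "Allow .rdp files from unknown publishers" (Disabled) and
#    "Do not allow passwords to be saved" (Enabled) under Computer Configuration
#    > Administrative Templates > Windows Components > Remote Desktop Services
#    > Remote Desktop Connection Client.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $tsPolicy -Force | Out-Null
Set-ItemProperty -Path $tsPolicy -Name 'AllowUnsignedFiles'    -Value 0 -Type DWord
Set-ItemProperty -Path $tsPolicy -Name 'DisablePasswordSaving' -Value 1 -Type DWord

# 2. Windows Firewall: mstsc.exe may only reach internal address space.
#    Block rules take precedence over allow rules, so the block enumerates
#    public ranges and leaves 10/8, 172.16/12 and 192.168/16 reachable.
#    Assumption: those are your internal ranges; carve out any public VPN
#    or bastion addresses your users legitimately RDP to.
$publicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)
$clients = "$env:SystemRoot\System32\mstsc.exe", "$env:SystemRoot\SysWOW64\mstsc.exe" |
    Where-Object { Test-Path $_ }
foreach ($exe in $clients) {
    $ruleName = "Block outbound to public addresses: $exe"   # assumed naming
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Program $exe `
            -RemoteAddress $publicRanges -Action Block -Profile Any | Out-Null
    }
}

# 3. Verify what was applied.
Get-ItemProperty -Path $tsPolicy -Name AllowUnsignedFiles, DisablePasswordSaving
Get-NetFirewallRule -DisplayName 'Block outbound to public addresses: *' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# 4. Mail gateway (Exchange Online). Needs the ExchangeOnlineManagement module
#    and an admin session from Connect-ExchangeOnline, so it is left commented.
# New-TransportRule -Name 'Reject .rdp attachments' `
#     -AttachmentExtensionMatchesWords 'rdp' `
#     -RejectMessageReasonText 'RDP configuration files are not accepted by email.'
```

The firewall block is the control that defeats this campaign even when the mail filter misses an attachment: the .rdp file still opens, but the outbound session to the attacker's server never completes. Deploy the registry values through Group Policy rather than a script in production so they are enforced and re-applied.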

Given the severity of UAC-0215's campaign, organizations should pair these preventive controls with detection: alert on mstsc.exe being launched by a mail client or from a file in a downloads or temporary folder, and on any outbound connection from mstsc.exe to a non-corporate address. Detecting and responding to such sessions quickly is what prevents redirected drives and credentials from reaching the attacker, and it protects critical infrastructure against the next variant of the same lure.
