CISA: Foreign Threat Actor Conducting Large-Scale Spear-Phishing Campaign with RDP Attachments

CISA has received multiple reports of a large-scale spear-phishing campaign targeting organizations in several sectors, including government and information technology (IT). The foreign threat actor, often posing as a trusted entity, is sending spear-phishing emails containing malicious remote desktop protocol (RDP) files to targeted organizations to connect to and access files stored on the target’s network. Once access has been gained, the threat actor may pursue additional activity, such as deploying malicious code to achieve persistent access to the target’s network. 

CISA, government, and industry partners are coordinating, responding, and assessing the impact of this campaign. CISA urges organizations to take proactive measures:

•  Restrict Outbound RDP Connections:
  • It is strongly advised that organizations forbid or significantly restrict outbound RDP connections to external or public networks. This measure is crucial for minimizing exposure to potential cyber threats.
  • Implement a Firewall along with secure policies and access control lists.
• Block RDP Files in Communication Platforms:
  • Organizations should prohibit RDP files from being transmitted through email clients and webmail services. This step helps prevent the accidental execution of malicious RDP configurations.
• Prevent Execution of RDP Files: 
  • Implement controls to block the execution of RDP files by users. This precaution is vital in reducing the risk of exploitation.
• Enable Multi-Factor Authentication (MFA):
  • Multi-factor authentication must be enabled wherever feasible to provide an essential layer of security for remote access.
  • Avoid SMS MFA whenever possible.
• Adopt Phishing-Resistant Authentication Methods:
  • Organizations are encouraged to deploy phishing-resistant authentication solutions, such as FIDO tokens. It is important to avoid SMS-based MFA, as it can be vulnerable to SIM-jacking attacks.
• Implement Conditional Access Policies:
  • Establish Conditional Access Authentication Strength to mandate the use of phishing-resistant authentication methods. This ensures that only authorized users can access sensitive systems.
• Deploy Endpoint Detection and Response (EDR):
  • Organizations should implement Endpoint Detection and Response (EDR) solutions to continuously monitor for and respond to suspicious activities within the network.
• Consider Additional Security Solutions:
  • In conjunction with EDR, organizations should evaluate the deployment of antiphishing and antivirus solutions to bolster their defenses against emerging threats.
• Conduct User Education:
  • Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails.
  • Recognize and Report Phishing: Avoid phishing with these simple tips.
• Hunt For Activity Using Referenced Indicators and TTPs:
  • Utilize all indicators that are released in relevant articles and reporting to search for possible malicious activity within your organization’s network.
  • Search for unexpected and/or unauthorized outbound RDP connections within the last year.

CISA urges users and administrators to remain vigilant against spear-phishing attempts, hunt for any malicious activity, report positive findings to CISA, and review the following articles for more information:

• Microsoft: Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
• AWS Security: Amazon identified internet domains abused by APT29
• The Centre for Cybersecurity Belgium: Warning: Government-themed Phishing with RDP Attachments
• Computer Emergency Response Team of Ukraine: RDP configuration files as a means of obtaining remote access to a computer or “Rogue RDP”