

December 19, 2024
Severity
High
Analysis Summary
Cyberattacks using malicious Remote Desktop Protocol (RDP) configuration files have been observed repurposing a legitimate red-teaming technique; the activity is attributed to the Russia-affiliated APT29 threat actor. The campaign uses a "rogue RDP" approach first described in 2022 and has targeted governments, armed forces, think tanks, academic researchers, and Ukrainian companies.
A victim who opens such a file gives the attacker partial control of their computer, which can lead to malware installation and data leaks. The researchers said that preparations for the campaign began as early as August 7-8, 2024, and that they track the threat group under the name Earth Koshchei. In October, Microsoft, Amazon Web Services (AWS), and the Computer Emergency Response Team of Ukraine (CERT-UA) also reported on the RDP campaigns.
The spear-phishing emails carried a malicious RDP configuration file as an attachment; when a recipient opened it, their computer connected to an attacker-controlled RDP server through one of the group's 193 RDP relays. An estimated 200 high-profile victims were targeted in a single day, which shows the scale of the attack.
To reduce the chance of detection, the attackers place PyRDP, an open-source Python-based "Monster-in-the-Middle (MitM) tool and library", in front of the actual adversary-controlled RDP server. When the victim opens the RDP file (nicknamed HUSTLECON) from the email message, their machine starts an outbound RDP connection to the PyRDP relay, which then forwards the session to the malicious server.

Once the connection is established, the rogue server imitates a genuine RDP server and uses the session to perform several harmful tasks. One of the main attack vectors is running malicious scripts or changing system settings on the victim's computer. Through the PyRDP proxy, the attacker can also access the victim's systems, manipulate files, and deliver malicious payloads. At the end of the attack, the threat actor uses the compromised RDP session to exfiltrate credentials and other confidential information through the proxy.
What is noteworthy about this attack is that the threat actors can operate covertly: data collection is enabled by a rogue configuration file rather than by installing any custom software on the victim's machine. Also notable is the use of anonymization layers: TOR exit nodes to manage the RDP servers, and residential proxy providers and commercial VPN services to access the legitimate mail servers used to deliver the spear-phishing emails.
Tools such as PyRDP strengthen the attack by making it possible to intercept and modify RDP connections. PyRDP makes data exfiltration easy: it automatically crawls the shared drives that the victim has redirected into the session and saves their contents locally on the attacker's machine. Over time, APT29's espionage operations have employed a variety of techniques. Besides closely tracking both new and old vulnerabilities that help them gain initial access, they also study the techniques and tools that red teams create.
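The attack above hinges on the victim opening an RDP configuration file whose settings point at a relay and redirect local drives into the session. The following triage script is an added example, not code from the advisory or from PyRDP: it parses the plain-text .rdp format (one name:type:value setting per line, using standard Microsoft RDP file property names) and flags a remote host outside an allow-list together with any resource-redirection settings. The allow-list, the sample attachment and its hostname are constructed placeholders.

```python
import re

# Hostnames an organisation actually expects RDP clients to reach
# (constructed placeholder, not from the advisory).
ALLOWED_RDP_HOSTS = {"rds.corp.example"}

# Settings that expose local resources to the remote server; the advisory
# describes the relay crawling drives the victim has redirected.
RISKY_SETTINGS = {
    "drivestoredirect": "local drives are shared with the remote server",
    "redirectclipboard": "clipboard is shared with the remote server",
    "redirectprinters": "printers are shared with the remote server",
    "redirectsmartcards": "smart cards are exposed to the remote server",
}

# One setting per line: name:type:value, type is s (string), i (int) or b (binary).
LINE_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


def parse_rdp(text: str) -> dict:
    """Parse .rdp text into a dict keyed by lowercase setting name."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # blank lines and non-setting lines are ignored
            settings[m["name"].strip().lower()] = m["value"].strip()
    return settings


def triage_rdp(text: str, allowed_hosts=ALLOWED_RDP_HOSTS) -> list:
    """Return findings for one .rdp file; an empty list means nothing flagged."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "").rsplit(":", 1)[0].lower()  # strip :port
    if host and host not in allowed_hosts:
        findings.append(f"connects to unexpected host {host!r}")
    for name, why in RISKY_SETTINGS.items():
        value = s.get(name, "")
        if value not in ("", "0"):  # absent or 0 means the redirection is off
            findings.append(f"{name}={value}: {why}")
    return findings


# Constructed sample resembling a malicious attachment (host is a placeholder).
SAMPLE = """\
full address:s:rdp.attacker-placeholder.example:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:0
"""
```

Run `triage_rdp(open(path).read())` on quarantined .rdp attachments to see which settings would hand the relay access to local resources.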
Impact
- Unauthorized Access
- Information Exposure
- File Manipulation
- Data Exfiltration
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that may have been exploited by APT29. Also, prioritize patching known exploited vulnerabilities and zero-days.
- Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
- Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.