New Alert From CISA- Beware of Spear-Phishing Emails With Malicious RDP Files

CISA – Cybersecurity and Infrastructure Security Agency recently published an article alerting government and tech sectors of a new phishing email being circulated in the community. This is a large-scale spear-phishing campaign targeting various sectors, including government and IT. The attackers are posing as trusted entities and sending emails with malicious Remote Desktop Protocol (RDP) files. These files allow the attackers to access and control the target’s network, potentially deploying harmful code to maintain access. 

Attackers are sending spear-phishing emails with malicious RDP files. In order to access the RDP file, you are entering in your IP Address and Username and often saving the file on your desktop. Once these files are executed, attackers can access and control the network, leading to further malicious activities. Because the file remains on your desktop it can be accessed at anytime leading to stolen data.

Here are some actionable items to use in your business to prevent access to a hacker:

1. Restrict Outbound RDP Connections:
   • Block or significantly limit outbound RDP connections to external networks.
   • Implement firewalls with secure policies and access control lists.
2. Block RDP Files in Communication Platforms:
   • Prevent RDP files from being sent through email and webmail services.
   • Block the execution of RDP files by users.
3. Enable Multi-Factor Authentication (MFA):
   • Use MFA wherever possible to add an extra layer of security.
   • Avoid SMS-based MFA due to its vulnerability to SIM-jacking.
4. Adopt Phishing-Resistant Authentication Methods:
   • Deploy solutions like FIDO (Fast Identity Online) Authentication tokens to resist phishing attacks.
   • Implement Conditional Access Policies to ensure only authorized users access sensitive systems.
5. Deploy Endpoint Detection and Response (EDR):
   • Use EDR solutions to monitor and respond to suspicious activities and run reports frequently
   • Consider additional security measures like anti-phishing and antivirus solutions. And zero-trust applications and policies.
6. Conduct User Education:
   • Educate users on identifying and reporting phishing emails.
   • Promote awareness of simple tips to avoid phishing.
   • Create a safe reporting environment.
7. Hunt for Malicious Activity:
   • Use indicators from relevant articles to search for malicious activity within your network.
   • Check for unexpected or unauthorized outbound RDP connections over the past year.
     
     

Please report any suspicious activity immediately! Attitude IT urges users and administrators to remain vigilant against spear-phishing attempts, hunt for any malicious activity, report positive findings to Attitude IT, and review the following articles for more information:

• Recognize and Report Phishing: Avoid phishing with these simple tips
• Microsoft: Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
• AWS Security: Amazon identified internet domains abused by APT29
• The Centre for Cybersecurity Belgium: Warning: Government-themed Phishing with RDP Attachments
• Computer Emergency Response Team of Ukraine: RDP configuration files as a means of obtaining remote access to a computer or "Rogue RDP"

If you have any questions or need assistance, please do not hesitate to reach out to our team!