Skip to main content

Foreign Threat Actor Conducting Large-Scale Spear-Phishing Campaign with RDP Attachments

CISA has received multiple reports of a large-scale spear-phishing campaign targeting organizations in several sectors, including government and information technology (IT). The foreign threat actor, often posing as a trusted entity, is sending spear-phishing emails containing malicious remote desktop protocol (RDP) files to targeted organizations to connect to and access files stored on the target’s network. Once access has been gained, the threat actor may pursue additional activity, such as deploying malicious code to achieve persistent access to the target’s network. 

CISA, government, and industry partners are coordinating, responding, and assessing the impact of this campaign. CISA urges organizations to take proactive measures:

  •  Restrict Outbound RDP Connections:
    • It is strongly advised that organizations forbid or significantly restrict outbound RDP connections to external or public networks. This measure is crucial for minimizing exposure to potential cyber threats.
    • Implement a Firewall along with secure policies and access control lists.
  • Block RDP Files in Communication Platforms:
    • Organizations should prohibit RDP files from being transmitted through email clients and webmail services. This step helps prevent the accidental execution of malicious RDP configurations.
  • Prevent Execution of RDP Files: 
    • Implement controls to block the execution of RDP files by users. This precaution is vital in reducing the risk of exploitation.
  • Enable Multi-Factor Authentication (MFA):
    • Multi-factor authentication must be enabled wherever feasible to provide an essential layer of security for remote access.
    • Avoid SMS MFA whenever possible.
  • Adopt Phishing-Resistant Authentication Methods:
    • Organizations are encouraged to deploy phishing-resistant authentication solutions, such as FIDO tokens. It is important to avoid SMS-based MFA, as it can be vulnerable to SIM-jacking attacks.
  • Implement Conditional Access Policies:
    • Establish Conditional Access Authentication Strength to mandate the use of phishing-resistant authentication methods. This ensures that only authorized users can access sensitive systems.
  • Deploy Endpoint Detection and Response (EDR):
    • Organizations should implement Endpoint Detection and Response (EDR) solutions to continuously monitor for and respond to suspicious activities within the network.
  • Consider Additional Security Solutions:
    • In conjunction with EDR, organizations should evaluate the deployment of antiphishing and antivirus solutions to bolster their defenses against emerging threats.
  • Conduct User Education:
    • Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails.
    • Recognize and Report Phishing: Avoid phishing with these simple tips.
  • Hunt For Activity Using Referenced Indicators and TTPs:
    • Utilize all indicators that are released in relevant articles and reporting to search for possible malicious activity within your organization’s network.
    • Search for unexpected and/or unauthorized outbound RDP connections within the last year.

CISA urges users and administrators to remain vigilant against spear-phishing attempts, hunt for any malicious activity, report positive findings to CISA, and review the following articles for more information:

About

Kenya Education Network CERT(KENET-CERT) is a Cybersecurity Emergency Response Team and Co-ordination Center operated by the National Research and Education Network of Kenya. KENET-CERT coordination center promotes awareness on cybersecurity incidences as well as coordinates and assists member institutions in responding effectively to cyber security threats and incidences. KENET-CERT works closely with Kenya's National CIRT coordination center (CIRT/CC) as a sector CIRT for the academic institutions. KENET promotes use of ICT in Teaching, Learning and Research in Higher Education Institutions in Kenya. KENET aims to interconnect all the Universities, Tertiary and Research Institutions in Kenya by setting up a cost effective and sustainable private network with high speed access to the global Internet. KENET also facilitates electronic communication among students and faculties in member institutions, share learning and teaching resources by collaboration in Research and Development of Educational content.