Threat Awareness – APT Conducts Large-Scale Spear-Phishing Campaign with RDP Attachments

Created: Tuesday, November 5, 2024 - 14:12
Categories:
Cybersecurity, Federal & State Resources, Security Preparedness

Last week, Microsoft warned of a spear-phishing threat by the Russian state-backed threat group known as Midnight Blizzard or APT29. “Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors,” reads Microsoft’s threat blog. Microsoft describes the campaign as large-scale and notes that the emails carry RDP configuration file attachments.

On Thursday last week, CISA warned of the same threat and, like Microsoft, included mitigations and suggestions to help strengthen defenses. WaterISAC is sharing this for member awareness of active threats by pro-Russia threat actors, who have targeted water utilities in recent months as highlighted in WaterISAC’s Quarterly Incident Report for Q1 2024. See recommended mitigations below. For more information, access CISA.

Recommended mitigations:

Restrict Outbound RDP Connections:

  • Forbid or significantly restrict outbound RDP connections to external or public networks. This measure is crucial for minimizing exposure to potential cyber threats.
  • Implement a Firewall along with secure policies and access control lists.

Block RDP Files in Communication Platforms:

  • Prohibit RDP files from being transmitted through email clients and webmail services. This step helps prevent the accidental execution of malicious RDP configurations.

Prevent Execution of RDP Files:

  • Implement controls to block the execution of RDP files by users. This precaution is vital in reducing the risk of exploitation.
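The two mitigations above (blocking RDP files in mail and blocking their execution) both come down to inspecting the attachment before a user can open it. The following is an added example, not code from WaterISAC, CISA or Microsoft: a small triage routine that parses an .rdp file in Microsoft's standard text format (one `name:type:value` setting per line, where the type is `s`, `i` or `b`), checks whether the target is outside the organisation's own address space (`INTERNAL_NETS` is a placeholder for your ranges) and whether the file redirects local drives, clipboard, printers, smart cards or other resources to the remote host. The sample file `SAMPLE_RDP` is constructed; the verdict is `block` when an external target is combined with resource redirection, which is the malicious configuration pattern the advisory describes.

```python
"""Triage an .rdp attachment before a user can open it.

Added example for this advisory; it is not WaterISAC's, CISA's or
Microsoft's code. It assumes the standard .rdp text format (one
"name:type:value" setting per line, where type is s, i or b) and a
constructed sample file. INTERNAL_NETS is a placeholder for your own
address space.
"""
import ipaddress
from typing import Dict, List, Tuple

# Placeholder for the organisation's own ranges (RFC 1918 + loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Settings that hand local resources to the remote host. Each check
# returns True when the setting is enabled in the file.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v != "",        # local drives mapped to the remote host
    "devicestoredirect": lambda v: v != "",       # plug-and-play devices
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",     # smart card exposed to the remote host
    "redirectcomports": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",  # RemoteApp hides the full desktop from the user
}

# Constructed sample: connects to an external address and maps every drive.
SAMPLE_RDP = """\
full address:s:203.0.113.10:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:0
authentication level:i:0
prompt for credentials:i:0
"""


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines into {lowercase name: value}."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def is_internal_host(host: str) -> bool:
    """True only for an IP literal inside INTERNAL_NETS. Hostnames are
    treated as external because the file alone cannot prove otherwise."""
    if host.count(":") == 1:  # strip a trailing :port from an IPv4 address
        host = host.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def assess_rdp_file(text: str) -> Tuple[str, List[str]]:
    """Return ('block' | 'review' | 'allow', findings) for an .rdp file."""
    settings = parse_rdp(text)
    findings: List[str] = []
    target = settings.get("full address", "")
    external = not is_internal_host(target)
    if external:
        findings.append(f"full address points outside the organisation: {target or '<missing>'}")
    redirections = [f"{name}={settings[name]}"
                    for name, enabled in RISKY_SETTINGS.items()
                    if name in settings and enabled(settings[name])]
    findings.extend(redirections)
    if external and redirections:
        verdict = "block"   # external host plus local resources: the campaign's pattern
    elif external or redirections:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = assess_rdp_file(SAMPLE_RDP)
    print(verdict)
    for finding in findings:
        print("  -", finding)
```

The same routine can run at the mail gateway (to quarantine the attachment) and in an endpoint control that wraps the RDP client (to refuse execution), so one policy covers both bullets. Note that the hunt deliberately avoids the `ipaddress` module's `is_private` property, which also classifies documentation ranges such as 203.0.113.0/24 as private; an explicit list of your own networks is what a defender actually wants.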

Enable Multi-Factor Authentication (MFA):

  • Enable MFA wherever feasible to provide an essential layer of security for remote access.
  • Avoid SMS MFA whenever possible.

Adopt Phishing-Resistant Authentication Methods:

  • Deploy phishing-resistant authentication solutions, such as FIDO tokens. It is important to avoid SMS-based MFA, as it can be vulnerable to SIM-jacking attacks.

Implement Conditional Access Policies:

  • Establish Conditional Access Authentication Strength to mandate the use of phishing-resistant authentication methods. This ensures that only authorized users can access sensitive systems.

Deploy Endpoint Detection and Response (EDR):

  • Implement Endpoint Detection and Response (EDR) solutions to continuously monitor for and respond to suspicious activities within the network.

Consider Additional Security Solutions:

  • Evaluate, in conjunction with EDR, the deployment of anti-phishing and antivirus solutions to bolster your defenses against emerging threats.

Conduct User Education:

  • Have a user education program that highlights how to identify and report suspicious emails. Robust user education can help mitigate the threat of social engineering and phishing emails.
  • Recognize and Report Phishing: Avoid phishing with these simple tips.

Hunt For Activity Using Referenced Indicators and TTPs:

  • Utilize all indicators that are released in relevant articles and reporting to search for possible malicious activity within your organization’s network.
  • Search for unexpected and/or unauthorized outbound RDP connections within the last year.
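The last bullet, and the earlier recommendation to restrict outbound RDP, both need a way to find internal hosts that connected (or tried to connect) to external RDP servers. The following is an added example, not WaterISAC's or CISA's code: a hunt over firewall export lines in a generic `key=value` format (the `SAMPLE_LOGS` lines are constructed; `parse_line()` is the part to adapt to your own firewall's format), flagging internal-to-external connections on port 3389 over TCP or UDP within a configurable window that defaults to the one-year look-back the advisory recommends. `INTERNAL_NETS` and `HUNT_DATE` are placeholders.

```python
"""Hunt for outbound RDP connections in firewall logs.

Added example for this advisory; not WaterISAC's or CISA's code. It
assumes a generic key=value firewall export (the SAMPLE_LOGS lines are
constructed; adapt parse_line() to your firewall's format) and a
placeholder INTERNAL_NETS for the organisation's own address space.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RDP_PORTS = {3389}  # RDP uses TCP 3389 and, since RDP 8, UDP 3389 as well
HUNT_DATE = datetime(2024, 11, 5)  # constructed date the hunt is run from

# Constructed sample log. The 2023 line is older than the one-year window.
SAMPLE_LOGS = """\
ts=2024-10-23T09:14:02Z action=allow proto=tcp src=10.20.5.17 dst=203.0.113.45 dport=3389 user=jdoe
ts=2024-10-23T09:14:09Z action=allow proto=tcp src=10.20.5.17 dst=10.20.1.10 dport=3389 user=jdoe
ts=2024-10-24T11:02:51Z action=deny proto=tcp src=10.20.7.3 dst=198.51.100.8 dport=3389 user=asmith
ts=2024-10-24T11:03:00Z action=allow proto=tcp src=10.20.7.3 dst=198.51.100.8 dport=443 user=asmith
ts=2023-01-15T08:00:00Z action=allow proto=tcp src=10.20.9.9 dst=203.0.113.99 dport=3389 user=retired
ts=2024-10-25T16:40:12Z action=allow proto=udp src=10.20.5.17 dst=203.0.113.45 dport=3389 user=jdoe
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_internal(ip_str: str) -> bool:
    """True for an IP literal inside INTERNAL_NETS; anything else is external."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def hunt_outbound_rdp(log_text: str, now: datetime,
                      window: timedelta = timedelta(days=365)) -> List[Dict[str, str]]:
    """Return records for internal -> external RDP within the window.

    Denied connections are kept on purpose: a blocked attempt still shows
    that a host tried to reach an external RDP server, which is exactly the
    sign that someone opened an .rdp attachment."""
    cutoff = now - window
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        try:
            ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
            dport = int(fields["dport"])
            src, dst = fields["src"], fields["dst"]
        except (KeyError, ValueError):
            continue  # malformed or incomplete record
        if ts < cutoff or dport not in RDP_PORTS:
            continue
        if fields.get("proto", "").lower() not in ("tcp", "udp"):
            continue
        if is_internal(src) and not is_internal(dst):
            hits.append(fields)
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per internal source host; that host is the pivot for EDR follow-up."""
    return dict(Counter(h["src"] for h in hits))


if __name__ == "__main__":
    results = hunt_outbound_rdp(SAMPLE_LOGS, HUNT_DATE)
    for h in results:
        print(h["ts"], h["action"], h["proto"], h["src"], "->", h["dst"], h.get("user", ""))
    print(summarize_by_source(results))
```

Run against the sample, the hunt returns three records (two from one workstation, one of them over UDP, plus one denied attempt from a second host) and ignores the internal-to-internal RDP session, the HTTPS connection and the record outside the look-back window. The per-source summary is the list of endpoints to pull EDR telemetry for.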