“Rogue RDP” Attack Detection: UAC-0215 Leverages RDP Configuration Files to Gain Remote Access to Ukrainian Public Sector Computers

Adversaries frequently exploit remote management tools in their offensive campaigns, like the Remote Utilities software, which has been leveraged in cyber attacks against Ukraine, including those linked to the nefarious UAC-0050 actors. CERT-UA has issued a new alert warning defenders about an ongoing phishing email campaign against government agencies and defense sector organizations, with malicious attachments containing the Remote Desktop Protocol (RDP) configuration links as a means of gaining remote access to the targeted networks. The related adversary activity is linked to the UAC-0215 hacking group and is likely to expand its geographical scope beyond Ukraine. 

Detect “Rogue RDP” Attacks by UAC-0215 Covered in the CERT-UA#11690 Alert

Adversaries constantly improve their offensive tactics testing new malicious approaches against Ukraine and its allies. With the scope and sophistication of attacks constantly increasing, cyber defenders should be equipped with curated detection content to address potential intrusions at the earliest stages. SOC Prime Platform for collective cyber defense equips security teams with an extensive detection stack to thwart cyber attacks covered in CERT-UA alerts.

Click Explore Detections to reach the dedicated collection of Sigma rules mapped to the MITRE ATT&CK® framework, enriched with tailored intelligence, and convertible to 30+ SIEM, EDR, and Data Lake language formats. 

Explore Detections

In addition, cyber defenders can rely on Uncoder AI to instantly hunt for file, network, or host IOCs related to the UAC-0050 and UAC-0006 activity provided in the CERT-UA#11690 alert. Paste IOCs to Uncoder AI and automatically convert them into performance-optimized hunting queries ready to run in the chosen environment.

Uncoder AI for IOC conversion

“Rogue RDP” Attack Analysis 

On October 22, 2024, the CERT-UA team received information regarding the mass distribution of phishing emails among government authorities, key industrial enterprises, and military units covered in the latest CERT-UA#11690 alert. These emails involved lure topics, such as “integration” with Amazon and Microsoft services and the implementation of “Zero Trust Architecture” (ZTA).

The above-mentioned phishing emails contained configuration files with the .rdp extension as attachments. When executed, these files initiated an outbound RDP connection to the adversary server. Based on the parameters of the RDP file, the established RDP connection can not only grant access to local disks, network resources, printers, COM ports, audio devices, and the clipboard but also potentially create technical conditions for launching third-party software or scripts on the compromised computer.

CERT-UA researchers assume the current malicious activity attributed to the UAC-0215 hacking group spans a wide geographical range, based on information from related organizations in other countries.

The research indicates that the infrastructure for the ongoing adversary operation has been under preparation since at least August 2024. To mitigate the risks of “Rogue RDP” attacks, CERT-UA suggests measures such as blocking “.rdp” files at the email gateway, restricting users from launching these files, configuring firewalls to limit mstsc.exe from making RDP connections to Internet resources, and setting group policies to disable resource redirection via RDP.

By relying on SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection, global enterprises across diverse industry verticals can efficiently combat modern-day cybersecurity hurdles and reduce the attack surface with the team and security tools they have. 

MITRE ATT&CK Context

Leveraging MITRE ATT&CK gains in-depth insight into the context of the ongoing malicious campaign tracked under the UAC-0215 identifier and covered in the CERT-UA#11690 alert. Explore the table below to reach a complete list of dedicated Sigma rules that correspond to the relevant ATT&CK tactics, techniques, and sub-techniques.

The post “Rogue RDP” Attack Detection: UAC-0215 Leverages RDP Configuration Files to Gain Remote Access to Ukrainian Public Sector Computers appeared first on SOC Prime.