2024-12-26 18:14:51 Pacfic
Earth Koshchei RDP Attacks Exploit Red Team - 8d
Earth Koshchei, also known as APT29 and Midnight Blizzard, has launched a sophisticated cyber espionage campaign exploiting Remote Desktop Protocol (RDP) servers. The threat actor employs a "rogue RDP" technique, utilizing malicious RDP configuration files delivered through spear-phishing emails. These files redirect victims’ connections through a network of 193 RDP relays, masking their traffic with VPNs, TOR, and residential proxies. This methodology, which repurposes legitimate red team tools, targets government agencies, military organizations, think tanks, academic researchers, and Ukrainian entities, allowing for potential data exfiltration and malware installation.
Trend Micro researchers highlighted that this attack does not require malware installation, relying on exploiting native RDP features. Victims unwittingly grant partial control of their machines to the attackers, who can then deploy malicious scripts, alter system settings, and exfiltrate sensitive data via a PyRDP proxy. The attacker's infrastructure included over 200 registered domain names and 34 rogue RDP servers, many of which mimicked legitimate organizations, adding to the deceptive nature of the attack. This campaign, which saw a peak on October 22nd, underscores the increasing sophistication of cyber threats and the need for robust security measures to defend against such attacks.
ImgSrc: blogger.googleusercontent.com
References:
- Cyber Security News - Earth Koshchei executed a sophisticated RDP attack involving spear-phishing emails with malicious RDP configuration files, which files redirected victims’ systems to 193 RDP relays, masking their tr - 8d
- GBHackers Security - A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought rogue Remote Desktop Protocol (RDP) attacks to the forefront of cybersecurity concerns. - 8d
- @VirusBulletin - Trend Micro researchers describe how Earth Koshchei's remote desktop protocol (RDP) campaign used an attack methodology involving an RDP relay, rogue RDP server, and a malicious RDP configuration file - 8d
- The Hacker News - The Russia-linked APT29 threat actor has been observed repurposing a legitimate red teaming attack methodology as part of cyber attacks leveraging malicious Remote Desktop Protocol (RDP) configuration - 8d
- Trend Micro Research, News and Perspectives - Trend Micro researchers describe how Earth Koshchei's remote desktop protocol (RDP) campaign used an attack methodology involving an RDP relay, rogue RDP server, and a malicious RDP configuration file - 8d
- Security Affairs - Russia-linked APT29 group uses malicious RDP configuration files, adapting red teaming methods for cyberattacks to compromise systems. - 7d
Classification:
- HashTags: RDP APT29 EarthKoshchei
- Company: Trend Micro
- Target: Governments, Armed forces, Think tanks, Academic researchers, Ukrainian entities
- Attacker: Earth Koshchei
- Product: RDP
- Feature: RDP exploitation
- Type: Espionage
- Severity: Major