23 October 2024

Hackers target Ukraine with malicious emails disguised as Amazon and Microsoft integration

The Ukrainian Computer Emergency Response Team (CERT-UA) has detected a large-scale phishing campaign targeting government bodies, key industrial enterprises, and military formations in Ukraine. The emails, masked as official communications related to “integration” with Amazon and Microsoft services, and promoting Zero Trust Architecture (ZTA) initiatives, have been part of a broader cyberattack campaign tracked under the identifier UAC-0215.

According to CERT-UA, the emails carry malicious attachments, specifically Remote Desktop Protocol configuration files (".rdp" files). When opened, these files establish a direct RDP connection to servers controlled by the attackers. Once connected, the malicious servers gain access not only to the victim's local disks, network resources, printers, COM ports, audio devices, and clipboard, but also potentially obtain the technical conditions for executing additional tools or scripts on the victim's machine.

The attack's wide geographic scope has been confirmed by cybersecurity organizations in other countries, suggesting that the cyber infrastructure for this campaign has been in preparation since at least August 2024, CERT-UA said.

An analysis of associated domain names and IP addresses revealed indicators of compromise, although CERT-UA warns that some listed IP addresses and domains may not be directly related to this specific incident.

To mitigate the risks of similar attacks, CERT-UA advises organizations to implement the following technical measures:

  • Block ".rdp" files at the email gateway.

  • Restrict users' ability to execute ".rdp" files, with exceptions only for authorized use.

  • Configure firewalls to block Remote Desktop connections (mstsc.exe) to external network resources.

  • Apply group policy settings to disable resource redirection during RDP sessions ("Remote Desktop Services" -> "Remote Desktop Session Host" -> "Device and Resource Redirection" -> "Do not allow...").
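The email-gateway and execution controls above depend on recognizing what a hostile ".rdp" file asks for. The following triage script is an added example, not CERT-UA's tooling or part of the advisory: it parses the standard `name:type:value` directives that mstsc.exe reads, flags a connection target outside an allow-list, and flags every redirection directive (drives, clipboard, printers, COM ports, audio capture, RemoteApp mode) that would give the remote server the access described in the advisory. The sample files and the allowed host name are constructed for the example.

```python
"""Triage .rdp attachments for hostile connection targets and resource redirection."""
import codecs

# Standard mstsc.exe directives that expose local resources to the remote host.
# Each entry maps a directive name to a predicate that is true when the setting is risky.
REDIRECTION_KEYS = {
    "drivestoredirect": lambda v: v.strip() != "",      # any value redirects drives ("*" = all)
    "redirectclipboard": lambda v: v.strip() == "1",
    "redirectprinters": lambda v: v.strip() == "1",
    "redirectcomports": lambda v: v.strip() == "1",
    "redirectsmartcards": lambda v: v.strip() == "1",
    "audiocapturemode": lambda v: v.strip() == "1",
    "remoteapplicationmode": lambda v: v.strip() == "1",  # RemoteApp hides the remote desktop
}


def decode_rdp(data: bytes) -> str:
    """mstsc.exe often saves .rdp files as UTF-16 with a BOM; fall back to UTF-8."""
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines into a dict keyed by lower-cased directive name."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)          # value may itself contain ':' (e.g. host:port)
        if len(parts) != 3:
            continue
        name, _type, value = parts
        settings[name.strip().lower()] = value
    return settings


def assess_rdp(text: str, allowed_hosts=()) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    settings = parse_rdp(text)
    findings = []
    target = settings.get("full address", "").strip()
    host = target.rsplit(":", 1)[0] if target else ""   # strip an optional ':port' suffix
    allowed = {h.lower() for h in allowed_hosts}
    if not target:
        findings.append("no 'full address' directive")
    elif host.lower() not in allowed:
        findings.append(f"connects to unapproved host {target}")
    for key, risky in REDIRECTION_KEYS.items():
        if key in settings and risky(settings[key]):
            findings.append(f"{key} enabled ({settings[key]})")
    return findings


# Constructed samples (not real indicators): one hostile-looking file, one benign corporate file.
SAMPLE_MALICIOUS = """\
full address:s:rdp.constructed-example.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
audiomode:i:0
remoteapplicationmode:i:1
"""

SAMPLE_BENIGN = """\
full address:s:ts01.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
"""

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, assess_rdp(sample, allowed_hosts=["ts01.corp.example"]))
```

Run at the gateway, a non-empty result is a reason to quarantine the attachment; on an endpoint, the same check can back an "authorized use only" exception list by keeping `allowed_hosts` equal to the organization's own terminal servers.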

Additionally, CERT-UA recommends organizations review their network logs for any signs of suspicious activity involving the listed IP addresses and domains, especially focusing on outbound connections over port 3389/tcp. Any unexplained connections should be thoroughly investigated to determine potential compromises.
