
Russian APT Hackers Launch RDP Attacks On High-Value Victims

by Wajahat Raja

December 30, 2024 - TuxCare expert team

As per recent media reports, Russian APT hackers have been observed using remote desktop protocol (RDP) files to target high-value victims. Experts claim that a red teaming attack methodology has been repurposed to carry out these cyberattacks. In this article, we’ll dive into the details of the red teaming methodology, the cyberattacks, and the mitigation protocols that can be used for reducing risk exposure. Let’s begin! 

Russian APT Hackers Attack: Initial Discovery 

Experts at Trend Micro, a cybersecurity firm, believe that an advanced persistent threat (APT) group, which they track as Earth Koshchei, used a rogue remote desktop protocol (RDP) attack technique against various targets. They believe the malicious initiative likely occurred in October 2024.

It’s worth noting that the Russian APT hackers affiliated with the attack are also known as APT29 and Midnight Blizzard. The rogue RDP technique used by the threat actors is fundamentally based on an RDP relay, a rogue RDP server, and malicious configuration files. Hackers who succeed with the technique can gain partial control over the victims’ machines.

The maliciously acquired control is then exploited for data theft, data leakage, and malware installation. Trend Micro experts have noted that the Russian APT hackers reached the peak of their operations on October 22. At that time, spear-phishing emails were sent to various high-value targets, including:

  • Think tanks.
  • Government and armed forces. 
  • Academic researchers.
  • Other Ukrainian targets.

Before diving into the details of the attacks and the targets, it’s worth noting that the emails the Russian APT hackers sent were designed to deceive recipients into opening a rogue RDP configuration file. This file, when opened, would instruct the target computer to try to connect to a foreign RDP server using relays the hackers had established.

While modern organizations do have security measures in place to block outgoing RDP connections, the Russian APT hackers would likely succeed with the initiative in cases where targets were working from low-security home office environments. Providing further insights, experts have stated that: 

“In the attack setup, it is also possible to use a non-standard port for the RDP relay, thus avoiding firewall rules. We believe that the spear-phishing email wave was preceded by earlier, very targeted and barely audible campaigns that ended abruptly with a final loud bang on October 22.”

The preparation for this Russian APT hackers’ attack campaign likely began between August 7th and August 8th. It’s believed that on these dates the hackers began registering domains with names suggesting they were to be used in an attack.

While a majority of these domains suggested key targets to be ones with relations to the Australian and Ukrainian governments, the last of them was meant to target an organization having ties with the Ministry of Foreign Affairs of the Netherlands. 

Red Teaming And Targeted RDP Attacks 

Those looking to ensure protection should understand that red teaming provides the tools and testing methodologies organizations need to strengthen their cybersecurity measures. Online criminals like the Russian APT threat actors pay close attention to the security protocols being developed so that they can manipulate them for malicious use.

These security techniques can include protocols limiting outgoing RDP connections. After investigation, experts believed that one of the RDP configuration files was sent to an academic researcher in Europe and its specified remote contact was “eu-south-2-aws[.]zero-trust[.]solutions.”

While the hostname of the file indicates a genuine Amazon Web Services (AWS) server, it is believed that the server was controlled by the Russian APT hackers. Providing further insights about the file, security experts have stated that:  

“The configuration redirects all local drives, printers, COM ports, smart cards, and clipboards, allowing remote access to the victim’s local machine. Obviously, this can be exploited for data exfiltration. After a successful connection is established, a remote application called AWS Secure Storage Connection Stability Test v24091285697854 is executed.”
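The settings quoted above live as plain "key:type:value" lines inside the .rdp file. As an added example (not code from the original article or from Trend Micro), the following Python parses such a file and flags the redirection, external-host, non-standard-port, and RemoteApp auto-launch settings a defender would want to catch before a user opens it; the sample file and its hostname are constructed.

```python
"""Flag the .rdp settings abused in the rogue-RDP technique quoted above.
Added example for this article, not Trend Micro's or TuxCare's code. The sample
file and hostname are constructed; .rdp files are often UTF-16LE, so decode first."""
import re

# Resource-redirection settings whose listed values expose the local machine.
RISKY = {"drivestoredirect": "*", "redirectprinters": "1", "redirectcomports": "1",
         "redirectsmartcards": "1", "redirectclipboard": "1"}


def parse_rdp(text):
    """Parse 'key:type:value' lines (type s, i or b) into a lower-cased dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([sib]):(.*?)\s*$", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3)
    return settings


def assess(text, trusted_hosts=()):
    """Return human-readable findings; an empty list means nothing flagged."""
    s = parse_rdp(text)
    findings = []
    host, _, port = s.get("full address", "").partition(":")  # host[:port]
    port = port or s.get("server port", "3389")
    if host and host.lower() not in {h.lower() for h in trusted_hosts}:
        findings.append(f"connects to untrusted host {host}")
    if port != "3389":
        findings.append(f"non-standard RDP port {port} (may sidestep egress rules)")
    for key, bad in RISKY.items():
        if s.get(key) == bad:
            findings.append(f"{key}={bad}")
    if s.get("remoteapplicationmode") == "1":  # a RemoteApp runs right after connect
        findings.append(f"RemoteApp launch: {s.get('remoteapplicationname', '?')}")
    return findings


# Constructed sample modelled on the configuration described in the article.
SAMPLE_RDP = """\
full address:s:rdp-relay.example.invalid
drivestoredirect:s:*
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
"""
```

Running assess(SAMPLE_RDP) against an allow-list of your own RDP gateways returns one finding per risky setting, which can feed a mail-gateway or endpoint check for .rdp attachments.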

RDP Attack Sequence

It’s worth mentioning here that Trend Micro stated that when the analysis was conducted, the remote servers were down and the actions that were to be executed by the remote application could not be checked. Such attacks are initiated when the rogue file begins to establish a connection with a foreign server. From this point, the attack proceeds as follows:  

Stage 1: Intercepting the connection

In this stage of the attack, the Russian APT hackers use PyRDP, which acts as a man-in-the-middle (MITM) proxy that intercepts the connection request. During the interception, the victim’s connection request is relayed to a hacker-controlled server.

Such a technique allows the hackers to pose as a legitimate entity, which helps them hijack the session. It also gives online criminals like the Russian APT hackers complete visibility and control over all communications between the victim and the RDP environment.

Stage 2: Session exploitation

Once the rogue connection has been established, the primary attack vector deploys malicious scripts or alters system settings. While these actions are carried out, the rogue server mimics the behavior of a legitimate one.

In addition, the PyRDP proxy helps the Russian APT hackers gain access to the victims’ files. Other actions hackers can perform include:

  • Browsing directories.
  • Reading or modifying files.
  • Injecting malicious payloads.

Stage 3: Data exfiltration

In the final stage of the attack, the hackers resort to data exfiltration. During this malicious activity, the compromised session is used to extract various types of data, which may include:

  • Passwords.
  • Configuration files.
  • Proprietary data.

PyRDP, initially used to intercept the connection, ensures that acts such as data exfiltration and command execution are carried out without alerting the victim.

For such attacks, online criminals such as the Russian APT hackers could use tools like RogueRDP, which automate the creation of RDP files and facilitate the initiation of compromised sessions.


Such an attack technique emphasizes the dangers associated with using MITM in RDP environments and is a stark reminder that organizations must deploy robust security measures. 

Attack Timeline And Targeted High-Value Victims 

As far as the attack timeline is concerned, cybersecurity experts believe that the Russian APT hackers had set up over 200 malicious domains. Out of these, 193 are believed to have been utilized in the RDP campaign. 

In addition, the domain names were set up in batches and on weekdays. Providing further insights pertaining to the domains, experts stated that: 

“In August 2024, the registered domain names suggested targeting against governments and military in Europe, US, Japan, Ukraine and Australia. At the end of this month, domain names were registered that look to be related to cloud providers and IT companies. Then, in September 2024, there were batches of domain names that appeared to be based on several think [tanks] and non-profit organizations. There were also several domain names related to online virtual platforms like Zoom, Google Meet, and Microsoft Teams.” 

In addition, experts believe that the backend rogue RDP servers most likely used in the attacks were set up from September 26th to October 20th and were used for data exfiltration from October 18th to 21st. Reports claim that the targets of these particular attacks were in the military and that one of the targets was a cloud provider.

Given the severe consequences of such attacks, security experts recommend that organizations strictly limit or eliminate outbound RDP connections to untrusted servers. In addition, sending RDP configuration files via email is also a practice that should be prohibited to mitigate risk and ensure protection. 

Conclusion 

The Russian APT hackers’ exploitation of rogue RDP files highlights the urgent need for robust cybersecurity measures. Organizations must enforce strict outbound RDP restrictions, monitor server connections, and educate teams on phishing tactics. By staying proactive, potential victims can limit these sophisticated attacks and safeguard their critical data and operations.

The sources for this piece include articles in The Hacker News and Trend Micro.
