October 26, 2024 at 12:25AM
The Computer Emergency Response Team of Ukraine (CERT-UA) warns of a malicious email campaign targeting government and military bodies, linked to the Russian hacking group APT29. These emails use fake AWS domains to deploy Remote Desktop Protocol files for unauthorized access. CERT-UA also reports multiple ongoing cyber threats against Ukraine.
### Meeting Takeaways – Cyber Attack / Threat Intelligence
**Date:** October 26, 2024
**Presenter:** Ravie Lakshmanan
1. **New Malicious Email Campaign:**
– The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a campaign targeting government agencies, enterprises, and military entities through deceptive emails.
– Emails exploit popular services (e.g., Amazon, Microsoft) to trick users into executing Remote Desktop Protocol (RDP) configuration files.
2. **Threat Actor Involvement:**
– The campaign is attributed to the threat actor UAC-0215, associated with the Russian hacking group APT29.
– CERT-UA reported that infrastructure preparation for the attack began in August 2024 and is expected to expand beyond Ukraine.
3. **Details of the Attack:**
– If executed, RDP files allow threat actors remote access to compromised devices for data theft and malware installation.
– Amazon Web Services (AWS) connected the campaign to APT29 and took action to seize relevant malicious domain names.
4. **Impersonated Domains:**
– Domains used to mislead targets included variations that mimic AWS domains, such as:
– ca-west-1.mfa-gov[.]cloud
– aws-ukraine.cloud
– s3-fbi[.]cloud
– AWS clarified that they were not the targets, but rather, the goal was to obtain Windows credentials via Microsoft Remote Desktop.
5. **Additional Threat Alerts:**
– CERT-UA warned of a separate campaign (UAC-0218) involving phishing emails that deliver a harmful RAR archive containing HOMESTEEL malware, aimed at exfiltrating sensitive files.
– A ClickFix-style attack was also reported, where malicious links lead users to execute a PowerShell script for data theft.
6. **Background Context:**
– Recent attacks against Ukraine are part of a broader series of cyber offensives by Russian intelligence agencies, which have previously targeted Georgia’s infrastructure from 2017 to 2020.
7. **Recommendations:**
– Awareness of phishing schemes is critical; vigilance with email attachments and links is essential to safeguard sensitive information.
– Organizations should implement a robust cybersecurity framework, including a zero-trust architecture to mitigate such threats.
For more information and updates, follow us on Twitter and LinkedIn.