Russia’s Foreign Intelligence Service (SVR), code named APT 29, has been observed leveraging a well-known penetration testing technique to compromise an estimated 200 victims, including governments, armed forces, think tanks, academic researchers, and Ukrainian entities.
The attack involves the delivery of a spearphishing email with an attached malicious Remote Desktop Protocol (RDP) configuration file, dubbed ‘Hustlecon’. When the victim opens this file, an outbound RDP connection is established to APT 29’s infrastructure, which can then gain control of the victim’s machine and ultimately exfiltrate data, including sensitive proprietary data and credentials, from the victim.
To help mask its malicious activity, APT 29 is using an open-source Python-based project called PyRDP as a proxy between the victim and APT 29’s actual RDP server. Researchers believe that APT 29 has deployed at least 193 of these PyRDP proxies, making it difficult for network defenders to block all the malicious traffic associated with this campaign.
Source: The Hacker News
Analysis
The abuse of RDP is a popular attack vector among nation-state and criminal cyber actors alike. Many of the ransomware cases that Field Effect’s Professional Services team helps mitigate begin with the threat actor infiltrating the network through RDP on an exposed endpoint.
APT 29’s abuse of RDP is noteworthy as it doesn’t require any malware to successfully extract data. Although in this case it facilitated malicious activity, an RDP configuration file on its own is legitimate and may not be flagged by a victim’s anti-virus software. Additionally, APT 29 takes time to ensure its spearphishing emails look professional and appear as if they are coming from legitimate senders, making them more likely to fool a prospective target.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for advanced persistent threats like APT 29. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these threats pose.
Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect encourages all organizations at risk of Russian cyber activities to block RDP connections unless there is a legitimate business need for them. Furthermore, organizations should review the U.S. Cybersecurity & Infrastructure Security Agency (CISA) Shields Up program, which provides robust guidance for preparing for, responding to, and mitigating the impacts of Russian state-sponsored cyberattacks.