A large-scale spear-phishing campaign led by a foreign adversary is targeting government and IT sector systems, the Cybersecurity and Infrastructure Security Agency (CISA) warned in an Oct. 31 alert.
Stating that it has received multiple reports of the spear-phishing campaign, CISA said that a foreign threat actor has been posing as a trusted entity to send emails containing malicious remote desktop protocol (RDP) files – used to connect to remote desktops – to “targeted organizations” to access files stored on targets’ networks. CISA warned that upon gaining access, the threat actor can deploy malicious code to “achieve persistent access” to a target’s network.
“CISA, government, and industry partners are coordinating, responding, and assessing the impact of this campaign,” the agency said.
Spear-phishing targets specific organizations or people by using fake but convincing messages tailored with information of interest to the target to steal sensitive data or gain system access.
CISA recommended that public and private sector organizations do 10 things to protect themselves, including restricting outgoing RDP connections, and enabling multi-factor authentication where feasible.
In addition to restricting outbound RDP, CISA said that RDP files should be blocked from transmission over email services, which helps prevent the accidental execution of malicious RDP configurations. The same goal can be served by implementing controls that block users from executing RDP files, the agency continued.
Other steps CISA recommends for organizations and government entities include deploying phishing-resistant authentication solutions, implementing conditional access authentication strength, deploying endpoint detection and response for continuous monitoring, and evaluating additional security measures such as anti-phishing and antivirus solutions.
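As an added illustration of the attachment-screening step above (this is example code, not CISA's tooling or part of the alert), the following Python script parses an .rdp attachment and reports what a defender most wants to know: which host it connects to, and whether it enables drive, clipboard, printer or smart-card redirection or RemoteApp launch. The setting names are the standard Remote Desktop client settings; the trusted-host list, the two sample files and the choice of which settings to flag are this example's own assumptions.

```python
"""Triage a .rdp email attachment before it reaches a user.

Added example, not CISA's own tooling. An .rdp file is plain text, one
``name:type:value`` setting per line (type ``s`` = string, ``i`` = integer).
The setting names below are standard Remote Desktop client settings; treating
them as "risky" is this script's own policy, and the trusted-host allowlist
is an assumption a deployment would replace with its own.
"""
from typing import Dict, List, Set, Tuple

# Settings that give the remote host reach into the local machine: drive,
# clipboard and device redirection, or RemoteApp launch of a program.
RISKY_SETTINGS = {
    "drivestoredirect": "local drives redirected to the remote host (file access)",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "local printers redirected",
    "redirectsmartcards": "smart cards redirected (credential exposure)",
    "remoteapplicationmode": "RemoteApp mode: a program runs instead of a desktop",
}


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse name:type:value lines into {name: (type, value)}; malformed lines are skipped."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # do not crash on junk inside an attachment
        name, typ, value = (p.strip() for p in parts)
        settings[name.lower()] = (typ, value)
    return settings


def setting_enabled(typ: str, value: str) -> bool:
    """Integer settings count as enabled when non-zero; string settings when non-empty."""
    if typ == "i":
        try:
            return int(value) != 0
        except ValueError:
            return True  # a non-numeric integer field is itself a red flag
    return value != ""


def target_host(settings: Dict[str, Tuple[str, str]]) -> str:
    """Return the 'full address' host with any explicit :port stripped (IPv4/hostnames)."""
    addr = settings.get("full address", ("s", ""))[1]
    host, sep, port = addr.rpartition(":")
    return host if sep and port.isdigit() else addr


def triage_rdp(text: str, trusted_hosts: Set[str]) -> List[str]:
    """Return human-readable findings for an .rdp file; an empty list means nothing flagged."""
    settings = parse_rdp(text)
    findings: List[str] = []
    host = target_host(settings)
    if not host:
        findings.append("no 'full address' setting: cannot tell where it connects")
    elif host.lower() not in trusted_hosts:
        findings.append(f"connects to untrusted host {host}")
    for name, why in RISKY_SETTINGS.items():
        if name in settings and setting_enabled(*settings[name]):
            findings.append(f"{name}={settings[name][1]}: {why}")
    return findings


# Constructed sample: the shape a lure attachment could take (documentation IP range).
SUSPICIOUS_RDP = """\
full address:s:203.0.113.10:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
prompt for credentials:i:0
"""

# Constructed sample: an ordinary file pointing at an approved internal gateway.
BENIGN_RDP = """\
full address:s:rdp.corp.example
redirectclipboard:i:0
"""

TRUSTED = {"rdp.corp.example"}  # assumed allowlist of approved RDP gateways

if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(label, triage_rdp(body, TRUSTED) or "clean")
```

A mail gateway that cannot simply block the .rdp extension outright could run this kind of check and quarantine any attachment that produces findings; the same parser also serves an analyst triaging a reported message.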
Educating users on how to identify and report suspicious emails is also important, CISA said, noting that “robust user education can help mitigate the threat of social engineering and phishing emails.”
Users and administrators can hunt for malicious activity using “all indicators that are released in relevant articles and reporting,” and should search for unexpected and unauthorized outbound RDP connections within the last year.
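The hunt for unexpected outbound RDP connections can be scripted against firewall logs. The following Python is an added example, not part of the alert: it assumes a constructed log line format (timestamp, action, protocol, source -> destination), a one-year lookback and RDP on its default port 3389, and reports allowed TCP connections to that port whose destination lies outside the RFC 1918 internal ranges and is not on an allowlist. Real firewalls log in other formats and RDP can be served on other ports, so the regex and port constant are the parts a deployment would adapt.

```python
"""Hunt firewall logs for unexpected outbound RDP connections.

Added example, not from the CISA alert. Assumes a constructed log line format
``<ISO timestamp> <ALLOW|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>``;
a real deployment would swap in the parser for its own firewall's format.
RDP is assumed to be on its default port 3389.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
RDP_PORT = "3389"

# RFC 1918 ranges: RDP that stays inside these is ordinary internal traffic.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internal(addr: str) -> bool:
    """True when the address falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def hunt_outbound_rdp(log_text: str, now: datetime, lookback_days: int = 365,
                      allowlist: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for allowed TCP/3389 connections that leave the
    internal ranges within the lookback window and are not on the allowlist."""
    cutoff = now - timedelta(days=lookback_days)
    allowed = set(allowlist)
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the hunt
        if m["action"] != "ALLOW" or m["proto"] != "TCP" or m["dport"] != RDP_PORT:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts < cutoff:
            continue  # outside the one-year window the alert asks for
        if is_internal(m["dst"]) or m["dst"] in allowed:
            continue
        hits.append((m["ts"], m["src"], m["dst"]))
    return hits


# Constructed sample log (documentation IP ranges): one internal connection,
# one year-old connection, one dropped attempt, one non-RDP port, one finding.
SAMPLE_LOG = """\
2024-10-28T09:12:03Z ALLOW TCP 10.0.0.5:51234 -> 10.0.0.20:3389
2024-10-29T14:40:11Z ALLOW TCP 10.0.0.7:51300 -> 198.51.100.7:3389
2024-10-29T14:41:55Z ALLOW TCP 10.0.0.7:51302 -> 198.51.100.7:443
2023-09-01T08:00:00Z ALLOW TCP 10.0.0.9:50011 -> 203.0.113.50:3389
2024-10-30T16:05:42Z DROP TCP 10.0.0.12:52000 -> 203.0.113.50:3389
"""
NOW = datetime(2024, 10, 31, tzinfo=timezone.utc)  # fixed "now" so the sample is repeatable

if __name__ == "__main__":
    for ts, src, dst in hunt_outbound_rdp(SAMPLE_LOG, NOW):
        print(f"{ts} outbound RDP {src} -> {dst}")
```

Each hit is a host that opened an RDP session to the outside; the source address is the pivot for the next step of the investigation (which user, which process, which attachment was opened shortly before).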
CISA added that users and administrators should “remain vigilant against spear-phishing attempts,” and asked organizations to report findings back to CISA in the event they spot those attempts.