URL: https://osintcorp.net/rogue-rdp-files-targeting-ukrainian-government-military/

ROGUE RDP FILES TARGETING UKRAINIAN GOVERNMENT, MILITARY

24.10.2024

Hackers are trying to gain remote access to Ukrainian government and military
systems leveraging Remote Desktop Protocol (RDP) configuration files, disguised
as popular network and security services. Ukrainian cyber defenders say their
investigation revealed meticulous planning that began in August and is aimed at
a wider geography.

A new wave of malicious phishing emails targeted at key sectors in Ukraine has
been observed by the Computer Emergency Response Team of Ukraine (CERT-UA).
Hackers are attempting to exploit the Remote Desktop Protocol (RDP) to gain
unauthorized access.

This campaign taps into the popularity of Amazon and Microsoft services, luring
targets with promises of integration and the adoption of “Zero Trust
Architecture” (ZTA). Attached to these phishing emails are RDP configuration
files, and if opened, they allow attackers to connect to a remote server
controlled by cybercriminals.


ATTACK MECHANISM: EXPLOITING RDP VULNERABILITIES

RDP is widely used for remote access in enterprise environments. However, in
this attack, the “.rdp” files act as the entry point for the threat actors. Once
the victim opens the file, it initiates an outbound connection to the attacker’s
server.

“Taking into account the parameters of the RDP file, during such an RDP
connection, the remote server was not only granted access to disks, network
resources, printers, COM ports, audio devices, the clipboard and other resources
on the local computer, but also allowed unauthorized running of third-party
programs/scripts on the victim’s computer,” CERT-UA said.

Attack chain of the latest campaign (Source: CERT-UA)

This type of exploitation is possible on a machine that has improperly
configured RDP settings. CERT-UA has noted that the attackers in this case are
taking advantage of these misconfigurations to infiltrate networks, gain access
to sensitive resources, and launch deeper attacks.



GLOBAL IMPLICATIONS

Though initially reported in Ukraine, CERT-UA has cautioned that this campaign’s
infrastructure shows signs of a wider geographical footprint. The malicious
activity dates back to August 2024, with domain names and IP addresses
associated with these attacks pointing to preparations spanning multiple
regions.


With attackers leveraging common themes like cloud services and zero-trust
architecture, organizations worldwide could be at risk.


STRENGTHENING DEFENSES AGAINST ROGUE RDP FILES

Reducing the attack surface requires a multi-layered approach, particularly for
organizations that rely on RDP for remote access. CERT-UA has issued several
critical recommendations to help mitigate the risk of such attacks:

 * Block RDP Files: Organizations should configure their mail gateways to block
   “.rdp” files, preventing users from accidentally launching these malicious
   configurations.
 * Restrict RDP Access: Firewalls should be adjusted to restrict RDP connections
   (specifically those initiated by mstsc.exe) to trusted internal resources,
   preventing unauthorized connections to external servers.
 * Set Group Policies: Administrators should use group policies to disable
   resource redirection during RDP sessions, which attackers often exploit to
   access drives, printers, and other connected peripherals.
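The behaviour CERT-UA describes (drives, clipboard, printers, COM ports and audio handed to the remote host, plus a program launched on the victim's machine) is driven by ordinary settings inside the ".rdp" text file, so a mail gateway or analyst can triage an attachment before anyone opens it. The following is an added example, not CERT-UA's or this article's code; the host name and file content are constructed, and the setting names are the documented mstsc .rdp settings.

```python
# Triage .rdp attachments for the resource-redirection settings described above.
# Added example, not CERT-UA's tooling. An .rdp file is plain text, one
# "name:type:value" per line ("s" = string, "i" = integer); names used here are
# the documented mstsc settings and the sample file is constructed.
import re
from typing import Dict, List

# Integer settings that hand a local resource to the remote host when set to 1.
RISKY_FLAGS = {
    "redirectclipboard": "clipboard shared with remote host",
    "redirectprinters": "printers redirected",
    "redirectcomports": "COM ports redirected",
    "audiocapturemode": "microphone redirected",
    "remoteapplicationmode": "RemoteApp mode (remote server chooses the program to run)",
}

def parse_rdp(text: str) -> Dict[str, str]:
    """Parse .rdp content into {lowercase setting name: raw value}."""
    settings: Dict[str, str] = {}
    for line in text.lstrip("\ufeff").splitlines():  # files are often UTF-16 with a BOM
        m = re.match(r"^([^:]+):([si]):(.*)$", line.strip())
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings

def triage_rdp(text: str) -> List[str]:
    """Return human-readable findings: target host plus every redirection enabled."""
    s = parse_rdp(text)
    findings: List[str] = []
    if s.get("full address"):
        findings.append(f"connects to {s['full address']}")
    drives = s.get("drivestoredirect", "")
    if drives:  # "*" shares every local drive; otherwise a list of drive letters
        findings.append("all local drives redirected" if drives == "*" else f"drives redirected: {drives}")
    for key, desc in RISKY_FLAGS.items():
        if s.get(key) == "1":
            findings.append(desc)
    if s.get("remoteapplicationprogram"):
        findings.append(f"RemoteApp program: {s['remoteapplicationprogram']}")
    return findings

def is_risky(text: str) -> bool:
    """True if the file redirects any local resource or launches a RemoteApp."""
    return any(not f.startswith("connects to") for f in triage_rdp(text))

# Constructed sample mirroring the behaviour CERT-UA describes (not a real IoC).
SAMPLE_RDP = """\
full address:s:zta-check.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
audiocapturemode:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||ZTA-Check
"""

if __name__ == "__main__":
    print("\n".join(triage_rdp(SAMPLE_RDP)), "->", "RISKY" if is_risky(SAMPLE_RDP) else "ok")
```

A file that merely names an internal host with no redirection settings produces a single "connects to" finding and is not flagged, so the check separates the lure files described here from routine RDP shortcuts.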


Additionally, CERT-UA advises security teams to scrutinize network logs for any
suspicious connections on port 3389 (the default port for RDP traffic). Any
unusual outbound connections should be flagged and investigated as potential
indicators of compromise.

The activity has been assigned the identifier UAC-0215, suggesting it is part of
a known campaign or actor group. Although the specific motivations behind these
attacks are still unclear, the target selection—government agencies, industrial
sectors, and military formations—implies a high degree of coordination, likely
pointing to a nation-state or advanced persistent threat (APT) actor.

Below is a list of some Indicators of Compromise (IoCs) listed by CERT-UA:


 



