- Restrict Outbound RDP Connections
  - It is strongly advised that organizations forbid or significantly restrict outbound RDP connections to external or public networks. This measure is crucial for minimizing exposure to potential cyber threats.
  - Implement a firewall with secure policies and access control lists to enforce the restriction.
- Block RDP Files in Communication Platforms
  - Organizations should prohibit RDP files from being transmitted through email clients and webmail services. This helps prevent the accidental execution of malicious RDP configurations.
- Prevent Execution of RDP Files
  - Implement controls to block the execution of RDP files by users. This precaution is vital in reducing the risk of exploitation.
- Enable Multi-Factor Authentication (MFA)
  - Multi-factor authentication must be enabled wherever feasible to provide an essential layer of security for remote access.
  - Avoid SMS-based MFA whenever possible.
- Adopt Phishing-Resistant Authentication Methods
  - Organizations are encouraged to deploy phishing-resistant authentication solutions, such as FIDO tokens. SMS-based MFA should be avoided, as it is vulnerable to SIM-jacking attacks.
- Implement Conditional Access Policies
  - Establish Conditional Access authentication strength policies to mandate the use of phishing-resistant authentication methods. This ensures that only authorized users can access sensitive systems.
- Deploy Endpoint Detection and Response (EDR)
  - Organizations should implement EDR solutions to continuously monitor for and respond to suspicious activity within the network.
- Consider Additional Security Solutions
  - In conjunction with EDR, organizations should evaluate the deployment of anti-phishing and antivirus solutions to bolster their defenses against emerging threats.
- Conduct User Education
  - Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails.
  - Recognize and Report Phishing: Avoid phishing with these simple tips.
- Hunt for Activity Using Referenced Indicators and TTPs
  - Utilize all indicators released in relevant articles and reporting to search for possible malicious activity within your organization's network.
  - Search for unexpected and/or unauthorized outbound RDP connections within the last year.
- Microsoft: Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
- AWS Security: Amazon identified internet domains abused by APT29
- The Centre for Cybersecurity Belgium: Warning: Government-themed Phishing with RDP Attachments
- Computer Emergency Response Team of Ukraine: RDP configuration files as a means of obtaining remote access to a computer or "Rogue RDP"
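As an added example (not NJCCIC's code, nor taken from any of the reports listed above) that supports two of the recommendations: blocking RDP files and hunting for outbound RDP connections. The Python below parses a .rdp attachment and flags the settings that hand a remote server access to local drives, the clipboard and other devices, and scans firewall log lines for allowed outbound TCP/3389 connections from internal hosts to destinations outside the organization within the last year. The log line format, the internal address ranges, the internal DNS suffix and all sample data are constructed assumptions to be adjusted for your environment.

```python
# Added example, not NJCCIC's code. Two defensive checks drawn from the mitigations
# above: (1) inspect a .rdp attachment for settings that expose local resources to
# the remote server, and (2) hunt firewall logs for outbound RDP to external hosts.
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed organization address space; replace with your own allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_DNS_SUFFIXES = (".corp.example",)  # assumed internal DNS suffix

# .rdp settings (key:type:value) that expose local resources or disguise the session.
RISKY_RDP_SETTINGS = {
    "drivestoredirect": "redirects local drives to the remote server",
    "redirectclipboard": "shares the clipboard with the remote server",
    "redirectprinters": "redirects printers",
    "redirectsmartcards": "redirects smart cards",
    "devicestoredirect": "redirects plug-and-play devices",
    "usbdevicestoredirect": "redirects USB devices",
    "remoteapplicationmode": "RemoteApp mode hides that a full remote session is running",
}


def is_internal_host(host):
    """True if host is an address in INTERNAL_NETS or carries an internal DNS suffix."""
    host = host.strip().lower()
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        return host.endswith(INTERNAL_DNS_SUFFIXES)


def inspect_rdp_file(text):
    """Parse .rdp text and report the target host and any risky settings.

    Returns {"target": host or None, "external": bool, "risky": [descriptions]}.
    A value of "" or "0" disables a setting, so only enabled values are reported.
    """
    target, risky = None, []
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        key, value = parts[0].lower(), parts[2].strip()
        if key == "full address":
            target = value
            if target.startswith("["):            # [ipv6]:port form
                target = target[1:target.index("]")]
            elif target.count(":") == 1:          # host:port form
                target = target.split(":")[0]
        elif key in RISKY_RDP_SETTINGS and value not in ("", "0"):
            risky.append(RISKY_RDP_SETTINGS[key])
    external = target is not None and not is_internal_host(target)
    return {"target": target, "external": external, "risky": risky}


# Constructed firewall log format: ISO timestamp followed by key=value fields.
LOG_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
                    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def find_outbound_rdp(log_lines, now, lookback_days=365):
    """Return (timestamp, src, dst) for allowed TCP/3389 connections from an internal
    source to an external destination within the lookback window."""
    since = now - timedelta(days=lookback_days)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if ts < since or m["action"] != "ALLOW" or m["proto"] != "TCP" or m["dport"] != "3389":
            continue
        if is_internal_host(m["src"]) and not is_internal_host(m["dst"]):
            hits.append((m["ts"], m["src"], m["dst"]))
    return hits


# Constructed sample .rdp attachment (not a real file from any campaign).
SAMPLE_RDP = """\
full address:s:203.0.113.45:3389
username:s:guest
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
remoteapplicationmode:i:1
"""

# Constructed firewall log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external hosts.
SAMPLE_LOGS = [
    "2024-10-30T14:02:11Z action=ALLOW proto=TCP src=10.0.5.23 dst=203.0.113.45 dport=3389",
    "2024-10-30T14:05:40Z action=ALLOW proto=TCP src=10.0.5.23 dst=10.0.1.10 dport=3389",
    "2024-10-30T14:06:02Z action=DENY proto=TCP src=10.0.7.8 dst=198.51.100.9 dport=3389",
    "2023-01-15T09:00:00Z action=ALLOW proto=TCP src=10.0.2.2 dst=198.51.100.9 dport=3389",
    "2024-10-30T14:07:15Z action=ALLOW proto=TCP src=10.0.5.23 dst=203.0.113.45 dport=443",
]
NOW = datetime(2024, 10, 31, tzinfo=timezone.utc)  # constructed reference time

if __name__ == "__main__":
    print(inspect_rdp_file(SAMPLE_RDP))
    for hit in find_outbound_rdp(SAMPLE_LOGS, NOW):
        print("outbound RDP to external host:", hit)
```

The address check deliberately uses an explicit list of internal networks rather than `ipaddress`'s `is_private`, because that property also treats the documentation ranges used in the sample as private; in production the list should be the organization's own allocations. A mail gateway rule can reject any attachment for which `inspect_rdp_file` reports an external target or a non-empty `risky` list, and the log hunt runs over a year of exported firewall or proxy records.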
Reporting
The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.
