CISA advises organisations to block or severely restrict outbound RDP connections to remote networks to reduce cyber threats. This is prompted by a recent phishing attack using .rdp files to gain unauthorised access. CISA stresses the importance of measures such as blocking RDP files in email clients, limiting users’ ability to open these files, and checking for unauthorised RDP connections over the past year. In addition, CISA recommends training users in recognising and reporting suspicious emails to reduce social engineering risks.
Immediate actions
Proactive monitoring:
Increase monitoring for suspicious emails, RDP file attachments and potential phishing activity for a defined period, matching against the IoCs associated with this campaign.
Long-term recommendations
Block RDP files on the mail server:
Configure the mail server to automatically block, or mark as suspicious, attachments with the .rdp extension. This prevents users from accidentally opening rogue RDP files distributed via phishing emails. Blocking these attachments at the server level significantly reduces the risk of compromise via email.
Block users from running RDP files:
Restrict user permissions on endpoints so that users cannot run RDP files. This can be enforced via Group Policy and endpoint security tooling. Restricting RDP file execution makes it harder for attackers to establish RDP sessions that give them access to corporate networks or remote servers.
Block outgoing RDP traffic on the firewall:
Configure the firewall to block outgoing RDP traffic to external networks, allowing it only to authorised internal servers. This prevents rogue RDP connections to attacker-controlled servers and protects against exfiltration and unwanted access to sensitive systems.
Block resource sharing on RDP connections in Group Policy:
Configure Group Policy to prevent users from sharing drives, clipboard content, printers or other local resources during RDP sessions. This stops attackers from abusing redirected resources during an RDP session to place rogue files on systems or steal sensitive data.
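As an added example (not from the CISA advisory or the security.nl article), the following Python routine supports the monitoring step above: it parses an .rdp attachment and flags the settings the recommendations target, namely a full address outside an allow-list of approved hosts and any drive, clipboard, printer or device redirection. The sample lure content and the trusted host name are constructed; the allow-list is an assumption you fill in from your own environment.

```python
"""Triage .rdp attachments for the settings abused by RDP-file phishing."""
import re
from dataclasses import dataclass, field

# Real .rdp setting names; each predicate says when the value hands a
# local resource to the remote host (constructed selection, not exhaustive).
REDIRECTION_KEYS = {
    "drivestoredirect": lambda v: v != "",        # "*" shares every local drive
    "devicestoredirect": lambda v: v != "",
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",  # RemoteApp hides the session desktop
}

@dataclass
class RdpVerdict:
    target: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)

def parse_rdp(text: str) -> dict:
    """Parse 'key:type:value' lines (caller decodes UTF-16 files to str first);
    malformed lines are skipped rather than aborting the triage."""
    settings = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([^:]+):([si]):(.*?)\s*", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3)
    return settings

def triage_rdp(text: str, trusted_hosts: set) -> RdpVerdict:
    """Flag an untrusted full address and any risky redirection setting."""
    settings = parse_rdp(text)
    target = settings.get("full address", "").split(":")[0].lower()
    verdict = RdpVerdict(target=target)
    if target and target not in trusted_hosts:
        verdict.findings.append(f"connects to untrusted host {target}")
    for key, is_risky in REDIRECTION_KEYS.items():
        if key in settings and is_risky(settings[key]):
            verdict.findings.append(f"{key}={settings[key]}")
    return verdict

# Constructed sample in the shape of a lure that redirects local resources outward.
SAMPLE_LURE = """\
full address:s:rdp.example-attacker.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
"""
```

A mail gateway or EDR hook can call `triage_rdp` on each .rdp attachment and quarantine those whose verdict is suspicious.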
File Hashes:
Source: https://www.security.nl/posting/864400/CISA%3A+blokkeer+uitgaande+RDP-verbindingen+naar+externe+netwerken