Massive Cozy Bear phishing attack using malicious RDP files

30 October 2024 2 minutes Author: Newsman

The Russian state-sponsored group Cozy Bear (APT29) has launched a large spear-phishing campaign against more than 100 organizations, aiming to collect sensitive information through malicious RDP configuration files. The emails impersonated Microsoft employees and carried signed .rdp files that, when opened, connected the victim's machine to servers controlled by the attackers.

The phishing emails targeted users in Europe and the United States. Cozy Bear, which is linked to the Russian Foreign Intelligence Service (SVR), distributed the RDP files through spoofed messages impersonating Microsoft and AWS. An .rdp file is a plain-text connection profile, and the attackers' files were configured to redirect the victim's local drives, clipboard, printers and other devices to the remote session, so that opening the file exposed those resources to the attacker-controlled server. Once the session was established, the attackers could also drop malware and remote-access tools onto the redirected drives to establish long-term access.
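The following is an added example, not code from the article, from Microsoft or from any report on the campaign. It shows the kind of triage a mail-security team can run over an .rdp attachment: parse the `name:type:value` lines of the RDP profile, flag the device-redirection settings described above, and flag a destination that is not a known corporate gateway. The two sample files are constructed for this example, and the allow-list `TRUSTED_HOSTS` with the hostname `rdgw.corp.example` is a hypothetical placeholder.

```python
"""Triage an .rdp attachment for the settings abused in RDP-file phishing.

The .rdp format is plain text, one setting per line: 'name:type:value' with
type s (string), i (integer) or b (binary).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Settings that redirect local resources into the remote session. Any of these
# enabled in a file that arrived by e-mail hands that resource to whoever runs
# the host in 'full address'.
REDIRECT_SETTINGS = {
    "drivestoredirect": "local drives (all of them when the value is '*')",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "COM ports",
    "redirectposdevices": "point-of-sale devices",
    "redirectwebauthn": "WebAuthn / passkey requests",
    "devicestoredirect": "plug-and-play devices",
}

# Hypothetical allow-list of corporate RDP gateways; anything else is external.
TRUSTED_HOSTS = {"rdgw.corp.example"}


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {setting_name: (type, value)}; setting names are case-insensitive."""
    settings: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, rest = line.partition(":")
        kind, _, value = rest.partition(":")
        if kind not in ("s", "i", "b"):
            continue  # not a well-formed setting line, skip it
        settings[name.strip().lower()] = (kind, value.strip())
    return settings


def _is_enabled(kind: str, value: str) -> bool:
    """Integer settings are on when non-zero; string settings when non-empty."""
    if kind == "i":
        return value.isdigit() and int(value) != 0
    return value != ""


def _host_only(full_address: str) -> str:
    """Strip an optional :port from 'full address' (also handles [v6]:port)."""
    m = re.match(r"^\[(.+)\](?::\d+)?$", full_address)
    if m:
        return m.group(1)
    if full_address.count(":") == 1:
        return full_address.split(":")[0]
    return full_address


def triage_rdp(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing looked suspicious."""
    s = parse_rdp(text)
    findings: List[str] = []

    _, addr = s.get("full address", ("s", ""))
    host = _host_only(addr)
    if not host:
        findings.append("no 'full address' setting")
    elif host.lower() not in TRUSTED_HOSTS:
        findings.append(f"connects to untrusted host {host}")
        try:
            ipaddress.ip_address(host)
            findings.append(f"destination {host} is a raw IP address, not a hostname")
        except ValueError:
            pass  # a hostname, not an IP literal

    for name, what in REDIRECT_SETTINGS.items():
        if name in s and _is_enabled(*s[name]):
            kind, value = s[name]
            findings.append(f"redirects {what} ({name}:{kind}:{value})")

    # A signature only proves the file was not altered after signing; it says
    # nothing about the signer's intent, so it is a note to check, not a pass.
    if "signature" in s and "signscope" in s:
        findings.append("file is signed; verify the signer, do not trust it by default")

    return findings


# Constructed sample: the profile of a weaponised attachment (203.0.113.25 is a
# documentation address; the signature value is a placeholder).
MALICIOUS_RDP = """\
full address:s:203.0.113.25:3389
prompt for credentials:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
signscope:s:Full Address,Drive Store Redirect,Redirect Clipboard
signature:s:AQABAAEAAAA=
"""

# Constructed sample: a conservative profile pointing at the corporate gateway.
BENIGN_RDP = """\
full address:s:rdgw.corp.example
prompt for credentials:i:1
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
redirectsmartcards:i:0
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(label, triage_rdp(sample) or ["clean"])
```

In practice such a check belongs in the mail gateway or an attachment sandbox, and the blunter control (blocking .rdp attachments outright) is simpler to operate; the parser is mainly useful for triaging what has already been delivered.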

Cozy Bear, also tracked as APT29, has a long record in cyber espionage and is known for intelligence-gathering operations against governments and large companies. This campaign shows how its tradecraft keeps evolving: the attackers used signed RDP files, which look legitimate and draw less suspicion, to obtain durable access to sensitive victim data. The signature only attests that the file has not been altered since it was signed; it says nothing about whether the sender or the destination server is trustworthy.

Microsoft recommends defending against such attacks with layered controls: multi-factor authentication, hardened endpoint protection and correctly configured antivirus, and email security tools that keep malicious attachments from reaching users, combined with regular phishing-awareness training for employees. Since the attack depends on the victim's machine opening an outbound RDP session to an external host, organizations should also consider whether .rdp attachments and outbound RDP connections to the internet are needed at all.
