Section | Details |
---|---|
Threat Actors | – Midnight Blizzard (also known as APT29, UNC2452, Cozy Bear) – Attributed to the Foreign Intelligence Service of the Russian Federation (SVR) |
Campaign Overview | – Since October 22, 2024, Midnight Blizzard has been conducting targeted spear-phishing attacks – Targets include individuals in government, academia, defense, NGOs, and other sectors – Emails contain signed RDP configuration files connecting to actor-controlled servers – Some emails impersonate Microsoft employees – Goal is likely intelligence collection |
Target Regions | – Thousands of targets in over 100 organizations – Particularly in the United Kingdom, Europe, Australia, and Japan – Consistent with Midnight Blizzard’s usual targeting patterns |
Methodology | – Spear-phishing emails with malicious .RDP attachments – Social engineering lures related to Microsoft, AWS, and Zero Trust – RDP files signed with Let’s Encrypt certificates – Establishes RDP connections to actor-controlled servers – Maps local resources to the remote server, enabling data exposure and potential malware installation |
Product Targeted | – Windows systems utilizing Remote Desktop Protocol (RDP) |
Malware Reference | – Malicious RDP configuration files – Previously known to use AD FS malware FOGGYWEB and MAGICWEB |
Tools Used | – Spear-phishing emails – Signed RDP configuration files – Let’s Encrypt certificates – Possible use of FOGGYWEB and MAGICWEB malware |
Vulnerabilities Exploited | – No specific vulnerabilities; relies on social engineering and misuse of RDP features |
TTPs | – Spear-phishing with malicious attachments – Impersonation of trusted entities (e.g., Microsoft employees) – Use of signed RDP files to establish connections – Resource mapping for data exfiltration and malware installation – Use of compromised email addresses from previous attacks |
Attribution | – Attributed to Midnight Blizzard (APT29, UNC2452, Cozy Bear) – Linked to the Russian SVR |
Recommendations | – Restrict outbound RDP connections using Windows Firewall – Require multifactor authentication (preferably phishing-resistant methods) – Implement Conditional Access policies – Use browsers with Microsoft Defender SmartScreen – Enable tamper protection, network protection, and web protection in Microsoft Defender for Endpoint – Turn on cloud-delivered protection and real-time protection in antivirus software – Enable Safe Links and Safe Attachments in Office 365 – Educate users on phishing awareness |
Source | – Microsoft Threat Intelligence report – Overlapping activity reported by CERT-UA (UAC-0215) and Amazon |
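A defender-side check for the "maps local resources to the remote server" behaviour described in the Methodology and Recommendations rows, as an added example that is not part of the Microsoft report or this summary: it parses the `key:type:value` settings of a .rdp file, lists which local resources the file would map to the remote host, records whether the file carries a signature, and flags targets that are not on a host allow-list. The selection of redirection keys, the allow-list and the sample .rdp content are my own constructions.

```python
import re
# Added example, not from the Microsoft report. A selection of .rdp settings
# that map local resources to the remote host; the labels are my own.
REDIRECT_KEYS = {
    "drivestoredirect": "local drives",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectwebauthn": "WebAuthn (passkeys/FIDO)",
}
# .rdp files are lines of the form key:type:value (type s=string, i=int, b=binary).
LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

def parse_rdp(text):
    """Return {key: (type, value)} for each well-formed setting line."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            settings[m["key"].strip().lower()] = (m["type"], m["value"].strip())
    return settings

def redirected_resources(settings):
    """Local resources the file would expose to the remote server."""
    found = []
    for key, label in REDIRECT_KEYS.items():
        typ, value = settings.get(key, ("i", "0"))
        # Integer flags enable on "1"; string lists redirect on any non-empty value.
        if (typ == "i" and value == "1") or (typ == "s" and value):
            found.append(label)
    return found

def assess_rdp(text, allowed_hosts):
    """Return (host, redirected_resources, is_signed, flagged) for one .rdp file."""
    settings = parse_rdp(text)
    host = settings.get("full address", ("s", ""))[1].rsplit(":", 1)[0].lower()
    redirected = redirected_resources(settings)
    # A signature only shows the file was not altered, not that the host is trusted.
    signed = "signature" in settings
    flagged = bool(redirected) and host not in allowed_hosts
    return host, redirected, signed, flagged

# Constructed sample: drives, clipboard and smart cards mapped to an unknown host.
SAMPLE_RDP = """\
full address:s:rdp.example-placeholder.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
signature:s:AQABAAEAAAA
"""
```

Running `assess_rdp(SAMPLE_RDP, {"rdp.corp.internal"})` returns the placeholder host, the three mapped resources, `signed=True` and `flagged=True`; the same file is not flagged once its host is on the allow-list.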
Read More: https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
Disclaimer: The above summary has been generated by an AI language model