| Section | Details |
|---|---|
| Threat Actors | - Midnight Blizzard (also known as APT29, UNC2452, Cozy Bear) - Attributed to the Foreign Intelligence Service of the Russian Federation (SVR) |
| Campaign Overview | - Since October 22, 2024, Midnight Blizzard has been conducting targeted spear-phishing attacks - Targets include individuals in government, academia, defense, NGOs, and other sectors - Emails contain signed RDP configuration files connecting to actor-controlled servers - Some emails impersonate Microsoft employees - Goal is likely intelligence collection |
| Target Regions | - Thousands of targets in over 100 organizations - Particularly in the United Kingdom, Europe, Australia, and Japan - Consistent with Midnight Blizzard’s usual targeting patterns |
| Methodology | - Spear-phishing emails with malicious .RDP attachments - Social engineering lures related to Microsoft, AWS, and Zero Trust - RDP files signed with Let’s Encrypt certificates - Establishes RDP connections to actor-controlled servers - Maps local resources to the remote server, enabling data exposure and potential malware installation |
| Product Targeted | - Windows systems utilizing Remote Desktop Protocol (RDP) |
| Malware Reference | - Malicious RDP configuration files - Previously known to use AD FS malware FOGGYWEB and MAGICWEB |
| Tools Used | - Spear-phishing emails - Signed RDP configuration files - Let’s Encrypt certificates - Possible use of FOGGYWEB and MAGICWEB malware |
| Vulnerabilities Exploited | - No specific vulnerabilities; relies on social engineering and misuse of RDP features |
| TTPs | - Spear-phishing with malicious attachments - Impersonation of trusted entities (e.g., Microsoft employees) - Use of signed RDP files to establish connections - Resource mapping for data exfiltration and malware installation - Use of compromised email addresses from previous attacks |
| Attribution | - Attributed to Midnight Blizzard (APT29, UNC2452, Cozy Bear) - Linked to the Russian SVR |
| Recommendations | - Restrict outbound RDP connections using Windows Firewall - Require multifactor authentication (preferably phishing-resistant methods) - Implement Conditional Access policies - Use browsers with Microsoft Defender SmartScreen - Enable tamper protection, network protection, and web protection in Microsoft Defender for Endpoint - Turn on cloud-delivered protection and real-time protection in antivirus software - Enable Safe Links and Safe Attachments in Office 365 - Educate users on phishing awareness |
| Source | - Microsoft Threat Intelligence report - Overlapping activity reported by CERT-UA (UAC-0215) and Amazon |
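As an added defensive example, not code from the Microsoft report or this summary: a Python triage helper that parses an .rdp attachment and flags the destination host and the settings that map local resources (drives, clipboard, smart cards, WebAuthn) to the remote server. The setting names are standard RDP-file keys assumed here, the allowlist is hypothetical, and the sample file is constructed.

```python
"""Triage an .rdp attachment for the resource mapping described in the campaign."""
import re
from typing import Dict, Tuple

# Standard RDP-file keys that expose local resources to the remote host (assumed set).
RESOURCE_KEYS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug-and-play devices",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "serial ports",
    "redirectwebauthn": "WebAuthn / passkeys",
}
# RDP files are "key:type:value" lines; type is s (string), i (integer) or b (binary).
LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# Constructed sample resembling a lure file; the signature is a labelled placeholder.
SAMPLE_RDP = """screen mode id:i:2
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
signscope:s:Full Address,Drives To Redirect
signature:s:CONSTRUCTED-PLACEHOLDER
"""


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {key: (type, value)}; blank or malformed lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m["key"].strip().lower()] = (m["type"], m["value"].strip())
    return settings


def triage_rdp(text: str, allowed_hosts: set) -> dict:
    """Flag non-allowlisted hosts and enabled redirections; report whether the file is signed."""
    s = parse_rdp(text)
    host = s.get("full address", ("s", ""))[1].split(":")[0].lower()
    findings = []
    if host and host not in allowed_hosts:
        findings.append(f"connects to non-allowlisted host {host}")
    for key, what in RESOURCE_KEYS.items():
        typ, val = s.get(key, ("", ""))
        if (typ == "i" and val not in ("", "0")) or (typ == "s" and val != ""):
            findings.append(f"redirects {what} ({key}={val})")
    return {"host": host, "signed": "signature" in s,
            "findings": findings, "suspicious": bool(findings)}
```

A valid signature only proves the file was not altered after signing; it says nothing about whether the signer is trusted, so it is reported separately from the findings.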
Read More: https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
Disclaimer: The above summary has been generated by an AI language model