Microsoft is warning that Russian threat group Midnight Blizzard is increasing its attacks, engaging in “a series of highly targeted spear-phishing” campaigns.
Spear-phishing is an advanced form of phishing, in which the bad actor conducts research to more effectively pass themselves off as a legitimate authority and convince the target to take some action that compromises their cybersecurity. According to Microsoft, Midnight Blizzard has sent spear-phishing emails to thousands of individuals within at least 100 organizations.
The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server. In some of the lures, the actor attempted to add credibility to their malicious messages by impersonating Microsoft employees. The threat actor also referenced other cloud providers in the phishing lures.
The incorporation of RDP in the attacks is a new development, one that increases the danger of the attack.
While this campaign focuses on many of Midnight Blizzard’s usual targets, the use of a signed RDP configuration file to gain access to the targets’ devices represents a novel access vector for this actor. Overlapping activity has also been reported by the Government Computer Emergency Response Team of Ukraine (CERT-UA) under the designation UAC-0215 and also by Amazon.
CISA has issued its own alert regarding the attacks, underscoring how effectively the threat actors can compromise an organization.
CISA has received multiple reports of a large-scale spear-phishing campaign targeting organizations in several sectors, including government and information technology (IT). The foreign threat actor, often posing as a trusted entity, is sending spear-phishing emails containing malicious remote desktop protocol (RDP) files to targeted organizations to connect to and access files stored on the target’s network. Once access has been gained, the threat actor may pursue additional activity, such as deploying malicious code to achieve persistent access to the target’s network.
Microsoft details exactly how the campaign works.
On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. RDP configuration (.RDP) files summarize automatic settings and resource mappings that are established when a successful connection to an RDP server occurs. These configurations extend features and resources of the local system to a remote server, controlled by the actor.
In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server. Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed. The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the user signed in to the target system.
Microsoft says the campaign is targeting government agencies, defense organizations, higher education, and non-government organizations. While the attacks are being carried out against targets in dozens of countries, the bulk of them are concentrated in the UK, Australia, Europe, and Japan.
CISA recommends a comprehensive list of steps for organizations to implement to protect themselves.
- Restrict Outbound RDP Connections:
  - Forbid or significantly restrict outbound RDP connections to external or public networks. This measure is crucial for minimizing exposure to potential cyber threats.
  - Implement a Firewall along with secure policies and access control lists.
- Block RDP Files in Communication Platforms:
  - Prohibit RDP files from being transmitted through email clients and webmail services. This step helps prevent the accidental execution of malicious RDP configurations.
- Prevent Execution of RDP Files:
  - Implement controls to block the execution of RDP files by users. This precaution is vital in reducing the risk of exploitation.
- Enable Multi-Factor Authentication (MFA):
  - Enable MFA wherever feasible to provide an essential layer of security for remote access.
  - Avoid SMS MFA whenever possible.
- Adopt Phishing-Resistant Authentication Methods:
  - Deploy phishing-resistant authentication solutions, such as FIDO tokens. It is important to avoid SMS-based MFA, as it can be vulnerable to SIM-jacking attacks.
- Implement Conditional Access Policies:
  - Establish Conditional Access Authentication Strength to mandate the use of phishing-resistant authentication methods. This ensures that only authorized users can access sensitive systems.
- Deploy Endpoint Detection and Response (EDR):
  - Implement Endpoint Detection and Response (EDR) solutions to continuously monitor for and respond to suspicious activities within the network.
- Consider Additional Security Solutions:
  - Evaluate, in conjunction with EDR, the deployment of anti-phishing and antivirus solutions to bolster their defenses against emerging threats.
- Conduct User Education:
  - Have a user education program that highlights how to identify and report suspicious emails. Robust user education can help mitigate the threat of social engineering and phishing emails.
  - Recognize and Report Phishing: Avoid phishing with these simple tips.
- Hunt For Activity Using Referenced Indicators and TTPs:
  - Utilize all indicators that are released in relevant articles and reporting to search for possible malicious activity within your organization’s network.
  - Search for unexpected and/or unauthorized outbound RDP connections within the last year.
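As an added illustration (not code from Microsoft or CISA), the Python helper below parses a .RDP file, flags the resource-redirection settings Microsoft's description lists (disks, clipboard, printers, peripherals, audio, smart cards), and checks whether the destination lies outside the organization's address space, the kind of check a mail gateway or hunt script could apply to attachments. The sample file, the placeholder host and the `.corp.example` internal DNS suffix are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample .RDP attachment modelled on the settings the article
# describes. The host is a placeholder, not a real indicator.
SAMPLE_RDP = """\
full address:s:files-share.example-actor.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
devicestoredirect:s:*
audiocapturemode:i:1
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

# Settings that extend local resources to the remote server. Type "i" is on
# when the value is 1; type "s" is on when it names anything at all.
REDIRECTION_SETTINGS = {
    "drivestoredirect": "local hard disks mapped to remote server",
    "devicestoredirect": "plug-and-play devices redirected",
    "redirectclipboard": "clipboard shared with remote server",
    "redirectprinters": "printers redirected",
    "redirectsmartcards": "smart cards (authentication) redirected",
    "redirectcomports": "serial ports redirected",
    "audiocapturemode": "microphone audio captured by remote server",
}

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'name:type:value' lines; the value may itself contain colons."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            settings[parts[0].lower()] = (parts[1], parts[2])
    return settings

def is_enabled(kind: str, value: str) -> bool:
    return value.strip() == "1" if kind == "i" else value.strip() != ""

def host_is_external(address: str, internal_suffixes=(".corp.example",)) -> bool:
    """Assumed policy: only private/loopback IPs or allowlisted suffixes are internal."""
    host = address.rsplit(":", 1)[0] if address.count(":") == 1 else address
    try:
        ip = ipaddress.ip_address(host)
        return not (ip.is_private or ip.is_loopback)
    except ValueError:
        return not host.lower().endswith(internal_suffixes)

def triage_rdp(text: str) -> List[str]:
    """Return one finding per risky setting, plus destination and signature notes."""
    settings = parse_rdp(text)
    findings = [desc for name, desc in REDIRECTION_SETTINGS.items()
                if name in settings and is_enabled(*settings[name])]
    _, address = settings.get("full address", ("s", ""))
    if address and host_is_external(address):
        findings.append(f"outbound RDP to external host {address}")
    if "signature" in settings:
        findings.append("file is signed: a valid signature does not make it trusted")
    return findings
```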