Massive Midnight Blizzard Phishing Attack Via Weaponized RDP Files

Apr 13, 2026

Threat actors impersonate trusted entities to deceive individuals into revealing sensitive information in phishing attacks.

Phishing attacks are executed via fraudulent emails and messages carrying malicious links that lead to fake websites, and phishing remains one of the most dominant forms of cyber threat, with many variants.

Microsoft Threat Intelligence researchers recently discovered a massive Midnight Blizzard Phishing attack that has been using weaponized RDP files.

Russian cyber threat group Midnight Blizzard (aka “APT29,” “UNC2452,” and “Cozy Bear”), operating under Russia’s Foreign Intelligence Service (SVR), initiated a sophisticated “cyber-espionage campaign” on October 22, 2024.

This espionage campaign targets multiple sectors:

  • Government agencies

  • Academic institutions

  • Defense organizations

  • Non-governmental organizations (NGOs)

The threat actors employed spear-phishing emails containing malicious “RDP configuration files” (.RDP files) that connect the victims to attacker-controlled servers when opened.


The campaign’s distinctive features include impersonation of Microsoft employees to appear legitimate, abuse of cloud service providers’ trust relationships, and deployment of specialized malware like “FOGGYWEB” and “MAGICWEB.”

Malicious remote connection (Source – Microsoft)

Both of these malware families specifically target a critical authentication system, “Active Directory Federation Services” (AD FS).

The threat actor’s tactics also encompass stealing legitimate credentials by compromising “supply chains” and “moving laterally from on-premises networks to cloud environments,” affecting thousands of targets across more than 100 organizations, primarily in the “United States” and “Europe.”

This campaign, independently confirmed by Ukraine’s “CERT-UA” (as UAC-0215) and “Amazon,” represents a previously unseen approach for this group through its use of “signed RDP configuration files,” marking an evolution in its persistent intelligence-gathering operations, which date back to 2018.

In this malicious campaign, the threat actors targeted thousands of users across 100+ organizations using misleading emails that impersonated “Microsoft,” “Amazon Web Services” (AWS), and “Zero Trust security concepts.”

The malicious files enable bidirectional mapping of resources that expose sensitive data like “local hard drives,” “clipboard contents,” “printers,” “peripheral devices,” “audio systems,” and “Windows authentication features” (including ‘smart cards’ and ‘Windows Hello credentials’).

This access allowed the threat actors to potentially install malware such as “RATs” in AutoStart folders and maintain persistent system access even after the RDP session terminated.

The campaign focused on entities in the “United Kingdom,” “Europe,” “Australia,” and “Japan.”

Here the threat actors leveraged previously compromised legitimate email addresses from other organizations to distribute these phishing emails, which makes the campaign appear more credible to targets.

By exploiting the RDP connection’s configuration settings, the threat actors gained access to multiple system components like “connected network drives,” “Point of Service (POS) devices,” and “web authentication mechanisms” using passkeys and security keys.

This lets the threat actors create a comprehensive system compromise that can persist beyond the initial attack.
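One defender-side check implied by the settings described above, as an added example that is not code from Microsoft or from the article: a small Python triage script that parses an .rdp attachment and flags the redirection keys that hand local drives, clipboard, smart cards and passkeys to the remote host, plus a target host outside a trusted domain list. The setting names are standard .rdp keys; the sample file, hostname and signature value are constructed placeholders.

```python
from typing import Dict, List, Tuple

# Standard .rdp keys that hand local resources to the remote host (key -> what it exposes).
# 'drivestoredirect' is a string ('*' = every drive); the rest are 1/0 integer flags.
RISKY_KEYS = {
    "drivestoredirect": "local drives",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectposdevices": "POS devices",
    "redirectsmartcards": "smart cards",
    "redirectwebauthn": "WebAuthn passkeys / security keys",
    "audiocapturemode": "microphone",
    "remoteapplicationmode": "RemoteApp mode (hides the remote desktop)",
}

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'key:type:value' lines (type 'i' or 's') into {key: (type, value)}."""
    settings: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s"):
            settings[parts[0].lower()] = (parts[1], parts[2].strip())
    return settings

def triage_rdp(text: str, trusted_domains: List[str]) -> Dict[str, object]:
    """Report the target host, whether it lies outside trusted_domains, and each risky setting."""
    s = parse_rdp(text)
    host = s.get("full address", ("s", ""))[1].split(":")[0].lower()
    exposures = [
        f"{key} -> {what}" for key, what in RISKY_KEYS.items()
        if key in s and (s[key][1] == "1" if s[key][0] == "i" else s[key][1] != "")
    ]
    external = bool(host) and not any(host == d or host.endswith("." + d) for d in trusted_domains)
    # The campaign's files carried a signature; it proves who signed the file, not that it is safe.
    signed = "signature" in s
    return {"host": host, "external": external, "signed": signed,
            "exposures": exposures, "block": external and bool(exposures)}

# Constructed sample attachment (not a real campaign artifact); the hostname is a placeholder.
SAMPLE_RDP = """\
full address:s:compliance-check.example.net:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
remoteapplicationmode:i:1
signscope:s:Full Address,Drives To Redirect
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""
```

Run `triage_rdp(SAMPLE_RDP, ["corp.example.com"])` to see the sample flagged as an external host with five resource exposures; a mail gateway or EDR hook can use the `block` field to quarantine the attachment.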

Mitigations

The recommended mitigations are:

  • Make sure to strengthen the operating environment configuration.

  • Always strengthen endpoint security configuration.

  • Make the antivirus configuration secure and robust.

  • Double-check and secure Microsoft Office 365 settings.

  • Secure email security configuration is necessary.

  • Conduct user training.

IoCs

Email sender domains:

  • sellar[.]co.uk

  • townoflakelure[.]com

  • totalconstruction[.]com.au

  • swpartners[.]com.au

  • cewalton[.]com

RDP file names:

  • AWS IAM Compliance Check.rdp

  • AWS IAM Configuration.rdp

  • AWS IAM Quick Start.rdp

  • AWS SDE Compliance Check.rdp

  • AWS SDE Environment Check.rdp

  • AWS Secure Data Exchange – Compliance Check.rdp

  • AWS Secure Data Exchange Compliance.rdp

  • Device Configuration Verification.rdp

  • Device Security Requirements Check.rdp

  • IAM Identity Center Access.rdp

  • IAM Identity Center Application Access.rdp

  • Zero Trust Architecture Configuration.rdp

  • Zero Trust Security Environment Compliance Check.rdp

  • ZTS Device Compatibility Test.rdp

Source: CybersecurityNews.com
