Microsoft has warned of an ongoing spear phishing campaign for intelligence gathering by the Russian state-linked threat actor Midnight Blizzard, also tracked as Cozy Bear, APT29, the Dukes, Yttrium, and UNC2452. The group is linked to Russia’s Foreign Intelligence Service (SVR).
“Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors,” Microsoft said.
The Redmond, Washington-based tech giant says the campaign leverages a “signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server.”
The attacker also impersonates Microsoft employees and mentions other cloud providers such as Amazon and the concept of Zero Trust to add credibility to their lures. The threat actor has so far targeted thousands of high-profile individuals in over one hundred organizations.
Russian spear phishing campaign leverages RDP files
The spear phishing campaign involves sending LetsEncrypt-signed ‘.RDP’ files to targeted individuals from email addresses of legitimate organizations compromised during previous campaigns.
Opening the ‘.RDP’ attachment establishes an RDP session with the threat actor-controlled system, allowing the attacker to discover information about the target system.
“Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server,” the report said.
Details collected include the device’s files and directories, connected network devices, peripherals including smart cards, web authentication credentials including Windows Hello and passkeys, clipboard data, and Point of Sale (POS) service devices.
“This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access Trojans (RATs) to maintain access when the RDP session is closed,” Microsoft said.
The spear phishing campaign targets government agencies, defense, higher education, and non-governmental organizations in the United Kingdom, Europe, Australia, and Japan. Victims include HPE, Microsoft, SolarWinds, US federal government agencies, and various diplomatic missions worldwide.
Amazon and the Ukrainian Computer Emergency Response Team (CERT-UA) have observed similar tactics deployed by the threat actor tracked as UAC-0215. The cloud services provider seized numerous domains it believes were used in the spear phishing campaign.
“Upon learning of this activity, we immediately initiated the process of seizing the domains APT29 was abusing which impersonated AWS in order to interrupt the operation,” Amazon’s CISO for AWS CJ Moses said.
However, Microsoft insists that the spear phishing campaign was not a compromise on the company or any of its products.
Midnight Blizzard has previously targeted numerous security vulnerabilities in Fortinet, Pulse Secure, Citrix, and Zimbra to compromise organizations of interest.
“Midnight Blizzard has a long history of using various spear phishing and watering-hole techniques to lure key personnel for intelligence collection,” said Mr. Balazs Greksza, Threat Response Lead at Ontinue. “This time, the thematic is about Security/Device/AWS/Zero Trust configurations, however, this may change relatively rapidly.”
Meanwhile, Microsoft has published a list of indicators of compromise (IoCs) to assist network defenders in hunting for activity from the Russian spear phishing campaign.
Redmond also suggested various mitigations, including strengthening the operating environment with Windows Firewall with Advanced Security, multi-factor authentication, anti-phishing solutions such as Microsoft Authenticator, implementing conditional access, and using browsers that identify and block malicious websites.
Other recommendations include hardening endpoint security solutions, anti-virus software, Microsoft 365, and email security configurations. Organizations should also conduct extensive user security awareness training on various social engineering and phishing tactics.
“Microsoft’s advice on using the host firewall to restrict outbound RDP access is spot on and must be urgently heeded,” reiterated Mr. Venky Raju, Field CTO at ColorTokens. “This can be achieved using GPO policies or adopting a host-based microsegmentation solution to restrict outbound RDP access.”
The Cybersecurity and Infrastructure Security Agency (CISA) also advised network defenders to restrict outbound RDP connections to external or public networks, block ‘.RDP’ files in the organization’s communication channels such as email and restrict their execution, and enable phishing-resistant MFA solutions such as FIDO tokens.
“Defenders can block the ‘.rdp’ file extension on the email gateways, and limiting the ability for normal users to run any ‘.rdp’ files will provide good countermeasures against this specific threat,” added Greksza. “Administrators can also take advantage of Group Policy Objects (GPO) policies by disabling Device and Resource Redirection in the Remote Desktop Services configurations.”
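The bidirectional resource mapping described in Microsoft's report and the attachment-blocking advice from CISA and Greksza both come down to a handful of settings inside the ‘.RDP’ file itself. The following triage script is an added example written for this article, not code from Microsoft, CISA, or any vendor quoted here: it parses the plain-text ‘name:type:value’ lines of a ‘.rdp’ file, flags every setting that hands the remote host access to local drives, smart cards, WebAuthn credentials, POS devices, clipboard and peripherals, and records whether the file carries a signature block (a signature says nothing about who signed it). The key names are the documented mstsc.exe settings; the severity ratings, the two sample files and the placeholder host name are this example's own constructions, not indicators from the report.

```python
"""Triage helper for .rdp attachments: flag local-resource redirection settings."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Settings that expose local resources to the remote host. The key names are the
# documented mstsc.exe .rdp settings; the severity split is this example's own.
HIGH_RISK = {
    "drivestoredirect": "local drives mapped into the remote session",
    "devicestoredirect": "plug-and-play devices redirected",
    "usbdevicestoredirect": "USB devices redirected",
    "redirectsmartcards": "smart cards forwarded to the remote host",
    "redirectwebauthn": "Windows Hello / passkey (WebAuthn) requests forwarded",
    "redirectposdevices": "point-of-sale devices forwarded",
}
MEDIUM_RISK = {
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "printers forwarded",
    "redirectcomports": "COM ports forwarded",
    "camerastoredirect": "cameras redirected",
    "audiocapturemode": "microphone forwarded",
    "remoteapplicationmode": "RemoteApp mode hides the remote desktop from the user",
}


def parse_rdp(data: bytes) -> dict[str, tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}.

    mstsc.exe saves files as UTF-16 with a BOM; hand-crafted ones are usually
    UTF-8/ASCII, so both are accepted. Malformed lines are skipped, not fatal.
    """
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8-sig")
    settings: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue
        settings[parts[0].strip().lower()] = (parts[1], parts[2].strip())
    return settings


def _enabled(setting: Optional[tuple[str, str]]) -> bool:
    """An integer flag is active when it is 1; a string list when it is non-empty."""
    if setting is None:
        return False
    kind, value = setting
    return value == "1" if kind == "i" else value != ""


@dataclass
class RdpAssessment:
    target: str          # host the file would connect to
    signed: bool         # a signature block is present (not a trust decision)
    findings: list[tuple[str, str, str]] = field(default_factory=list)  # (severity, key, note)

    @property
    def severity(self) -> str:
        levels = {sev for sev, _, _ in self.findings}
        return "high" if "high" in levels else "medium" if "medium" in levels else "none"


def assess_rdp(data: bytes) -> RdpAssessment:
    """Return the connection target, signature presence and every redirection finding."""
    s = parse_rdp(data)
    target = s.get("full address", ("s", ""))[1] or s.get("alternate full address", ("s", ""))[1]
    result = RdpAssessment(target=target, signed="signature" in s)
    for key, note in HIGH_RISK.items():
        if _enabled(s.get(key)):
            result.findings.append(("high", key, note))
    for key, note in MEDIUM_RISK.items():
        if _enabled(s.get(key)):
            result.findings.append(("medium", key, note))
    return result


# Constructed sample modelled on the behaviour the report describes: a signed file
# pointing at an external host with local resources redirected. The host name and
# the signature value are placeholders, not indicators from the report.
LURE_RDP = b"""\
full address:s:rdp.example.invalid
remoteapplicationmode:i:1
drivestoredirect:s:*
devicestoredirect:s:*
usbdevicestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
redirectposdevices:i:1
redirectprinters:i:1
redirectcomports:i:1
audiocapturemode:i:1
signscope:s:Full Address,Remote Application Mode,Drive Store Redirect
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

# Constructed sample of an administrator-created file for an internal jump host,
# saved by mstsc.exe (UTF-16 with BOM) with redirection switched off.
INTERNAL_RDP = (
    "full address:s:jumphost.corp.example\nredirectclipboard:i:0\ndrivestoredirect:s:\n"
).encode("utf-16")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_RDP), ("internal", INTERNAL_RDP)):
        a = assess_rdp(blob)
        print(f"{label}: target={a.target} signed={a.signed} severity={a.severity}")
        for sev, key, note in a.findings:
            print(f"  [{sev}] {key}: {note}")
```

Run at an email gateway or over a mailbox export, any ‘.rdp’ whose target is not on an allow-list of internal hosts and whose severity is not ‘none’ is a quarantine candidate; the signed flag is deliberately not treated as a mitigating factor, since the files in this campaign were signed.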
Stephen Kowski, Field CTO at SlashNext, also advised system administrators to “implement real-time scanning of all email attachments and links,” specifically for “RDP configuration files and other seemingly legitimate Microsoft-related content.”
He also recommended strengthening email security using advanced AI-powered detection to identify sophisticated impersonation and social engineering attempts. Kowski also warned that the threat actor could exploit the 2024 elections to gather intelligence and disrupt critical infrastructure.
“These attacks will likely intensify as we approach Election Day, as threat actors often capitalize on heightened periods of public interest and institutional activity to maximize their success rates,” said Kowski.