
Large Midnight Blizzard Phishing Attack Involving Weaponized RDP Files


Researchers have issued a warning about ongoing spear-phishing attacks conducted by the Russian threat actor Midnight Blizzard, targeting individuals across various sectors. This group has been sending signed RDP configuration files to thousands of targets in an attempt to compromise systems and gather intelligence.

Midnight Blizzard, a Russian state-backed threat actor linked to the SVR, has recently adopted a new tactic of using signed RDP configuration files to breach target devices. By combining this tactic with traditional account-compromise methods and advanced exploitation techniques, the group has managed to expand its access and avoid detection.

The primary targets of Midnight Blizzard include government, diplomatic, NGO, and IT service provider entities in the US and Europe, with the goal of collecting sensitive intelligence. Recent observations by CERT-UA and Amazon have highlighted the ongoing threat posed by this group.

In addition to the use of signed RDP configuration files, Midnight Blizzard employs a variety of tactics to gain initial access, such as phishing, credential theft, and supply chain attacks. They exploit compromised on-premises environments to infiltrate cloud services and leverage service providers’ trust chains to target downstream customers. Known for their use of AD FS malware like FOGGYWEB and MAGICWEB, Midnight Blizzard is also adept at launching highly targeted spear-phishing campaigns.

These spear-phishing campaigns typically distribute emails disguised as legitimate communications from reputable organizations such as Microsoft and Amazon Web Services, or as Zero Trust initiatives. The emails carry malicious RDP configuration files; when a recipient opens one, it establishes a connection between the victim’s device and an attacker-controlled server, granting the attacker extensive access to the victim’s system.

By opening a malicious RDP file, victims unknowingly grant unauthorized access to sensitive system information, including file systems, network drives, authentication credentials, and more. This access allows attackers to install malware for persistent control over the victim’s system.
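The resource redirection described above is driven by settings inside the .rdp file itself, which is a plain-text list of `key:type:value` lines. The following triage script is an added example for this article, not code from the researchers or from Microsoft: it parses an .rdp attachment, flags settings that expose local drives, clipboard, smart cards and other resources to the remote host, and reports a connection to any host that is not on an allowlist. The setting names are standard RDP file keys; the sample file, the hostname and the allowlist are constructed for the example.

```python
"""Triage an .rdp attachment for settings that hand local resources to the remote host.

Added example for this article; the sample file below is constructed, not a real IOC.
"""

# RDP file keys whose enabled values expose local resources to the remote host.
# These are standard mstsc settings; the descriptions are ours.
RISKY_KEYS = {
    "drivestoredirect": "local drives mapped into the remote session",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "local printers redirected",
    "redirectsmartcards": "smart cards exposed to the remote host",
    "redirectcomports": "serial ports redirected",
    "devicestoredirect": "plug-and-play devices redirected",
    "redirectwebauthn": "WebAuthn/FIDO authenticators redirected",
    "remoteapplicationmode": "RemoteApp mode: remote programs appear as local windows",
}


def parse_rdp(text):
    """Parse 'key:type:value' lines into a dict; keys lower-cased, 'i' values as int."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)  # the value itself may contain ':' (host:port)
        if len(parts) != 3:
            continue
        key, typ, value = parts[0].strip().lower(), parts[1].strip(), parts[2].strip()
        if typ == "i":
            try:
                value = int(value)
            except ValueError:
                pass  # leave malformed integers as strings; they still get reported
        settings[key] = value
    return settings


def is_enabled(value):
    """Integer settings are on when non-zero; string settings when non-empty and not '0'."""
    if isinstance(value, int):
        return value != 0
    return bool(value) and value != "0"


def triage(text, trusted_hosts=()):
    """Return a list of finding strings for the given .rdp file content."""
    settings = parse_rdp(text)
    findings = []
    target = str(settings.get("full address", ""))
    hostname = target.split(":")[0].lower()
    if target and hostname not in {h.lower() for h in trusted_hosts}:
        findings.append(f"connects to non-allowlisted host {target}")
    for key, why in RISKY_KEYS.items():
        if key in settings and is_enabled(settings[key]):
            findings.append(f"{key}={settings[key]}: {why}")
    # A signature block only proves who signed the file, not that the destination is safe.
    if "signature" in settings:
        findings.append("file is signed; signature does not make the destination trusted")
    return findings


# Constructed sample resembling a weaponized attachment (hostname is a placeholder).
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdp.example-cloud.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:0
remoteapplicationmode:i:1
"""

# Constructed benign sample: allowlisted jump host, redirection switched off.
BENIGN_RDP = """\
full address:s:corp-jump.internal
redirectclipboard:i:0
drivestoredirect:s:
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        print(name)
        for finding in triage(text, trusted_hosts=("corp-jump.internal",)):
            print("  -", finding)
```

Run against a mail gateway's quarantined attachments, the findings list is what an analyst wants to see first: the destination host and each redirection that is switched on. Blocking outbound TCP/3389 at the perimeter and, where the client policy supports it, disabling drive and clipboard redirection for unknown hosts removes most of the value of such a file even if a user opens it.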

One of the notable campaigns observed by Microsoft targeted specific sectors, such as government agencies, education, defense, and NGOs, in the UK, Europe, Australia, and Japan. These attacks typically involve emails sent from the compromised email addresses of legitimate organizations, using tactics that have been seen in previous Midnight Blizzard attacks.

The analysis of indicators of compromise (IOCs) from these attacks reveals a potential phishing campaign targeting organizations in Eastern Europe. Email senders often impersonate legitimate companies, with recipients likely to be individuals in government, military, and utility sectors.

To enhance the credibility of their campaigns, the attackers use RDP filenames containing security and compliance keywords and point the files at geographically relevant AWS-themed cloud domains. This approach aims to convince recipients that the emails are legitimate communications.

Overall, the ongoing spear-phishing campaigns by Midnight Blizzard serve as a reminder of the persistent threat posed by this group and the importance of remaining vigilant against such attacks. Organizations and individuals are advised to be cautious of suspicious emails and avoid opening attachments from unknown senders to protect themselves from falling victim to these malicious tactics.
