CyberSecurity SEE

Midnight Blizzard Aims at Networks Using Signed RDP Files

A threat group known as “Midnight Blizzard,” which is believed to be linked to Russia’s foreign intelligence service, has raised alarm bells due to its recent large-scale campaign that targets organizations worldwide using a new tactic for gaining access to victim systems.

According to Microsoft’s threat intelligence group, Midnight Blizzard has been sending thousands of spear-phishing emails to targeted individuals at over 100 organizations globally since October 22. What sets this campaign apart is the group’s use of a digitally signed Remote Desktop Protocol (RDP) configuration file as the email attachment. When the recipient opens the file, their machine establishes an RDP connection to a server controlled by the threat actor, allowing the actor to harvest user credentials and detailed system information to facilitate further exploitation.

The emails distributed by Midnight Blizzard were highly targeted, using social engineering lures related to Microsoft, Amazon Web Services (AWS), and the concept of zero trust. Microsoft has confirmed that the campaign has been focused on governmental agencies, higher education institutions, defense organizations, and non-governmental entities in numerous countries, with a particular emphasis on the UK, Europe, Australia, and Japan.

Midnight Blizzard, also known as Cozy Bear, APT29, and UNC2452, has a history of targeting prominent organizations, including SolarWinds, Microsoft, HPE, various US federal government agencies, and diplomatic entities worldwide. The group employs a range of tactics, such as spear-phishing, stolen credentials, and supply chain attacks, to gain initial access. Additionally, they have targeted vulnerabilities in popular networking and collaboration technologies from companies like Fortinet, Pulse Secure, Citrix, and Zimbra to infiltrate target networks.

The use of signed RDP files in Midnight Blizzard’s recent campaign is a significant development, according to Stephen Kowski, field CTO at SlashNext. These files can bypass traditional security controls as they appear to be from a legitimate source. Kowski recommends that organizations closely monitor all email attachments, paying special attention to RDP files and other seemingly legitimate Microsoft-related content.

To mitigate the threat posed by Midnight Blizzard, Microsoft has released a list of indicators of compromise for the new campaign. They advise security teams to review email security settings, activate features like Safe Links and Safe Attachments in Office 365, and implement measures to block RDP connections and enable multifactor authentication. Venky Raju, field CTO at ColorTokens, underscores the importance of controlling the use of Microsoft’s remote desktop to prevent attackers from exploiting vulnerabilities.
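The attachment monitoring Kowski recommends depends on what an .rdp configuration file is allowed to do once it is opened, which is what the Microsoft description above turns on. As an added example (not the article's or Microsoft's own code), this Python triage helper parses an .rdp attachment, notes whether it carries a signature block, checks the `full address` host against an allowlist, and lists the resource-redirection settings it enables; the setting names are taken from the documented .rdp file format, while the allowlist, the verdict thresholds and the sample file are constructed for this example.

```python
# Setting names come from the documented .rdp file format; which ones count as
# risky is this example's own assumption, not the article's.
REDIRECT_SETTINGS = {
    "drivestoredirect": "local drives exposed to the remote host",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectsmartcards": "smart cards forwarded to the remote host",
    "remoteapplicationmode": "RemoteApp mode, session looks like a local app",
}

def parse_rdp(text):
    """Return {name: (type, value)} for every 'name:type:value' line."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value may itself contain ':'
        if len(parts) == 3:
            settings[parts[0].lower()] = (parts[1], parts[2])
    return settings

def is_enabled(entry):
    """Integer settings are on when non-zero, string settings when non-empty."""
    typ, value = entry
    return value.strip() not in ("", "0") if typ == "i" else value.strip() != ""

def triage_rdp(text, trusted_hosts):
    """Classify an .rdp attachment as 'allow', 'review' or 'block' with reasons."""
    s = parse_rdp(text)
    host = s.get("full address", ("s", ""))[1].split(":")[0].lower()
    findings = []
    if "signature" in s or "signscope" in s:
        findings.append("file is signed; a valid signature says nothing about intent")
    untrusted = host not in {h.lower() for h in trusted_hosts}
    if untrusted:
        findings.append(f"connects to non-allowlisted host {host or '<none>'}")
    redirects = [desc for key, desc in REDIRECT_SETTINGS.items()
                 if key in s and is_enabled(s[key])]
    findings.extend(redirects)
    verdict = ("block" if untrusted and redirects
               else "review" if untrusted or redirects else "allow")
    return {"host": host, "verdict": verdict, "findings": findings}

# Constructed sample attachment; host and signature blob are placeholders.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
signscope:s:Full Address,Alternate Full Address
signature:s:PLACEHOLDER-SIGNATURE-BLOB
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
"""
```

Running `triage_rdp(SAMPLE_RDP, {"rdp.corp.example"})` on the sample yields a "block" verdict because the file both points at a host outside the allowlist and redirects local drives, clipboard and smart cards; a signed file from a trusted host with no redirection is reported as "allow".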

In conclusion, the Midnight Blizzard campaign serves as a stark reminder of the evolving cybersecurity threats faced by organizations globally. By staying vigilant, implementing robust security measures, and staying informed about emerging threats, organizations can better protect themselves from malicious actors seeking to compromise their systems and data.
