Heimdal

An ongoing spear-phishing campaign is hitting organizations across multiple sectors, including government agencies. According to Microsoft, the Russian state-sponsored APT group Midnight Blizzard (also tracked as APT29, UNC2452 and Cozy Bear) is behind the attacks. The same threat actor breached Microsoft itself earlier this year and was responsible for the notorious 2020 SolarWinds supply chain attack.

Per Microsoft's blog post, the campaign has been active since October 22nd. Microsoft Threat Intelligence observed Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, defense, academia, NGOs and other sectors.

Based on its investigation of previous Midnight Blizzard spear-phishing campaigns, Microsoft assesses that the goal of the operation is likely intelligence collection.

Details About the Campaign

The spear-phishing emails from this campaign were sent to thousands of targets in over 100 organizations. The emails were highly targeted, using social engineering lures and some even impersonating Microsoft employees to add credibility. The threat actor also made references to other cloud providers in the lures.

The phishing emails carried a Remote Desktop Protocol (RDP) configuration file signed with a Let's Encrypt certificate. A valid signature only identifies a publisher; it says nothing about whether the connection the file sets up is safe.

The malicious .RDP attachment contained several sensitive settings that, once the victim opened the file, could lead to significant information exposure. On opening, the client established a connection to the actor-controlled server and mapped the resources of the targeted user's local device to that server in both directions.

Resources sent to the server may include, but are not limited to:

  • All logical hard disks;
  • Clipboard contents;
  • Printers;
  • Connected peripheral devices;
  • Authentication features and facilities of the Windows OS.

This access could allow the threat actor to install additional tools, such as remote access trojans (RATs), to retain access after the RDP session ends, or to implant malware on the target's local drive(s) and mapped network share(s), especially in AutoStart directories.

Establishing an RDP connection to the actor-controlled system may also expose the credentials of the user signed in to the target system.

How the RDP Connection Works

An RDP connection to an actor-controlled system is established as soon as the target opens the .RDP attachment. The connection's configuration then allows the threat actor to discover and use information about the target system, including:

  • Files and directories;
  • Connected network drives;
  • Connected peripherals, including smart cards, printers, and microphones;
  • Web authentication using Windows Hello, passkeys, or security keys;
  • Clipboard data;
  • Point of Service (also known as Point of Sale or POS) devices.
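The two lists above describe what a single .rdp attachment can hand to the remote host. The following triage helper is an added example, not code from Microsoft, CISA or Heimdal: it parses an .rdp file and reports which of those redirection settings are switched on, where the file connects, and whether it carries a signature block. The file format (one `name:type:value` line per setting; UTF-16LE with a BOM when saved by mstsc.exe, often plain UTF-8 when hand-written) and the setting names are real; the sample attachment at the end is constructed for this example, with a fictitious hostname and a placeholder signature value.

```python
"""Triage helper for .rdp email attachments (added example, not the page's code)."""
import codecs
import json

# Setting -> what its enabled value hands to the remote (here: attacker-controlled) host.
# "i" settings are enabled when the value is 1; "s" settings when non-empty ("*" = all).
RISKY_SETTINGS = {
    "drivestoredirect": "local drives (every drive when '*')",
    "devicestoredirect": "plug-and-play devices",
    "usbdevicestoredirect": "USB devices",
    "redirectclipboard": "clipboard contents",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectwebauthn": "Windows Hello / passkey / security-key prompts",
    "redirectposdevices": "point-of-service (POS) devices",
    "redirectcomports": "serial (COM) ports",
    "remoteapplicationmode": "RemoteApp mode (no full desktop window to alert the user)",
}


def decode_rdp(data: bytes) -> str:
    """Decode the file body, honouring a UTF-16/UTF-8 BOM when present."""
    for bom, encoding in ((codecs.BOM_UTF16_LE, "utf-16-le"),
                          (codecs.BOM_UTF16_BE, "utf-16-be"),
                          (codecs.BOM_UTF8, "utf-8")):
        if data.startswith(bom):
            return data[len(bom):].decode(encoding, errors="replace")
    return data.decode("utf-8", errors="replace")


def parse_rdp(data: bytes) -> dict:
    """Return {setting name: (type, value)}.

    Values may themselves contain ':' (e.g. host:port), so split on the first two only.
    """
    settings = {}
    for raw in decode_rdp(data).splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue  # blank or malformed line: skip rather than crash on hostile input
        settings[parts[0].strip().lower()] = (parts[1], parts[2])
    return settings


def analyze_rdp(data: bytes) -> dict:
    """Summarize where the file connects and which local resources it exposes."""
    settings = parse_rdp(data)
    exposed = {}
    for name, what in RISKY_SETTINGS.items():
        if name in settings:
            typ, value = settings[name]
            enabled = value.strip() == "1" if typ == "i" else value.strip() != ""
            if enabled:
                exposed[name] = what
    host = (settings.get("full address", ("s", ""))[1]
            or settings.get("alternate full address", ("s", ""))[1]).strip()
    return {
        "host": host,
        # A signature block proves someone held a certificate, not that the
        # connection is benign: the campaign's files were signed and still hostile.
        "signed": "signature" in settings,
        "exposed": exposed,
        "verdict": "block" if exposed else "review",
    }


# Constructed sample attachment: UTF-16LE with BOM, the way mstsc.exe writes files.
# The hostname is fictitious and the signature value is a constructed placeholder.
SAMPLE_ATTACHMENT = codecs.BOM_UTF16_LE + "\r\n".join([
    "full address:s:rdp.example.invalid:3389",
    "remoteapplicationmode:i:1",
    "drivestoredirect:s:*",
    "devicestoredirect:s:*",
    "redirectclipboard:i:1",
    "redirectprinters:i:1",
    "redirectsmartcards:i:1",
    "redirectwebauthn:i:1",
    "redirectposdevices:i:1",
    "audiomode:i:2",
    "signature:s:AAAA",
]).encode("utf-16-le")

if __name__ == "__main__":
    print(json.dumps(analyze_rdp(SAMPLE_ATTACHMENT), indent=2))
```

Run against the sample, the verdict is `block` with eight exposed settings; a file that only names an internal terminal server and leaves redirection off comes back as `review`, since any .rdp attachment arriving by email still deserves a look. The check deliberately treats a signature as a fact to record rather than a reason to trust the file.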

Targets and Midnight Blizzard’s Email Infrastructure

Microsoft has observed this campaign targeting defense, higher education, government agencies and non-governmental organizations in dozens of countries, particularly in the UK, Europe, Australia and Japan.

The emails in this campaign were sent from addresses belonging to legitimate organizations, gathered by the threat actor during previous compromises. Midnight Blizzard is consistent and persistent in its targeting, and its objectives rarely change.

The threat group uses diverse initial access methods, including spear phishing, stolen credentials, supply chain attacks, compromise of on-premises environments to move laterally into the cloud, and abuse of service providers' trust chains to reach downstream customers.

Protection Measures

After receiving multiple reports about the attack, CISA released a list of proactive measures that it urges organizations to take, such as:

  • Restrict outbound RDP connections;
  • Block RDP files in communication platforms;
  • Prevent execution of RDP files (the attachments in this campaign were signed, so a control that only blocks unsigned .rdp files would not have stopped them);
  • Enable multi-factor authentication (MFA);
  • Adopt phishing-resistant authentication methods;
  • Implement conditional access policies;
  • Deploy an endpoint detection and response (EDR) tool;
  • Consider additional security solutions in conjunction with the EDR software;
  • Conduct user education;
  • Hunt for activity using referenced indicators and TTPs.
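The last two measures, restricting outbound RDP and hunting for the TTPs, both come down to the same telemetry: the built-in client logs every host it tries to reach, and process creation auditing records mstsc.exe being launched with an .rdp file. The hunt below is an added example, not code from Microsoft, CISA or Heimdal. It runs two checks over events exported from a SIEM as dicts: mstsc.exe launched with an .rdp file from a location where mail attachments and downloads land (Security 4688 / Sysmon 1), and the RDP client reporting a target that is not an approved destination (Microsoft-Windows-TerminalServices-RDPClient/Operational events 1024 and 1102). The event sources and message formats are real; the allowlist, the hostnames and the sample events are constructed for the example, and the internal ranges are simply RFC 1918.

```python
"""Hunt for .rdp attachment execution and outbound RDP (added example, not the page's code)."""
import ipaddress
import re

# Hypothetical environment: the only hosts users are expected to reach over RDP.
APPROVED_RDP_HOSTS = {"ts01.corp.example", "jump.corp.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Folders an .rdp attachment is opened from when double-clicked in Outlook or a browser.
ATTACHMENT_DIRS = re.compile(r"\\(Content\.Outlook|INetCache|Downloads|Temp)\\", re.IGNORECASE)
# Event 1024: "... trying to connect to the server (host)"; 1102: "... to the server 203.0.113.10."
TARGET_IN_MESSAGE = re.compile(r"to the server \(?([^\s()]+?)\)?\.?$")


def extract_target(message: str):
    """Pull the server name or IP out of an RDPClient 1024/1102 message, minus any :port."""
    m = TARGET_IN_MESSAGE.search(message.strip())
    if not m:
        return None
    target = m.group(1).lower()
    name, sep, port = target.rpartition(":")
    if sep and port.isdigit() and ":" not in name:  # host:port, but leave IPv6 literals alone
        target = name
    return target


def is_approved(target: str) -> bool:
    """Approved = on the allowlist, or an internal (RFC 1918) IP address."""
    if target in APPROVED_RDP_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def hunt(events):
    """Return one finding per suspicious event, in input order."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if eid in (4688, 1) and ev.get("new_process", "").lower().endswith("\\mstsc.exe"):
            cmd = ev.get("command_line", "")
            if ".rdp" in cmd.lower() and ATTACHMENT_DIRS.search(cmd):
                findings.append({"rule": "rdp_file_opened_from_attachment_path",
                                 "host": ev.get("host"), "user": ev.get("user"), "detail": cmd})
        elif eid in (1024, 1102) and "RDPClient" in ev.get("provider", ""):
            target = extract_target(ev.get("message", ""))
            if target and not is_approved(target):
                findings.append({"rule": "outbound_rdp_to_unapproved_host",
                                 "host": ev.get("host"), "user": ev.get("user"), "target": target})
    return findings


# Constructed telemetry: one workstation opening an attachment that dials out to a
# fictitious external host, and one legitimate session to an approved terminal server.
SAMPLE_EVENTS = [
    {"host": "WS-0451", "user": "CORP\\alice", "event_id": 4688,
     "provider": "Microsoft-Windows-Security-Auditing",
     "new_process": r"C:\Windows\System32\mstsc.exe",
     "command_line": r'"C:\Windows\System32\mstsc.exe" "C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\K7Q2M9\Invite.rdp"'},
    {"host": "WS-0451", "user": "CORP\\alice", "event_id": 1024,
     "provider": "Microsoft-Windows-TerminalServices-RDPClient",
     "message": "RDP ClientActiveX is trying to connect to the server (rdp.example.invalid)"},
    {"host": "WS-0451", "user": "CORP\\alice", "event_id": 1102,
     "provider": "Microsoft-Windows-TerminalServices-RDPClient",
     "message": "The client has initiated a multi-transport connection to the server 203.0.113.10."},
    {"host": "WS-0212", "user": "CORP\\bob", "event_id": 4688,
     "provider": "Microsoft-Windows-Security-Auditing",
     "new_process": r"C:\Windows\System32\mstsc.exe",
     "command_line": r'"C:\Windows\System32\mstsc.exe" /v:ts01.corp.example'},
    {"host": "WS-0212", "user": "CORP\\bob", "event_id": 1024,
     "provider": "Microsoft-Windows-TerminalServices-RDPClient",
     "message": "RDP ClientActiveX is trying to connect to the server (ts01.corp.example)"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample, alice's workstation produces three findings (the attachment launch, then the client reporting both the hostname and the resolved IP it connected to), while bob's session to the approved terminal server produces none. Feeding the same 1024/1102 events into an outbound-RDP allowlist is also the quickest way to measure how much legitimate external RDP exists before enforcing the "restrict outbound RDP" control at the firewall.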


Microsoft is currently in the process of notifying the customers that have been targeted or compromised, and offering them support to secure their accounts.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
