Monday, December 9, 2024
HomeCyber AttackMassive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Published on

SIEM as a Service

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in various sectors.

The attacks involve sending signed RDP configuration files to thousands of targets, aiming to compromise systems for intelligence gathering. 

The actor impersonates Microsoft employees and references other cloud providers to increase credibility, so users are advised to be cautious of suspicious emails and avoid opening attachments from unknown senders.

- Advertisement - SIEM as a Service

Midnight Blizzard, a Russian-backed threat actor linked to the SVR, has employed a novel tactic by using a signed RDP configuration file to breach target devices.

This tactic, coupled with their traditional methods of account compromise and advanced exploitation, has allowed them to expand their access and evade detection. 

Malicious remote connection
Malicious remote connection

The group primarily targets government, diplomatic, NGO, and IT service provider entities in the US and Europe, aiming to collect sensitive intelligence. CERT-UA and Amazon have recently observed activity, highlighting the ongoing threat posed by Midnight Blizzard. 

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Midnight Blizzard, a persistent threat actor, employs diverse tactics to gain initial access, including phishing, credential theft, and supply chain attacks. 

They leverage compromised on-premises environments to infiltrate cloud services and exploit service providers’ trust chains to target downstream customers. The group is known for using AD FS malware like FOGGYWEB and MAGICWEB. 

To launch a highly targeted spear-phishing campaign, it distributed emails disguised as legitimate communications from Microsoft, Amazon Web Services, and Zero Trust initiatives. 

When executed, these emails contained malicious RDP configuration files, which established a bidirectional connection between the victim’s device and an attacker-controlled server. 

This connection granted the attacker extensive access to the victim’s system, including sensitive data, network resources, and the ability to install malware for persistent control.

The victim opened a malicious RDP file, inadvertently establishing an RDP connection to an attacker-controlled server.

This granted the attacker unauthorized access to sensitive system information, including file systems, network drives, peripheral devices, authentication credentials, clipboard data, and POS devices.

Microsoft observed a Midnight Blizzard phishing campaign targeting specific sectors, such as government agencies, education, defense, and NGOs, in several countries, especially the UK, Europe, Australia, and Japan. 

It was a common strategy used in previous Midnight Blizzard attacks, and the emails were sent from email addresses belonging to legitimate organizations that had been compromised.

An analysis of the indicators of compromise (IOCs) reveals a potential phishing campaign targeting organizations with user accounts potentially located in Eastern Europe. 

The email senders include domains impersonating legitimate companies (.co.uk, .com.au) with recipients likely in government, military, and utility sectors (.gov, .mil, .energy). 

Using RDP filenames containing security and compliance keywords, such as AWS, IAM, SDE, and Zero Trust, can conceal the urgency. 

While the remote desktop connection attempts to target geographically relevant AWS cloud domains (ap-northeast-1, eu-central-1, us-east-1), further enhancing the campaign’s credibility. 

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Latest articles

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and...

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin...

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its...

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and...

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin...

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its...