Midnight Blizzard Escalates Spear-Phishing Attacks

Microsoft Threat Intelligence has uncovered a new attack campaign by Russian threat actor Midnight Blizzard, targeting thousands of users across over 100 organizations. The attack leverages spear-phishing emails with RDP configuration files, allowing attackers to connect to and potentially compromise the targeted systems.

The attack campaign targeted thousands of users in higher education, defense, non-governmental organizations, and government agencies. Dozens of countries have been impacted, particularly in the U.K., Europe, Australia, and Japan, which is consistent with previous Midnight Blizzard phishing campaigns.

Phishing emails contained RDP configuration file

In the latest Midnight Blizzard attack campaign, victims received highly targeted emails that used social engineering lures relating to Microsoft, Amazon Web Services, and the concept of Zero Trust.

According to Microsoft Threat Intelligence, the emails were sent using email addresses belonging to legitimate organizations, gathered by the threat actor during previous compromises. All emails contained a RDP configuration file, signed with a free LetsEncrypt certificate, that included several sensitive settings.

When a user opened the file, an RDP connection would be established to an attacker-controlled system. The configuration of the established RDP connection would then allow the threat actor to collect information about the targeted system, such as files and folders, connected network drives, peripherals including printers, microphones, and smart cards.

It would also enable the collection of clipboard data, web authentication using Windows Hello, passkeys and security keys, and even Point-of-Sale devices. Such a connection might also allow the threat actor to install malware on the targeted system or on mapped network share(s).

The outbound RDP connections were established to domains created to trick the target into believing they were AWS domains. Amazon, working with the Ukrainian CERT-UA on fighting the threat, immediately initiated the process of seizing affected domains to disrupt the operation. Meanwhile, Microsoft directly notified impacted customers that have been targeted or compromised.

Midnight Blizzard has targeted various sectors in recent years

According to a joint cybersecurity advisory, Midnight Blizzard, as well as threat actors APT29, Cozy Bear, and the Dukes, are associated with the Russian Federation Foreign Intelligence Service.

Since at least 2021, Midnight Blizzard has routinely targeted U.S., European, and global entities in the Defense, Technology, and Finance sectors, pursuing cyberespionage purposes and enabling further cyber operations, including in support of Russia’s ongoing invasion of Ukraine.

SEE: How to Create an Effective Cybersecurity Awareness Program (TechRepublic Premium)

In January 2024, the group targeted Microsoft and Hewlett Packard Enterprise, gaining access to email boxes of several employees. Following the incident, Microsoft stated that the cybercriminals were initially targeting email accounts for information related to Midnight Blizzard itself.

Then, in March 2024, the threat actor reportedly adapted its tactics to target more cloud environments.

According to Microsoft, Midnight Blizzard is one of the stealthiest cyberattackers. As a separate Microsoft report noted, the group had previously disabled the organization’s Endpoint Detection and Response solutions after a system reboot. They then waited quietly for a month for computers to reboot and took advantage of vulnerable computers that had not been patched.

The threat actor is also highly technical, as it has been observed deploying MagicWeb, a malicious DLL placed on Active directory Federated Services servers to stay persistent and steal information. The tool also allows the Midnight Blizzard to generate tokens that allow it to bypass AD FS policies and sign in as any user.

How to protect against Midnight Blizzard

Several actions can be taken to protect from this threat:

• Outbound RDP connections to external or public networks should be forbidden or restricted.
• RDP files should be blocked from email clients or webmail.
• RDP files should be blocked from being executed by users.
• Multi-factor authentication must be enabled where possible.
• Phishing-resistant authentication methods should be deployed, such as using FIDO tokens. SMS-based MFA should not be used, as it may be bypassed by SIM-jacking attacks.
• Conditional Access Authentication Strength must be implemented to require phishing-resistant authentication.

Additionally, Endpoint Detection and Response (EDR) must be deployed to detect and block suspicious activity. Organizations should also consider deploying antiphishing and antivirus solutions to help detect and block the threat.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.