Threat actors impersonate trusted entities to deceive individuals into revealing sensitive information in phishing attacks.
Phishing attacks are executed via fraudulent emails and messages carrying malicious links that lead to fake websites. Phishing remains one of the most prevalent forms of cyber threat, and it comes in many varieties.
Microsoft Threat Intelligence researchers recently discovered a massive Midnight Blizzard Phishing attack that has been using weaponized RDP files.
Russian cyber threat group Midnight Blizzard (aka “APT29,” “UNC2452,” and “Cozy Bear”), operating under Russia’s Foreign Intelligence Service (SVR) initiated a sophisticated “cyber-espionage campaign” on October 22, 2024.
This espionage campaign targets multiple sectors:
- Government agencies
- Academic institutions
- Defense organizations
- Non-governmental organizations (NGOs)
The threat actors employed spear-phishing emails containing malicious RDP configuration files (.rdp files) that, when opened, connect the victim’s machine to attacker-controlled servers.
The campaign’s distinctive features include impersonation of Microsoft employees to appear legitimate, abuse of cloud service providers’ trust relationships, and deployment of specialized malware such as “FOGGYWEB” and “MAGICWEB,” both of which specifically target a critical authentication system, Active Directory Federation Services (AD FS).
The threat actor’s tactics also include stealing legitimate credentials by compromising supply chains and moving laterally from on-premises networks into cloud environments; the activity affects thousands of targets across more than 100 organizations, primarily in the United States and Europe.
The campaign has been independently confirmed by Ukraine’s CERT-UA (which tracks it as UAC-0215) and by Amazon. Its use of signed RDP configuration files is a new approach for this group, marking an evolution in persistent intelligence-gathering operations that date back to 2018.
In this campaign the threat actors targeted thousands of users across 100+ organizations with misleading emails that impersonated Microsoft, Amazon Web Services (AWS), and Zero Trust security concepts.
Once opened, the malicious files enable bidirectional mapping of local resources to the attacker’s server, exposing sensitive data and devices such as local hard drives, clipboard contents, printers, peripheral devices, audio systems, and Windows authentication features (including smart cards and Windows Hello credentials).
This access could allow the threat actors to install malware, drop RATs in AutoStart folders, and maintain persistent access to the system even after the RDP session is terminated.
The campaign focused on entities in the United Kingdom, Europe, Australia, and Japan.
The threat actors leveraged previously compromised legitimate email addresses from other organizations to distribute these phishing emails, which made the campaign appear more credible to targets.
By exploiting the RDP connection’s configuration settings, the threat actors gained access to further system components such as connected network drives, Point of Service (POS) devices, and web authentication mechanisms using passkeys and security keys.
This allows the threat actors to build a comprehensive system compromise that can persist beyond the initial attack.
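The redirection settings the article describes are plain `name:type:value` lines inside the .rdp file, so a mail gateway or SOC analyst can triage an attachment before anyone opens it. The following Python is an added example for this article, not Microsoft’s tooling and not code from the campaign; the two sample .rdp contents, the host name `rdp.attacker-controlled.invalid`, and the signature blob are constructed placeholders rather than real campaign artifacts.

```python
"""Triage an .rdp attachment for the resource-redirection settings the article describes.

Added example; the sample file contents below are constructed, not real campaign files.
"""
from __future__ import annotations

import codecs

# RDP file settings that, when enabled, let the remote host reach local resources.
# Each entry: setting name -> (test on the raw value, description of the exposure).
REDIRECTION_SETTINGS = {
    "drivestoredirect": (lambda v: v != "", "local drives mapped into the session"),
    "redirectclipboard": (lambda v: v == "1", "clipboard shared with the remote host"),
    "redirectprinters": (lambda v: v == "1", "printers redirected"),
    "redirectcomports": (lambda v: v == "1", "serial (COM) ports redirected"),
    "redirectsmartcards": (lambda v: v == "1", "smart cards exposed to the remote host"),
    "redirectposdevices": (lambda v: v == "1", "point-of-service devices redirected"),
    "redirectwebauthn": (lambda v: v == "1", "WebAuthn passkeys / security keys forwarded"),
    "devicestoredirect": (lambda v: v != "", "plug-and-play devices redirected"),
    "audiocapturemode": (lambda v: v == "1", "microphone capture redirected"),
}


def load_rdp(data: bytes) -> str:
    """Decode raw .rdp bytes: mstsc writes UTF-16 with a BOM, but UTF-8 files exist too."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_rdp(text: str) -> dict[str, str]:
    """Parse 'name:type:value' lines; type is 's' (string) or 'i' (integer)."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)  # value may itself contain ':' (host:port)
        if len(parts) != 3 or parts[1] not in ("s", "i"):
            continue  # blank or malformed line; ignore
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def triage_rdp(text: str) -> dict:
    """Report enabled redirections, the connection target, and whether the file
    carries a publisher signature block (signscope + signature lines)."""
    s = parse_rdp(text)
    findings = [
        (name, s[name], desc)
        for name, (is_risky, desc) in REDIRECTION_SETTINGS.items()
        if name in s and is_risky(s[name])
    ]
    # Verdict thresholds are this example's own policy, not a vendor recommendation.
    verdict = "block" if len(findings) >= 3 else "review" if findings else "allow"
    return {
        "full_address": s.get("full address", ""),
        "remoteapp": s.get("remoteapplicationmode") == "1",
        "signed": "signscope" in s and "signature" in s,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed sample mirroring the settings described in the article (placeholder host/signature).
SUSPICIOUS_RDP = """\
full address:s:rdp.attacker-controlled.invalid:3389
remoteapplicationmode:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
redirectposdevices:i:1
redirectwebauthn:i:1
devicestoredirect:s:*
audiocapturemode:i:1
signscope:s:Full Address,RemoteApplicationMode
signature:s:PLACEHOLDER-SIGNATURE-BLOB==
"""

# Constructed benign sample: internal host, no redirection enabled.
BENIGN_RDP = """\
full address:s:ts01.corp.example.invalid
redirectclipboard:i:0
drivestoredirect:s:
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        report = triage_rdp(sample)
        print(f"[{label}] target={report['full_address']!r} signed={report['signed']} "
              f"verdict={report['verdict']}")
        for name, value, desc in report["findings"]:
            print(f"    {name}={value}: {desc}")
```

A signature block only proves the file was not altered after signing; it says nothing about whether the publisher is trustworthy, so `signed` is reported as context rather than used to lower the verdict.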
Mitigations
The recommended mitigations are:
- Strengthen the operating environment configuration.
- Strengthen endpoint security configuration.
- Ensure the antivirus configuration is secure and robust.
- Review and secure Microsoft Office 365 settings.
- Harden the email security configuration.
- Conduct user training.
IoCs
Email sender domains:
sellar[.]co.uk
townoflakelure[.]com
totalconstruction[.]com.au
swpartners[.]com.au
cewalton[.]com
RDP file names:
AWS IAM Compliance Check.rdp
AWS IAM Configuration.rdp
AWS IAM Quick Start.rdp
AWS SDE Compliance Check.rdp
AWS SDE Environment Check.rdp
AWS Secure Data Exchange – Compliance Check.rdp
AWS Secure Data Exchange Compliance.rdp
Device Configuration Verification.rdp
Device Security Requirements Check.rdp
IAM Identity Center Access.rdp
IAM Identity Center Application Access.rdp
Zero Trust Architecture Configuration.rdp
Zero Trust Security Environment Compliance Check.rdp
ZTS Device Compatibility Test.rdp