The Russian nation-state threat actor tracked as Midnight Blizzard has been running spear-phishing campaigns to thousands of targets at more than 100 organizations, primarily in the United States and Europe.
Microsoft Threat Intelligence said in an Oct. 29 blog post that Midnight Blizzard has targeted government agencies, academia, defense, non-governmental organizations, and other sectors since Oct. 22 via the use of a signed remote desktop protocol (RDP) configuration file to gain access to devices — a novel approach for this group.
“In some of the lures, the actor attempted to add credibility to their malicious messages by impersonating Microsoft employees,” wrote the Microsoft researchers. “The threat actor also referenced other cloud providers in the phishing lures.”
The United States and United Kingdom governments claim that Midnight Blizzard — aka APT29 and Cozy Bear — operates under the direction of the Foreign Intelligence Service of the Russian Federation, also known as the SVR. The group’s primary mission is intelligence collection, with its dedicated espionage activity traced back to early 2018.
“This ingenious attack reinforces the need to maintain tight control over Microsoft’s remote desktop protocol,” said Venky Raju, Field CTO at ColorTokens. “Sharing devices, folders, and the clipboard over an RDP session is handy for system administrators and users. But as this attack illustrates, this powerful capability also gives attackers an easy way to access sensitive information or drop malicious code onto the user’s machine.”
Balazs Greksza, threat response lead at Ontinue, added that Midnight Blizzard has a long history of using various spear-phishing and watering-hole techniques to lure important personnel for intelligence collection. Greksza said defenders can block the ".rdp" file extension at email gateways, and that limiting the ability of normal users to run any ".rdp" files will offer a good countermeasure against this specific threat.
Greksza added that administrators can also take advantage of Group Policy Objects (GPOs) by disabling Device and Resource Redirection in the Remote Desktop Services configuration. Greksza also said network controls through firewalls can help disable inbound and outbound RDP connections — a good security practice in general.
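The redirection settings Raju and Greksza describe are stored as plain `name:type:value` lines inside the .rdp file itself, so a mail gateway or SOC can triage an attachment before a user ever opens it. The following Python helper is an added example, not code from the article or from any vendor quoted in it; the setting names are the standard mstsc ones, and the sample file content is constructed.

```python
# Added triage helper for .rdp attachments: flags local-resource redirection.
# Constructed example; key names are the standard mstsc setting names.
from typing import Dict, List

# 'i' keys are 0/1 flags; 's' keys are strings where "*" means redirect all.
RISKY_FLAGS = {"redirectclipboard", "redirectprinters", "redirectsmartcards",
               "redirectcomports", "redirectwebauthn"}
RISKY_LISTS = {"drivestoredirect", "devicestoredirect", "usbdevicestoredirect"}


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines into a lower-cased name -> value map."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue                      # not a setting line; ignore
        name, _typ, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def triage_rdp(text: str) -> dict:
    """Report remote host, whether a signature is present, and redirections."""
    s = parse_rdp(text)
    findings: List[str] = []
    for key in sorted(RISKY_FLAGS):
        if s.get(key) == "1":
            findings.append(f"{key} enabled")
    for key in sorted(RISKY_LISTS):
        if s.get(key):                    # "*" or an explicit drive/device list
            findings.append(f"{key}={s[key]}")
    # A signature only shows someone signed the file; whether that signer is
    # trusted needs a certificate check, which this helper does not do.
    return {"host": s.get("full address", ""), "signed": "signature" in s,
            "findings": findings}


# Constructed lure-style file, not a real sample.
SAMPLE = """full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
signscope:s:Full Address,Drivestoredirect,Redirectclipboard
signature:s:PLACEHOLDER_SIGNATURE
"""

if __name__ == "__main__":
    print(triage_rdp(SAMPLE))
```

Any file whose report lists a `drivestoredirect` or `redirectclipboard` finding together with an external host is a candidate for quarantine, regardless of whether a signature is present.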
Tim Peck, senior threat researcher at Securonix, said that first and foremost, companies must educate users on recognizing and reporting phishing attempts. Peck said when it comes to any form of request through email, especially those from outside the organization, users should take a “security-first” posture and automatically distrust the information until proven otherwise.
“Second, since RDP is not a new attack vector unique to Cozy Bear, organizations should restrict outbound RDP connections,” said Peck. “This should be limited to essential users by updating firewall policies or disabling it directly on endpoints that would not require it.”
Patrick Harr, chief executive officer at SlashNext Email Security, added that these attacks once again highlight that phishing continues to be the most dangerous threat to organizations. Harr said that’s why companies must not only continuously train their users, they must also employ AI detection and phishing sandboxes for malicious links and files directly in their email, collaboration and messaging apps.
“These new sophisticated attacks, many of them AI-generated, evade current secure email gateways and even Microsoft Defender for Office,” said Harr. “The only way organizations can defend themselves is by using AI to prevent these attacks before successful breaches.”