A Russian state-backed threat group tracked as Midnight Blizzard (also known as Cozy Bear, APT29, and UNC2452) has launched a large-scale intelligence-gathering operation targeting over 100 organizations worldwide. The group is using a novel tactic to harvest victim data and gain control of compromised devices: spear-phishing emails that carry digitally signed Remote Desktop Protocol (RDP) configuration files.
Microsoft's threat intelligence group has observed the Midnight Blizzard campaign since October 22, with the group sending thousands of highly targeted spear-phishing emails to individuals at organizations worldwide. When a recipient opens the attached RDP file, it establishes a quick, bidirectional connection between the victim's device and an attacker-controlled server, exposing user credentials, local files, and directories on connected network drives, as well as information from smart cards and web authentication credentials.
Because the RDP files are digitally signed, they appear to come from a legitimate source, which makes them difficult for traditional security controls to detect. Experts warn that organizations should review their email security and antivirus settings, turn on Safe Links and Safe Attachments in Office 365, and quarantine suspicious messages where needed.
To help organizations respond, Microsoft has released a list of indicators of compromise, including email sender domains, RDP file names, and the remote computer domains the RDP files point to. Organizations are advised to use firewalls to block RDP connections, implement multifactor authentication, and strengthen endpoint security configurations.
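The two preceding paragraphs describe what a malicious RDP configuration file does (redirects local drives, smart cards, clipboard and web authentication credentials to the remote host) and what defenders are told to check (the remote computer domain against known indicators). The following Python script is an added example, not code from the article or from Microsoft: it parses the plain-text `name:type:value` format of an `.rdp` file and reports which resource-redirection settings are active, whether the remote host is on a local allowlist, and whether the file carries a signature. The option names `full address`, `drivestoredirect`, `redirectsmartcards`, `redirectclipboard`, `redirectprinters`, `redirectcomports`, `signscope` and `signature` are standard RDP file settings; `redirectwebauthn` is assumed to be the option name used by newer Remote Desktop clients. The sample file text, the hostnames and the signature blob are constructed for the example.

```python
"""Triage an .rdp configuration file for risky settings (defender-side check).

Added example, not the article's or Microsoft's code. The sample .rdp
contents, hostnames and signature blob below are constructed.
"""
from __future__ import annotations

from typing import Callable, Dict, List, Set

# RDP file options that hand local resources to the remote host, paired with
# a predicate saying when the option's value actually enables redirection.
REDIRECTION_SETTINGS: Dict[str, Callable[[str], bool]] = {
    "drivestoredirect": lambda v: v not in ("", "0"),   # "*" shares every local drive
    "redirectsmartcards": lambda v: v == "1",
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    # Assumption: option name for WebAuthn redirection in newer RDP clients.
    "redirectwebauthn": lambda v: v == "1",
}

# Placeholder allowlist of RDP hosts an organization actually operates.
ALLOWED_HOSTS: Set[str] = {"rdp.example.internal"}


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines into a dict keyed by lowercase option name.

    The value may itself contain ':' (e.g. 'full address:s:host:3389'), so the
    line is split at most twice.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # not a well-formed option line; skip it
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def triage_rdp(text: str, allowed_hosts: Set[str] = ALLOWED_HOSTS) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    settings = parse_rdp(text)
    findings: List[str] = []

    # 1. Where does the file connect to? Compare against the local allowlist
    #    (or against published indicator domains, if you load them here).
    full_address = settings.get("full address", "")
    hostname = full_address.split(":")[0].lower()
    if not hostname:
        findings.append("no remote host specified")
    elif hostname not in allowed_hosts:
        findings.append(f"remote host not on allowlist: {full_address}")

    # 2. Which local resources would be exposed to that host?
    for key, is_active in REDIRECTION_SETTINGS.items():
        if key in settings and is_active(settings[key]):
            findings.append(f"resource redirection enabled: {key}={settings[key]}")

    # 3. A signature only proves the file was not altered after signing; it
    #    says nothing about whether the remote host is trustworthy.
    if "signature" in settings:
        findings.append("file is signed; signature does not vouch for the remote host")

    return findings


# Constructed sample resembling a phishing-style .rdp file.
SUSPICIOUS_RDP = """\
full address:s:rdp.attacker-controlled.example:3389
drivestoredirect:s:*
redirectsmartcards:i:1
redirectclipboard:i:1
redirectwebauthn:i:1
signscope:s:Full Address,Drives To Redirect
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

# Constructed sample resembling a locally issued, locked-down .rdp file.
BENIGN_RDP = """\
full address:s:rdp.example.internal
drivestoredirect:s:
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(f"[{label}]")
        for finding in triage_rdp(sample) or ["no findings"]:
            print("  -", finding)
```

Point the script at files quarantined by mail filtering or found in user download folders; in practice the allowlist would be replaced by the organization's own RDP gateways and the remote host would also be compared against the domains Microsoft published as indicators.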
Midnight Blizzard is a well-known threat group that has targeted numerous victims, including SolarWinds, Microsoft, HPE, multiple US federal government agencies, and diplomatic entities worldwide. Its tactics include spear phishing, stolen credentials, and supply chain attacks for initial access. The use of signed RDP files in this campaign highlights the importance of maintaining vigilance over email security and endpoint protection measures.
Source: https://www.darkreading.com/cyberattacks-data-breaches/midnight-blizzard-targets-networks-signed-rdp-files