Pierluigi Paganini October 30, 2024

Microsoft warns of a new phishing campaign by Russia-linked APT Midnight Blizzard targeting hundreds of organizations.

Microsoft warns of a large-scale spear-phishing campaign by Russia-linked APT Midnight Blizzard (aka APT29, SVR group, BlueBravo, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes), targeting 1,000+ users across 100+ organizations for intelligence gathering.

The Midnight Blizzard group along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections. The group is known for the SolarWinds supply chain attack that in 2020 hit more than 18,000 customer organizations, including Microsoft.

The recent campaign is still ongoing and already targeted entities in multiple sectors, including government, defense, academia, NGO, and other sectors.  

The victims are in the United Kingdom, European countries, Australia and Japan.

“On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust.” reads the report published by Microsoft. “The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. RDP configuration (.RDP) files summarize automatic settings and resource mappings that are established when a successful connection to an RDP server occurs. These configurations extend features and resources of the local system to a remote server, controlled by the actor.”

Microsoft experts pointed out that the use of a signed RDP configuration file to gain access to the targets’ devices is a novelty in the TTPs associated with this threat actor.

Government Computer Emergency Response Team of Ukraine (CERT-UA) and Amazon also warned about this campaign.

The used of RDP configuration files in the attack auto-extend local system resources to the attacker’s server, exposing sensitive data like hard drives, clipboard contents, printers, and authentication features, including smart cards, to the threat actor’s server.

“Midnight Blizzard sent the phishing emails in this campaign using email addresses belonging to legitimate organizations that were gathered during previous compromises.” concludes the report that provides IOC for this campaign along with mitigations.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Midnight Blizzard)