H-ISAC Threat Bulletin: Russian Threat Actor Midnight Blizzard Conducts Large Scale Spearphishing Campaign Containing RDP Files
On October 29, 2024, Microsoft Threat Intelligence released a blog report describing its observation of the Russian threat actor Midnight Blizzard conducting a spearphishing campaign that delivered phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. According to Microsoft’s investigation, the objective of the ongoing activity is assessed as likely reconnaissance.
During the phishing campaign, the threat actors were observed impersonating Microsoft employees and sending emails with social engineering lures related to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The phishing emails delivered remote desktop protocol (RDP) configuration files signed with a Let's Encrypt certificate. These RDP configuration files contain automatic settings and resource mappings that take effect once a connection to a threat actor-controlled RDP server is established.
Successful attacks exposed sensitive information from the compromised device, because the connection mapped the victim’s local device resources to the threat actor-controlled server. Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and the authentication features and facilities of the Windows operating system, including smart cards. Additionally, the unauthorized access could allow the threat actor to deploy malware on local drives and mapped network shares to maintain persistence after the RDP session is terminated.
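The resource mappings described above are plain `key:type:value` lines inside the `.rdp` attachment, so a mail gateway or analyst can triage such a file without opening it in a client. The following is an added example, not part of the H-ISAC or Microsoft material: it parses a constructed sample file and reports which local resources the file would redirect to the remote host; the target hostname, signature value and the labels attached to each setting are assumptions made for illustration.

```python
import re
from typing import Dict, List

# Constructed sample .rdp file (key:type:value format) written for this example; not a real artefact.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
audiocapturemode:i:1
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

# Documented .rdp settings that hand local resources to the remote host, and the
# value that enables each. The labels mapping them to the bulletin's list are ours.
RISKY_SETTINGS = {
    "drivestoredirect": ("local logical drives", lambda v: v.strip() != ""),
    "devicestoredirect": ("plug-and-play peripherals", lambda v: v.strip() != ""),
    "redirectclipboard": ("clipboard", lambda v: v == "1"),
    "redirectprinters": ("printers", lambda v: v == "1"),
    "redirectsmartcards": ("smart cards / Windows authentication", lambda v: v == "1"),
    "audiocapturemode": ("microphone audio", lambda v: v == "1"),
}

def parse_rdp(text: str) -> Dict[str, str]:
    """Parse key:type:value lines into {key: value}; malformed lines are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([is]):(.*)$", line.strip())
        if m:
            settings[m.group(1).strip().lower()] = m.group(3)
    return settings

def risky_redirections(text: str) -> List[str]:
    """Labels of the local resources this file would expose to the RDP server."""
    settings = parse_rdp(text)
    return [label for key, (label, enabled) in RISKY_SETTINGS.items()
            if key in settings and enabled(settings[key])]

def triage(text: str) -> dict:
    """Summary a mail gateway or analyst could act on: target host, signed?, exposures."""
    settings = parse_rdp(text)
    return {"target": settings.get("full address", ""),
            "signed": "signature" in settings,
            "exposes": risky_redirections(text)}
```

A signed file is not a safe file: the signature only shows the settings were not altered in transit, and a file that redirects drives, clipboard and smart cards to an unknown host warrants blocking regardless.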
Health-ISAC is sharing this report for your situational awareness and encourages members to incorporate the mitigation strategies provided in this report.
The full alert, which includes additional information, mitigations, hunting queries, and indicators of compromise, can be found here.