DigitalXRAID

Threat Intelligence: Midnight Blizzard Spearphishing Campaign Targets Thousands with RDP Files

Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts: 

Microsoft has warned of a campaign from a known threat actor “Midnight Blizzard” (APT29, Cozy Bear), in which thousands of organisations in government, academia, defence and other sectors were targeted with phishing emails.

The phishing emails contained a signed Remote Desktop Protocol (.RDP) file that connects to a server controlled by the threat actor.

Microsoft states: “In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server.”

Although targets have been discovered in dozens of countries, those in the UK, Europe, Australia and Japan are particularly at risk, Microsoft said. The tactics also overlap with activity seen and reported by Amazon and by the Ukrainian CERT under the UAC-0215 designation.

Microsoft has released a list of mitigations in its post “Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files” (Microsoft Security Blog), recommending measures such as:

  • End user education 
  • Firewalls to restrict outbound RDP Connections 
  • Enforcing MFA for all users 
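
Alongside these mitigations, a mail gateway or SOC triage step can flag .RDP attachments that request the kind of local resource mapping Microsoft describes. The following is an added example, not code from Microsoft or DigitalXRAID: it assumes the attachment has already been decoded to text, uses a hypothetical internal DNS suffix `.corp.example`, and runs on a constructed sample file.

```python
import ipaddress

# .rdp settings that share a local resource with the remote host when set to
# a non-zero integer or a non-empty string.
REDIRECT_KEYS = {
    "drivestoredirect", "devicestoredirect", "camerastoredirect",
    "usbdevicestoredirect", "redirectclipboard", "redirectprinters",
    "redirectcomports", "redirectsmartcards", "redirectposdevices",
    "redirectwebauthn", "audiocapturemode"}

# Constructed sample for illustration, not taken from the campaign.
SAMPLE = """full address:s:rdp.gateway.example.net:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
redirectsmartcards:i:1
signature:s:AQABAAEAAAC
"""

def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: value}."""
    settings = {}
    for line in text.lstrip("\ufeff").splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

def is_internal(host, internal_suffixes):
    """True for private IPs or hosts under an allowed DNS suffix."""
    if host.count(":") == 1:           # strip a trailing :port
        host = host.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:                 # not an IP literal, treat as hostname
        return any(host.lower().endswith(s) for s in internal_suffixes)

def triage(text, internal_suffixes=(".corp.example",)):
    """Return findings for one .rdp attachment; an empty list means no flags."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "")
    if host and not is_internal(host, internal_suffixes):
        findings.append(f"external target: {host}")
    for key in sorted(s.keys() & REDIRECT_KEYS):
        if s[key] not in ("", "0"):
            findings.append(f"redirects local resource: {key}={s[key]}")
    if "signature" in s:
        findings.append("file is signed (a signature does not imply trust)")
    return findings
```

Files that yield both an external target and one or more redirection findings are candidates for quarantine and analyst review.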

Please remain vigilant as always. 

If you need any further guidance on this, please contact DigitalXRAID’s Security Operations Centre analysts. We’re here to support you.  

If you discover that you’ve suffered a breach as a result of this or any other vulnerability, and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak to one of our experts. They’re available 24 hours a day, 7 days a week. Bookmark this page in case you ever need us.   
