
The Cybersecurity Lair™ • November 1, 2024

Midnight Blizzard Strikes Again: Microsoft Warns of Ongoing RDP-Based Spear-Phishing Attacks

Microsoft Identifies High-Risk Threat Targeting Government and Academia

Microsoft has issued a warning about an ongoing spear-phishing campaign led by the Russian APT group Midnight Blizzard, known for past major attacks such as the SolarWinds breach. This campaign, which began on October 22, specifically targets government, defence, academia, NGOs, and other critical sectors, aiming to collect intelligence through sophisticated spear-phishing emails. The threat actors impersonate Microsoft employees and reputable cloud providers in highly targeted emails carrying a Remote Desktop Protocol (RDP) configuration file, signed with a Let's Encrypt certificate, which compromises the target system once opened.


Once the RDP file is opened, Midnight Blizzard gains extensive access to the victim's system, enabling resource mapping and potential installation of malware, remote access trojans, or persistent backdoors. This grants the attackers control over all logical drives, peripheral devices, and even user credentials, posing a significant security risk. The group has used stolen credentials and legitimate email addresses to add credibility and evade detection, and Microsoft is currently notifying affected customers and providing security assistance.





Key Technical Events:


  • Midnight Blizzard sent spear-phishing emails targeting over 100 organisations worldwide, with impersonation and social engineering tactics.
  • The emails included an RDP configuration file signed with a Let's Encrypt certificate, compromising the system once the file was opened.
  • The RDP file mapped local resources to attacker-controlled servers, enabling file and device access, potentially exposing credentials.
  • Attackers could use the access to install malware or RATs, ensuring sustained access post-session.
  • Midnight Blizzard's infrastructure used stolen email addresses and credentials from previous campaigns to legitimise the emails.
  • Midnight Blizzard has used multiple methods to gain access, including spear-phishing, supply-chain compromise, and lateral movement across environments.


Aftermath


CISA and Microsoft have responded by releasing protective measures to contain the threat, including restricting outbound RDP connections, blocking RDP files, enforcing MFA, and recommending endpoint detection solutions. Additionally, Microsoft is notifying targeted or compromised customers, offering support to secure their accounts and mitigate potential damage from this campaign.


Recommended Security Measures:


  • Restrict or block outbound RDP connections on corporate networks.
  • Prevent execution of RDP files and filter such files in emails and communication platforms.
  • Enable multi-factor authentication (MFA) and phishing-resistant authentication.
  • Implement conditional access policies for enhanced security.
  • Deploy Endpoint Detection and Response (EDR) tools and combine with other security solutions.
  • Conduct regular user education on identifying and avoiding phishing threats.
  • Continuously monitor for unusual activity based on identified TTPs and indicators.
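As an added, defender-side illustration (not code from the original post, Microsoft, or CISA) of what "filter such files" and "monitor based on identified TTPs" can mean in practice, the following Python script triages a received .rdp attachment: it parses the plain-text key:type:value settings and flags the ones that redirect local drives, clipboard, smart cards and other devices to the remote host, which is how the campaign's file mapped local resources to attacker-controlled servers. The allowlisted host name, the sample attachment and the finding strings are constructed for this example; the setting names are standard .rdp keys.

```python
import re
from typing import Callable, Dict, List

# An .rdp file is plain text with one "key:type:value" setting per line.
# These settings hand the client's local resources to the remote host once
# the user accepts the connection; a phishing .rdp that enables them gives
# the server side access to files, clipboard contents and smart cards.
RISKY_SETTINGS: Dict[str, Callable[[str], bool]] = {
    "drivestoredirect": lambda v: v != "",        # "*" or a list of drives
    "devicestoredirect": lambda v: v != "",
    "usbdevicestoredirect": lambda v: v != "",
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",  # RemoteApp hides the full desktop
}

def parse_rdp(text: str) -> Dict[str, str]:
    """Map lower-cased setting names to their values; malformed lines are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([sib]):(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings

def triage_rdp(text: str, allowed_hosts: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_rdp(text)
    findings: List[str] = []
    host = s.get("full address", "").split(":")[0].lower()  # strip :port (DNS/IPv4 only)
    if host and not any(host == h or host.endswith("." + h) for h in allowed_hosts):
        findings.append(f"connects to non-allowlisted host {host}")
    for key, is_risky in RISKY_SETTINGS.items():
        if key in s and is_risky(s[key]):
            findings.append(f"{key}={s[key]} redirects local resources to the remote host")
    if "signature" in s:
        # A signed file is not a trusted file: the campaign's files were signed too.
        findings.append("embedded signature present; verify the signer rather than trusting it")
    return findings

# Constructed sample attachment for illustration (not taken from the campaign).
SAMPLE_RDP = """full address:s:rdp.untrusted.example:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
"""
```

Running `triage_rdp(SAMPLE_RDP, ["corp.example.test"])` yields five findings for the sample, while a file that points at an allowlisted gateway with redirection left empty yields none.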


The Midnight Blizzard spear-phishing campaign highlights the evolving tactics used by sophisticated threat groups to breach high-value targets and gain persistent access. This incident underscores the importance of proactive security measures and vigilance against spear-phishing and credential theft. Organisations should implement a multi-layered defence strategy, combining technical controls, EDR, and ongoing user education to mitigate the risk of similar attacks.


Source and further reading:


Neagu, C. (2024, November 1). Microsoft Warns: Midnight Blizzard's Ongoing Spear-Phishing Campaign with RDP Files. Heimdal Security Blog. https://heimdalsecurity.com/blog/microsoft-warning-midnight-blizzard-spear-phishing-rdp/

