Difenda is alerting organizations about an active spear-phishing campaign reported by Microsoft Threat Intelligence and orchestrated by the Russian state-sponsored threat actor Midnight Blizzard (also known as APT29, UNC2452, or Cozy Bear). Beginning on October 22, 2024, this campaign has targeted thousands of individuals across more than 100 organizations worldwide, focusing on government bodies, universities, defense sectors, NGOs, and other key industries. Midnight Blizzard is known for intelligence-gathering operations, often employing sophisticated tactics to breach high-value targets.
This campaign’s standout feature is the use of signed Remote Desktop Protocol (RDP) configuration files attached to phishing emails. These files establish connections between the victim’s device and actor-controlled servers, enabling data exposure and potential malware deployment.
Ongoing Spear-Phishing Campaign by Russian Threat Actor Midnight Blizzard
Technical Overview
- Spear-Phishing Campaign Initiation: The emails are tailored to appear credible, with lures that impersonate trusted entities such as Microsoft and other cloud providers. The emails often reference industry terms like Zero Trust to increase their perceived legitimacy.
- Malicious Payload: Attached to the phishing emails is an RDP configuration file, signed with a legitimate certificate. When executed, this file sets up an RDP connection to a server controlled by the attackers.
- RDP Configuration: The RDP file contains specific settings allowing the attacker-controlled system to access:
  - Local files and directories.
  - Connected network drives.
  - Peripheral devices, including smart cards and printers.
  - Clipboard data and other resources.
- Potential Outcomes: Once the connection is established, the attacker can explore system resources, deploy malware, install remote access tools (RATs) for persistent access, and even capture user credentials during the session.
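As an added example (not code from Difenda or Microsoft), a small Python checker that parses the `name:type:value` lines of an .rdp attachment and flags the resource-redirection settings described above, so an analyst can triage a suspicious attachment before anyone opens it. The sample file, its host name, the trusted-host list and the signature blob are constructed placeholders, not campaign indicators.

```python
import re

# Real .rdp redirection keys -> (value meaning "enabled", what it exposes).
RISKY_SETTINGS = {
    "drivestoredirect": ("*", "local drives and mapped network shares"),
    "devicestoredirect": ("*", "plug-and-play devices"),
    "usbdevicestoredirect": ("*", "USB devices"),
    "redirectclipboard": ("1", "clipboard contents"),
    "redirectprinters": ("1", "printers"),
    "redirectsmartcards": ("1", "smart cards"),
    "redirectcomports": ("1", "serial (COM) ports"),
}

# Constructed sample of a fully redirected, signed attachment;
# the host and the signature blob are placeholders, not indicators.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
signscope:s:Full Address,Drive Store Direct,Redirect Clipboard
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict keyed by lower-cased name."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value may itself contain ':'
        if len(parts) == 3:
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

def assess_rdp(text, trusted_hosts):
    """Return (target host, list of findings) for the contents of an .rdp file."""
    s = parse_rdp(text)
    target = s.get("full address", "")
    host = re.sub(r":\d+$", "", target)  # strip an optional :port suffix
    findings = []
    if host.lower() not in {h.lower() for h in trusted_hosts}:
        findings.append(f"connects to untrusted host '{host}'")
    for name, (enabled, exposes) in RISKY_SETTINGS.items():
        if s.get(name) == enabled:
            findings.append(f"{name}={enabled} exposes {exposes}")
    if "signature" in s:
        findings.append("signed: a valid signature only suppresses the client warning")
    return host, findings
```

A file that names an unknown host and enables every redirection should be treated as hostile regardless of its signature; the signature only tells the RDP client not to warn the user.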
What Our Threat Intelligence Team is Seeing
Microsoft Defender XDR Detections:
Microsoft Defender for Endpoint
- Midnight Blizzard Actor activity group
- Suspicious RDP session
- Midnight Blizzard attack group payload
Microsoft Defender Antivirus
- Backdoor:Script/HustleCon.A
Microsoft Defender for Cloud
- Communication with suspicious domain identified by threat intelligence
- Suspicious outgoing RDP network activity
- Traffic detected from IP addresses recommended for blocking
IOCs
Email sender domains:
- sellar[.]co.uk
- townoflakelure[.]com
- totalconstruction[.]com.au
- swpartners[.]com.au
- cewalton[.]com
What We Suggest to Mitigate Ongoing Spear-Phishing Campaign by Russian Threat Actor Midnight Blizzard
1. Strengthen Email Security
- Deploy advanced anti-phishing solutions like Microsoft Defender for Office 365 to monitor incoming emails and URLs.
- Enable Safe Links and Safe Attachments in Office 365 to scan email content in real-time.
2. Enhance Endpoint Protection
- Turn on tamper protection and network protection in Microsoft Defender for Endpoint.
- Enable EDR in block mode to help prevent malicious activities, even if your primary antivirus misses them.
- Configure automated investigation and remediation in full mode to take swift action on detected threats.
3. Limit RDP Connections
- Use Windows Firewall to block or restrict outbound RDP connections to untrusted public networks.
- Regularly review and limit remote access policies to ensure only trusted devices and users can connect.
4. Require Multi-Factor Authentication (MFA)
- Implement phishing-resistant MFA methods such as FIDO tokens or Microsoft Authenticator with number matching. Avoid telephony-based MFA to reduce risks related to SIM-jacking.
5. User Training and Awareness
- Conduct regular phishing simulation exercises to help employees recognize and report suspicious emails.
- Educate users on how to avoid interacting with unexpected attachments and links, even from seemingly trusted sources.
6. Monitor for Indicators of Compromise (IOCs)
- Regularly check for suspicious RDP connections or unauthorized access attempts.
- Review logs for signs of attempted or successful connections to external, actor-controlled servers.