Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign

Simulate This Threat

See how your defenses will perform against emerging threats.

TRY NOW

Starting from late October 2024, Russian state-sponsored threat actor Midnight Blizzard, also known as APT29 & Cozy Bear, has been actively deploying a sophisticated spear-phishing campaign targeting thousands of individuals across government, academia, and defense sectors, as well as NGOs [1]. Threat intelligence units at Microsoft, Amazon, and CERT-UA have published overlapping reports showing that Midnight Blizzard is leveraging an unusual combination of attack vectors, likely aimed at gathering intelligence and gaining privileged access across affected organizations.

In this blog, we are going to provide an overview of Midnight Blizzard’s attack campaigns, the key mitigation steps that you have to take (as suggested by CISA’s Alert), and how Picus can help you to simulate the tactics, techniques, and procedures, as well as provide ready-to-apply mitigation suggestions for your choice of vendor.

Simulate State-Sponsored Cyber Threats with 14-Day Free Trial of Picus Platform

Midnight Blizzard’s Spear Phishing Campaigns

In this recent spear-phishing campaign observed by Microsoft Threat Intelligence, the Russian threat actor Midnight Blizzard (also known as APT29, UNC2452, or Cozy Bear) has employed a novel attack vector, leveraging Remote Desktop Protocol (RDP) configuration files to compromise targeted systems. This campaign, which began on October 22, 2024, is aimed at a variety of sectors including government, academia, defense, and non-governmental organizations across multiple countries.

1. Spear-Phishing Emails and Social Engineering Done by Midnight Blizzard

The attack begins with highly targeted spear-phishing emails sent to thousands of users across over 100 organizations. These emails are designed to appear highly credible, often impersonating employees from well-known organizations such as Microsoft or Amazon Web Services (AWS) [2]. The phishing lures frequently reference Zero Trust security concepts to further legitimize the communication.

The emails contain a malicious RDP configuration file (.RDP), which is signed with a Let's Encrypt certificate to bypass security mechanisms that might otherwise flag unsigned or suspicious files. This use of a signed file adds a layer of trust, making the attack more difficult to detect.

2. How RDP Files Work in Spear-Phishing Campaigns of APT29?

The .RDP file is a key component of this campaign. RDP configuration files are typically used to automate the setup of a remote desktop session, specifying settings such as authentication methods, resource mapping, and network configurations. In this case, the malicious .RDP file is crafted to establish a connection to an actor-controlled server.

Malicious Remote Connection to Attacker's Server

Figure 1. Malicious Remote Connection to Attacker's Server, Taken from Microsoft

Once the victim opens the .RDP file (check out the IOC section in the blog), the following sequence occurs:

  • RDP Session Initiation: The victim's device connects to the attacker-controlled RDP server.

  • Resource Mapping: The configuration file is designed to map local resources (such as logical hard drives, network drives, clipboard contents, printers, and connected peripherals) to the remote server. This bidirectional mapping allows the attacker to access and manipulate resources on the victim's device.

  • Credential Exposure: During the RDP session, user credentials (including those used for Windows authentication, such as smart cards, Windows Hello, or security keys) may be exposed to the attacker. This could enable the threat actor to harvest credentials for further exploitation.

3. Impact of the Attack

Once the RDP connection is established, the attacker can:

  • Access and Exfiltrate Data: The attacker can view and exfiltrate files, directories, and clipboard contents from the victim’s device.

  • Manipulate Peripherals: Connected peripherals, such as smart cards, printers, and microphones, can be accessed and controlled by the attacker.

  • Install Malware: The attacker may install malware on the victim’s local drives or mapped network shares, including remote access trojans (RATs) for persistent access. They could also place malicious files in AutoStart folders to ensure execution upon system startup.

Note: Midnight Blizzard is known for employing advanced techniques to gain and maintain access to victim environments. In previous campaigns, the group has used malware such as FOGGYWEB and MAGICWEB to compromise Active Directory Federation Services (AD FS), allowing them to move laterally from on-premises environments to cloud infrastructure. In addition, the reconnaissance and ex-filtration backdoor called GraphicalProton is also known to be distributed by APT29 through DLL hijacking of Zabbix and Webroot antivirus software.

  • Harvest Credentials: The attack may result in the exposure of authentication credentials, which can be used for further compromise of the victim’s network or systems.

Victimology and Intent of APT29 (a.k.a Midnight Blizzard )

Midnight Blizzard's campaign aligns with its ongoing goal of intelligence collection. Although previous APT29 campaigns focused on narrow, highly selective targeting, this latest wave appears to be cast wider, reaching over 100 organizations ([1], [2]). The campaign targets sectors typically of interest to nation-state actors, including:

  • Governmental agencies

  • Defense contractors

  • Higher education institutions

  • Non-governmental organizations (NGOs)

Geographically, the campaign has been observed in countries such as the United Kingdom, Europe, Australia, and Japan. This broader targeting aligns with Midnight Blizzard’s historical focus on espionage and intelligence collection from Western organizations.

Mitigation Steps to Take Against Large-Scale Spear Phishing Campaign with RDP Attachments

Below are CISA's recommended proactive mitigation strategies, along with the rationale behind each step and the anticipated outcomes.

Restrict Outbound RDP Connections

  • Why This Matters: RDP is a highly targeted protocol due to its widespread use for remote access. Allowing RDP connections to external or public networks exposes organizations to brute-force attacks, credential stuffing, and exploitation of unpatched vulnerabilities.

  • Recommended Action: Organizations should forbid or significantly restrict outbound RDP connections to external or public networks. Implement firewalls, secure policies, and access control lists to enforce this restriction.

  • Outcome / Impact: By restricting or entirely forbidding outbound RDP connections to the internet, organizations can significantly reduce their attack surface. This limits the risk of unauthorized access and lateral movement by attackers.

Block RDP Files in Communication Platforms

  • Why This Matters: Attackers can use RDP files to deliver malicious payloads or establish unauthorized remote sessions. These files are often shared via email or messaging platforms, making them a potential threat.

  • Recommended Action: Prohibit the transmission of RDP files through email clients and webmail services to prevent accidental execution of malicious RDP configurations.

  • Outcome / Impact: Blocking RDP files in communication platforms reduces the risk of users executing malicious RDP files, thereby preventing unauthorized remote access.

Enable Multi-Factor Authentication (MFA)

  • Why This Matters: MFA adds an essential layer of security by requiring multiple forms of verification, making it harder for attackers to gain unauthorized access, even if credentials are compromised.

  • Recommended Action: Enable multi-factor authentication wherever feasible to secure remote access. Avoid using SMS-based MFA due to its vulnerability to SIM-jacking attacks.

  • Outcome / Impact: MFA helps protect against unauthorized access, even in cases of credential theft, thereby enhancing the overall security of the organization.

Adopt Phishing-Resistant Authentication Methods

  • Why This Matters: Traditional MFA methods, such as SMS-based authentication, are vulnerable to phishing and SIM-jacking attacks. Phishing-resistant methods provide stronger protection.

  • Recommended Action: Deploy phishing-resistant authentication methods, such as FIDO tokens, to safeguard against phishing attacks. 

  • Outcome / Impact: Phishing-resistant authentication methods provide stronger protection against phishing attacks, reducing the likelihood of unauthorized access.

Implement Conditional Access Policies

  • Why This Matters: Conditional access policies ensure that only authorized users and devices can access sensitive systems, based on specific criteria like user identity, location, or device type.

  • Recommended Action: Establish Conditional Access Authentication Strength policies to enforce the use of phishing-resistant authentication methods.

  • Outcome / Impact: Conditional access policies ensure that only trusted users and devices can access critical systems, reducing the risk of unauthorized access and data breaches.

Deploy Endpoint Detection and Response (EDR)

  • Why This Matters: EDR solutions provide continuous monitoring of endpoints, allowing organizations to detect and respond to suspicious activities in real-time.

  • Recommended Action: Implement EDR solutions to continuously monitor for and respond to suspicious activities within the network.

  • Outcome / Impact: EDR enhances the organization’s ability to detect and respond to security incidents, minimizing the impact of potential attacks.

Consider Additional Security Solutions:

  • Why This Matters: While EDR is effective, additional security measures such as anti-phishing and antivirus solutions provide broader protection against a wide range of threats.

  • Recommended Action: In addition to EDR, evaluate the deployment of anti-phishing and antivirus solutions to strengthen defenses against emerging threats.

  • Outcome / Impact: By layering additional security solutions, organizations can bolster their defenses and guard against various attack vectors, reducing the likelihood of successful breaches.

Conduct User Education:

  • Why This Matters: Human error is a major factor in many security breaches, especially through social engineering and phishing attacks. Educating users on how to recognize and respond to threats is crucial.

  • Recommended Action: Implement a robust user education program that highlights how to identify and report phishing emails and other suspicious activities. Provide users with simple tips to avoid phishing.

  • Outcome / Impact: Well-informed users are less likely to fall victim to phishing and social engineering attacks, reducing the overall risk to the organization.

Hunt For Activity Using Referenced Indicators and TTPs:

  • Why This Matters: Proactively searching for known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by attackers can help organizations identify potential threats early.

  • Recommended Action: Utilize all indicators and TTPs from relevant articles and threat reports to search for malicious activity within your network. Specifically, search for unexpected or unauthorized outbound RDP connections within the last year.

  • Outcome / Impact: Proactively hunting for malicious activity using known IOCs and TTPs improves the organization’s ability to detect and mitigate threats before they cause significant damage.

IOCs for Midnight Blizzard's RDP-Based Spear Phishing Campaign by CERT-UA#11690

The following table organizes the data by MD5 hash, SHA-256 hash, and file name for easy reference of IOCs for Midnight Blizzard’s RDP-based spear-phishing campaign, provided by CERT-UA#11690 [3].

File Name

MD5 Hash

SHA-256 Hash

Zero Trust Architecture Configuration.rdp

a5de73d69c1a7fbae2e71b98d48fe9b5

34c88cd591f73bc47a1a0fe2a4f594f628be98ad2366eeb4e467595115d8505a

ZTS Device Compatibility Test.rdp

8bcb741a204c25232a11a7084aa2221f

071276e907f185d9e341d549b198e60741e2c7f8d64dd2ca2c5d88d50b2c6ffc

Device Configuration Verification.rdp

86f58115c891ce91b7364e5ff0314b31

6e6680786fa5b023cf301b6bc5faaa89c86dc34b696f4b078cf22b1b353d5d3c

Zero Trust Architecture Configuration.rdp

80b3cad4f70b6ea8924aa13d2730328b

31f2cc1157248aec5135147073e49406d057bebf78b3361dd7cbb6e37708fbcc

Device Security Requirements Check.rdp

c0da30b71d58e071fc5863381444d9f0

88fd6a36e8a61597dd71755b985e5fcd0b8308b69fc0f4b0fc7960fb80018622

Device Security Requirements Check.rdp

1595266bb78dc1e3d67f929154824c74

b8327671ebc20db6f09efc4f19bd8c39d9e28c9a37bdd15b2fd62ade208d2e8a

Device Configuration Verification.rdp

222c83d156a41735c38cc552a7084a86

a5bbb109faefcecba695a84a737f5e47fa418cea39d654bb512a6f4a0b148758

Zero Trust Architecture Configuration.rdp

fa9af43e9bbb55b7512b369084d91f4d

5534cc837ba4fa3726322883449b3e97ca3e0d28c0ccf468b868397fdfa44e0b

Zero Trust Security Environment Compliance Check.rdp

281a28800a4ba744bfde7b4aff46f24e

b9ab481e7a9a92cfa2d53de8e7a3c75287cff6a3374f4202ec16ea9e03d80a0b

Device Configuration Verification.rdp

d37cd2c462af0e0643076b20c5ff561e

18a078a976734c9ec562f5dfa3f5904ef5d37000fb8c1f5bd0dc2dee47203bf9

AWS IAM Quick Start.rdp

e465a4191a93195094a803e5d4703a90

bb4d5a3f7a40c895882b73e1aca8c71ea40cef6c4f6732bec36e6342f6e2487a

Device Configuration Verification.rdp

3f753810430b26b94a172fbf816e7d76

ef4bd88ec5e8b401594b22632fd05e401658cf78de681f81409eadf93f412ebd

Zero Trust Security Environment Compliance Check.rdp

434ffae8cfc3caa370be2e69ffaa95d1

1cfe29f214d1177b66aec2b0d039fec47dd94c751fa95d34bc5da3bbab02213a

ZTS Device Compatibility Test.rdp

c287c05d91a19796b2649ebebd27394b

3a2496db64507311f5fbd3aba0228b653f673fc2152a267a1386cbab33798db5

AWS IAM Configuration.rdp

aabbfd1acd3f3a2212e348f2d6f169fc

984082823dc1f122a1bb505700c25b27332f54942496814dfd0c68de0eba59dc

Zero Trust Security Environment Compliance Check.rdp

b0a0ad4093e781a278541e4b01daa7a8

383e63f40aecdd508e1790a8b7535e41b06b3f6984bb417218ca96e554b1164b

Device Security Requirements Check.rdp

a18a1cad9df5b409963601c8e30669e4

296d446cb2ad93255c45a2d4b674bbacb6d1581a94cf6bb5e54df5a742502680

ZTS Device Compatibility Test.rdp

cbbc4903da831b6f1dc39d0c8d3fc413

129ba064dfd9981575c00419ee9df1c7711679abc974fa4086076ebc3dc964f5

AWS IAM Quick Start.rdp

bd711dc427e17cc724f288cc5c3b0842

f2acb92d0793d066e9414bc9e0369bd3ffa047b40720fe3bd3f2c0875d17a1cb

AWS IAM Compliance Check.rdp

b38e7e8bba44bc5619b2689024ad9fca

f357d26265a59e9c356be5a8ddb8d6533d1de222aae969c2ad4dc9c40863bfe8

AWS IAM Configuration.rdp

40f957b756096fa6b80f95334ba92034

280fbf353fdffefc5a0af40c706377142fff718c7b87bc8b0daab10849f388d0

Zero Trust Security Environment Compliance Check.rdp

db326d934e386059cc56c4e61695128e

8b45f5a173e8e18b0d5c544f9221d7a1759847c28e62a25210ad8265f07e96d5

Zero Trust Security Environment Compliance Check.rdp

f58cf55b944f5942f1d120d95140b800

ba4d58f2c5903776fe47c92a0ec3297cc7b9c8fa16b3bf5f40b46242e7092b46

How Picus Helps Simulate APT29 (a.k.a Midnight Blizzard) Attacks?

We strongly suggest simulating APT29 (a.k.a Midnight Blizzard, Cozy Bear) attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other state-sponsored threat actors, such as APT40, Lazarus, and Volt Typhoon, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Midnight Blizzard aka APT29:

Threat ID

Threat Name

Attack Module

35957

APT29 Group Campaign 2020

Windows Endpoint

43027

APT29 Dropping Brute Ratel Campaign 2022

Windows Endpoint

39050

UNC2452 Threat Group SolarWinds/SUNBURST Campaign 2020

Windows Endpoint

31911

APT29 Threat Group Campaign Malware Download Threat - 2

Network Infiltration

43072

APT29 Threat Group Campaign Malware Email Threat - 2

E-mail Infiltration (Phishing)

23181

APT29 Threat Group Campaign Backdoor Malware Download Threat

Network Infiltration

66164

APT29 Threat Group Campaign Backdoor Malware Email Threat

E-mail Infiltration (Phishing)

60593

APT29 Threat Group Campaign Malware Downloader Download Threat

Network Infiltration

62913

APT29 Threat Group Campaign Malware Downloader Email Threat

E-mail Infiltration (Phishing)

80648

APT29 Threat Group Campaign Malware Dropper Download Threat

Network Infiltration

42743

APT29 Threat Group Campaign Malware Dropper Email Threat

E-mail Infiltration (Phishing)

25539

APT29 Threat Group Campaign Malware Download Threat - 1

Network Infiltration

27133

APT29 Threat Group Campaign Malware Email Threat - 1

E-mail Infiltration (Phishing)

52293

GraphicalProton Backdoor Malware Download Threat

Network Infiltration

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address malware and vulnerabilities exploited by the APT29 group in preventive security controls. Currently, Picus Labs validated the following signatures for APT29 Group:

Security Control

Signature ID

Signature Name

CheckPoint

0B6090696

UDS:DangerousObject.Multi.Generic.TC.3a78qZlV

CheckPoint

0FFC1CE32

Trojan.Win32.CozyDuke.TC.fe0eimrU

CheckPoint

0CB0935C7

TS_Dropper.Win32.CozyDuke.TC.c219pcxF

CheckPoint

0C611B34C

Trojan.Win32.Generic.TC.fb3fvPnA

CheckPoint

0E6F76903

Downloader.Win32.ICEBEAT.TC.bb30HcBx

CheckPoint

0B1C50252

Downloader.Win32.STATICNOISE.TC.d6b5tRmt

CheckPoint

0FBD4F59A

Backdoor.undefined.GraphicalProton.TC.194aibLp

CheckPoint

0CD114C55

Backdoor.Win32.GraphicalProton.TC.5e7dpGBo

CheckPoint

0D7AD2DE8

Backdoor.undefined.GraphicalProton.TC.e6d0afZI

CheckPoint

0A452A9B3

Backdoor.Win32.GraphicalProton.TC.3847IObR

CheckPoint

0F887CFAD

Trojan.Win32.JloRat.TC.13e5NPGA

CheckPoint

09CAEB4A3

Downloader.Win32.Tomiris.TC.1147qTJN

CheckPoint

098595C3A

Generic.Win32.Generic.TC.27b4Semr

CheckPoint

0DF095355

Generic.Win32.Generic.TC.3f1dpToM

CheckPoint

0DD710230

Phishing.Win32.Malicious.TC.bb18rfmN

CheckPoint

09D11BEF1

Infostealer.Win32.Duke.TC.c8a5GQEX

CheckPoint

0D4060896

Backdoor.Win32.WineLoader.TC.9424nHPe

CheckPoint

0A1632938

UDS:Trojan.Win32.CozyDuke.gen.TC.8d9dkPPr

CheckPoint

0DA007E38

Trojan.Win32.CozyDuke.TC.ae99tzIy

CheckPoint

0FCEBCE53

Trojan.Win32.CozyDuke.TC.7b03kPMn

CheckPoint

0DC9B2F61

HEUR:Trojan.Win32.CozyDuke.gen.TC.b8d4KOcT

CheckPoint

0C8BCCC3A

Dropper.Win32.APT29.TC.s

CheckPoint

0B85A9C04

Dropper.Win32.APT29.TC.cn

CheckPoint

081CE661C

UDS:Trojan.Win32.CozyDuke.gen.TC.fa5eKtxy

CheckPoint

0AABC3668

UDS:DangerousObject.Multi.Generic.TC.4d77iJAf

CheckPoint

0FBD4F59A

Backdoor.undefined.GraphicalProton.TC.194aibLp

CheckPoint

0CD114C55

Backdoor.Win32.GraphicalProton.TC.5e7dpGBo

CheckPoint

0D7AD2DE8

Backdoor.undefined.GraphicalProton.TC.e6d0afZI

CheckPoint

0A452A9B3

Backdoor.Win32.GraphicalProton.TC.3847IObR

CheckPoint

0BA49BF69

Backdoor.undefined.GraphicalProton.TC.be58Ftsr

ForcePoint NGFW

N/A

File_Malware-Blocked

Fortinet AV

6602569

W32/Spy.ADY!tr

Fortinet AV

10145123

W64/Dukes.K!tr

Fortinet AV

10140721

W64/Dukes.I!tr

Fortinet AV

10147747

W32/Dukes.N!tr

Fortinet AV

10165121

W64/Dukes.RCE!tr

Fortinet AV

58991

W32/PossibleThreat

Fortinet AV

8233130

Malicious_Behavior.SB

Fortinet AV

10003530

PossibleThreat.FAI

Fortinet AV

7024603

Malware_Generic.P0

Fortinet AV

10146717

PDF/Agent.BLOB!tr.dldr

Fortinet AV

10176121

HTML/Phish.UDC!tr

Trellix

0x4840c900

MALWARE: Malicious File Detected by GTI

Palo Alto

44339436

Trojan/Win32.fr.wi

Palo Alto

42029343

Trojan/Win32.cozer.ae

Palo Alto

597771822

trojan/Win32.dukes.h

Palo Alto

595074318

trojan/Win32.tedy.boj

Palo Alto

595913958

Virus/Win32.highconfidence.az

Palo Alto

620305872

Trojan/Win32.vaporrage.j

Palo Alto

437070660

trojan/Win32 EXE.vilsel.ajusb

Palo Alto

353612592

Trojan/Win32.sorefang.a

Palo Alto

328980909

trojan/Win32 EXE.artemis.ahzn

Palo Alto

582175074

Virus/Win32.WGeneric.dyooab

Palo Alto

634886022

Virus/Win32.phish.hzda

Palo Alto

620305872

Trojan/Win32.vaporrage.j

Palo Alto

620517549

Trojan/Win32.vaporrage.k

Palo Alto

620304432

Trojan/Win32.vaporrage.i

Palo Alto

620271918

Trojan/Win32.vaporrage.g

Snort

1.53658.1

MALWARE-OTHER Cobalt Strike x64 executable download attempt

Snort

1.18682.15

FILE-PDF transfer of a PDF with OpenAction object attempt

Cisco FirePower

N/A

Win.Dropper.Cozer::in01

Cisco FirePower

1.53205.2

INDICATOR-OBFUSCATION Win.Dropper.Vivin download attempt

Cisco FirePower

 

W32.C37C109171-95.SBX.TG

Cisco FirePower

 

Auto.EBE231.262551.in02

Cisco FirePower

 

W32.620D2BF14F.in12.Talos

Cisco FirePower

 

W32.773F010272-95.SBX.TG

Cisco FirePower

 

Win64:Mal.26nn.in14.Talos

Cisco FirePower

 

W32.TR:Trojan.27fh.1201

Cisco FirePower

 

Auto.4C7D0E.262139.in02

Cisco FirePower

 

W32.Auto:8199f30947.in03.Talos

Cisco FirePower

 

Downloader:GenericKD-tpd

Cisco FirePower

1.55203.1

MALWARE-OTHER Win.Trojan.SoreFang malicious executable download attempt

Cisco FirePower

1.18682.15

FILE-PDF transfer of a PDF with OpenAction object attempt

Cisco FirePower

 

Auto.DA72F2.271661.in02

Cisco FirePower

 

W32.C37C109171-95.SBX.TG

Cisco FirePower

 

Auto.EBE231.262551.in02

Cisco FirePower

 

W32.620D2BF14F.in12.Talos

Cisco FirePower

 

W32.773F010272-95.SBX.TG

TrendMicro

24932

HTTP: Suspicious Javascript Obfuscation

TrendMicro

3232

HTTP: RFC 2397 Data URL Scheme Policy

TrendMicro

13460

HTTP: PDF Containing /Type/EmbeddedFile

References

[1] M. T. Intelligence, “Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files,” Microsoft Security Blog, Oct. 29, 2024. Available: https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/. [Accessed: Nov. 01, 2024]

[2] “Amazon identified internet domains abused by APT29,” Amazon Web Services, Oct. 24, 2024. Available: https://aws.amazon.com/blogs/security/amazon-identified-internet-domains-abused-by-apt29/. [Accessed: Nov. 01, 2024]

[3] “CERT-UA,” cert.gov.ua. Available: https://cert.gov.ua/. [Accessed: Nov. 01, 2024]