Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign

Starting from late October 2024, Russian state-sponsored threat actor Midnight Blizzard, also known as APT29 & Cozy Bear, has been actively deploying a sophisticated spear-phishing campaign targeting thousands of individuals across government, academia, and defense sectors, as well as NGOs [1]. Threat intelligence units at Microsoft, Amazon, and CERT-UA have published overlapping reports showing that Midnight Blizzard is leveraging an unusual combination of attack vectors, likely aimed at gathering intelligence and gaining privileged access across affected organizations.

In this blog, we are going to provide an overview of Midnight Blizzard’s attack campaigns, the key mitigation steps that you have to take (as suggested by CISA’s Alert), and how Picus can help you to simulate the tactics, techniques, and procedures, as well as provide ready-to-apply mitigation suggestions for your choice of vendor.

Simulate State-Sponsored Cyber Threats with 14-Day Free Trial of Picus Platform

Midnight Blizzard’s Spear Phishing Campaigns

In this recent spear-phishing campaign observed by Microsoft Threat Intelligence, the Russian threat actor Midnight Blizzard (also known as APT29, UNC2452, or Cozy Bear) has employed a novel attack vector, leveraging Remote Desktop Protocol (RDP) configuration files to compromise targeted systems. This campaign, which began on October 22, 2024, is aimed at a variety of sectors including government, academia, defense, and non-governmental organizations across multiple countries.

1. Spear-Phishing Emails and Social Engineering Done by Midnight Blizzard

The attack begins with highly targeted spear-phishing emails sent to thousands of users across over 100 organizations. These emails are designed to appear highly credible, often impersonating employees from well-known organizations such as Microsoft or Amazon Web Services (AWS) [2]. The phishing lures frequently reference Zero Trust security concepts to further legitimize the communication.

The emails contain a malicious RDP configuration file (.RDP), which is signed with a Let's Encrypt certificate to bypass security mechanisms that might otherwise flag unsigned or suspicious files. This use of a signed file adds a layer of trust, making the attack more difficult to detect.

2. How RDP Files Work in Spear-Phishing Campaigns of APT29?

The .RDP file is a key component of this campaign. RDP configuration files are typically used to automate the setup of a remote desktop session, specifying settings such as authentication methods, resource mapping, and network configurations. In this case, the malicious .RDP file is crafted to establish a connection to an actor-controlled server.

Figure 1. Malicious Remote Connection to Attacker's Server, Taken from Microsoft

Once the victim opens the .RDP file (check out the IOC section in the blog), the following sequence occurs:

• RDP Session Initiation: The victim's device connects to the attacker-controlled RDP server.

• Resource Mapping: The configuration file is designed to map local resources (such as logical hard drives, network drives, clipboard contents, printers, and connected peripherals) to the remote server. This bidirectional mapping allows the attacker to access and manipulate resources on the victim's device.

• Credential Exposure: During the RDP session, user credentials (including those used for Windows authentication, such as smart cards, Windows Hello, or security keys) may be exposed to the attacker. This could enable the threat actor to harvest credentials for further exploitation.

3. Impact of the Attack

Once the RDP connection is established, the attacker can:

• Access and Exfiltrate Data: The attacker can view and exfiltrate files, directories, and clipboard contents from the victim’s device.

• Manipulate Peripherals: Connected peripherals, such as smart cards, printers, and microphones, can be accessed and controlled by the attacker.

• Install Malware: The attacker may install malware on the victim’s local drives or mapped network shares, including remote access trojans (RATs) for persistent access. They could also place malicious files in AutoStart folders to ensure execution upon system startup.

• Harvest Credentials: The attack may result in the exposure of authentication credentials, which can be used for further compromise of the victim’s network or systems.

Victimology and Intent of APT29 (a.k.a Midnight Blizzard )

Midnight Blizzard's campaign aligns with its ongoing goal of intelligence collection. Although previous APT29 campaigns focused on narrow, highly selective targeting, this latest wave appears to be cast wider, reaching over 100 organizations ([1], [2]). The campaign targets sectors typically of interest to nation-state actors, including:

• Governmental agencies

• Defense contractors

• Higher education institutions

• Non-governmental organizations (NGOs)

Geographically, the campaign has been observed in countries such as the United Kingdom, Europe, Australia, and Japan. This broader targeting aligns with Midnight Blizzard’s historical focus on espionage and intelligence collection from Western organizations.

Mitigation Steps to Take Against Large-Scale Spear Phishing Campaign with RDP Attachments

Below are CISA's recommended proactive mitigation strategies, along with the rationale behind each step and the anticipated outcomes.

Restrict Outbound RDP Connections

• Why This Matters: RDP is a highly targeted protocol due to its widespread use for remote access. Allowing RDP connections to external or public networks exposes organizations to brute-force attacks, credential stuffing, and exploitation of unpatched vulnerabilities.

• Recommended Action: Organizations should forbid or significantly restrict outbound RDP connections to external or public networks. Implement firewalls, secure policies, and access control lists to enforce this restriction.

• Outcome / Impact: By restricting or entirely forbidding outbound RDP connections to the internet, organizations can significantly reduce their attack surface. This limits the risk of unauthorized access and lateral movement by attackers.

Block RDP Files in Communication Platforms

• Why This Matters: Attackers can use RDP files to deliver malicious payloads or establish unauthorized remote sessions. These files are often shared via email or messaging platforms, making them a potential threat.

• Recommended Action: Prohibit the transmission of RDP files through email clients and webmail services to prevent accidental execution of malicious RDP configurations.

• Outcome / Impact: Blocking RDP files in communication platforms reduces the risk of users executing malicious RDP files, thereby preventing unauthorized remote access.

Enable Multi-Factor Authentication (MFA)

• Why This Matters: MFA adds an essential layer of security by requiring multiple forms of verification, making it harder for attackers to gain unauthorized access, even if credentials are compromised.

• Recommended Action: Enable multi-factor authentication wherever feasible to secure remote access. Avoid using SMS-based MFA due to its vulnerability to SIM-jacking attacks.

• Outcome / Impact: MFA helps protect against unauthorized access, even in cases of credential theft, thereby enhancing the overall security of the organization.

Adopt Phishing-Resistant Authentication Methods

• Why This Matters: Traditional MFA methods, such as SMS-based authentication, are vulnerable to phishing and SIM-jacking attacks. Phishing-resistant methods provide stronger protection.

• Recommended Action: Deploy phishing-resistant authentication methods, such as FIDO tokens, to safeguard against phishing attacks. 

• Outcome / Impact: Phishing-resistant authentication methods provide stronger protection against phishing attacks, reducing the likelihood of unauthorized access.

Implement Conditional Access Policies

• Why This Matters: Conditional access policies ensure that only authorized users and devices can access sensitive systems, based on specific criteria like user identity, location, or device type.

• Recommended Action: Establish Conditional Access Authentication Strength policies to enforce the use of phishing-resistant authentication methods.

• Outcome / Impact: Conditional access policies ensure that only trusted users and devices can access critical systems, reducing the risk of unauthorized access and data breaches.

Deploy Endpoint Detection and Response (EDR)

• Why This Matters: EDR solutions provide continuous monitoring of endpoints, allowing organizations to detect and respond to suspicious activities in real-time.

• Recommended Action: Implement EDR solutions to continuously monitor for and respond to suspicious activities within the network.

• Outcome / Impact: EDR enhances the organization’s ability to detect and respond to security incidents, minimizing the impact of potential attacks.

Consider Additional Security Solutions:

• Why This Matters: While EDR is effective, additional security measures such as anti-phishing and antivirus solutions provide broader protection against a wide range of threats.

• Recommended Action: In addition to EDR, evaluate the deployment of anti-phishing and antivirus solutions to strengthen defenses against emerging threats.

• Outcome / Impact: By layering additional security solutions, organizations can bolster their defenses and guard against various attack vectors, reducing the likelihood of successful breaches.

Conduct User Education:

• Why This Matters: Human error is a major factor in many security breaches, especially through social engineering and phishing attacks. Educating users on how to recognize and respond to threats is crucial.

• Recommended Action: Implement a robust user education program that highlights how to identify and report phishing emails and other suspicious activities. Provide users with simple tips to avoid phishing.

• Outcome / Impact: Well-informed users are less likely to fall victim to phishing and social engineering attacks, reducing the overall risk to the organization.

Hunt For Activity Using Referenced Indicators and TTPs:

• Why This Matters: Proactively searching for known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by attackers can help organizations identify potential threats early.

• Recommended Action: Utilize all indicators and TTPs from relevant articles and threat reports to search for malicious activity within your network. Specifically, search for unexpected or unauthorized outbound RDP connections within the last year.

• Outcome / Impact: Proactively hunting for malicious activity using known IOCs and TTPs improves the organization’s ability to detect and mitigate threats before they cause significant damage.

IOCs for Midnight Blizzard's RDP-Based Spear Phishing Campaign by CERT-UA#11690

The following table organizes the data by MD5 hash, SHA-256 hash, and file name for easy reference of IOCs for Midnight Blizzard’s RDP-based spear-phishing campaign, provided by CERT-UA#11690 [3].

How Picus Helps Simulate APT29 (a.k.a Midnight Blizzard) Attacks?

We strongly suggest simulating APT29 (a.k.a Midnight Blizzard, Cozy Bear) attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other state-sponsored threat actors, such as APT40, Lazarus, and Volt Typhoon, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Midnight Blizzard aka APT29:

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address malware and vulnerabilities exploited by the APT29 group in preventive security controls. Currently, Picus Labs validated the following signatures for APT29 Group:

References

[1] M. T. Intelligence, “Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files,” Microsoft Security Blog, Oct. 29, 2024. Available: https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/. [Accessed: Nov. 01, 2024]

[2] “Amazon identified internet domains abused by APT29,” Amazon Web Services, Oct. 24, 2024. Available: https://aws.amazon.com/blogs/security/amazon-identified-internet-domains-abused-by-apt29/. [Accessed: Nov. 01, 2024]

[3] “CERT-UA,” cert.gov.ua. Available: https://cert.gov.ua/. [Accessed: Nov. 01, 2024]