Starting in late October 2024, the Russian state-sponsored threat actor Midnight Blizzard, also known as APT29 and Cozy Bear, has been running a sophisticated spear-phishing campaign against thousands of individuals across government, academia, defense, and NGOs [1]. Threat intelligence units at Microsoft, Amazon, and CERT-UA have published overlapping reports showing that Midnight Blizzard is using an unusual combination of attack vectors, most likely to gather intelligence and gain privileged access inside the affected organizations.
In this blog, we provide an overview of Midnight Blizzard's attack campaign, the key mitigation steps you should take (as suggested by CISA's alert), and how Picus can help you simulate the tactics, techniques, and procedures involved and obtain ready-to-apply mitigation suggestions for your choice of vendor.
In this recent spear-phishing campaign observed by Microsoft Threat Intelligence, the Russian threat actor Midnight Blizzard (also known as APT29, UNC2452, or Cozy Bear) has employed a novel attack vector, leveraging Remote Desktop Protocol (RDP) configuration files to compromise targeted systems. This campaign, which began on October 22, 2024, is aimed at a variety of sectors including government, academia, defense, and non-governmental organizations across multiple countries.
The attack begins with highly targeted spear-phishing emails sent to thousands of users across over 100 organizations. These emails are designed to appear highly credible, often impersonating employees from well-known organizations such as Microsoft or Amazon Web Services (AWS) [2]. The phishing lures frequently reference Zero Trust security concepts to further legitimize the communication.
The emails contain a malicious RDP configuration file (.RDP) signed with a Let's Encrypt certificate, which lets it pass security mechanisms that would otherwise flag unsigned or suspicious files. The signature adds a layer of apparent trust and makes the attack harder to detect; note that a valid signature only shows that the signed settings were not altered after signing, and says nothing about whether the destination host is trustworthy.
The .RDP file is a key component of this campaign. RDP configuration files are typically used to automate the setup of a remote desktop session, specifying settings such as authentication methods, resource mapping, and network configurations. In this case, the malicious .RDP file is crafted to establish a connection to an actor-controlled server.
Figure 1. Malicious Remote Connection to Attacker's Server, Taken from Microsoft
Once the victim opens the .RDP file (see the IOC section below for the file names and hashes), the following sequence occurs:
RDP Session Initiation: The victim's device connects to the attacker-controlled RDP server.
Resource Mapping: The configuration file is designed to map local resources (such as logical hard drives, network drives, clipboard contents, printers, and connected peripherals) to the remote server. This bidirectional mapping allows the attacker to access and manipulate resources on the victim's device.
Credential Exposure: During the RDP session, user credentials (including those used for Windows authentication, such as smart cards, Windows Hello, or security keys) may be exposed to the attacker. This could enable the threat actor to harvest credentials for further exploitation.
Once the RDP connection is established, the attacker can:
Access and Exfiltrate Data: The attacker can view and exfiltrate files, directories, and clipboard contents from the victim’s device.
Manipulate Peripherals: Connected peripherals, such as smart cards, printers, and microphones, can be accessed and controlled by the attacker.
Install Malware: The attacker may install malware on the victim’s local drives or mapped network shares, including remote access trojans (RATs) for persistent access. They could also place malicious files in AutoStart folders to ensure execution upon system startup.
Note: Midnight Blizzard is known for employing advanced techniques to gain and maintain access to victim environments. In previous campaigns, the group has used malware such as FOGGYWEB and MAGICWEB to compromise Active Directory Federation Services (AD FS), allowing it to move laterally from on-premises environments to cloud infrastructure. In addition, the reconnaissance and exfiltration backdoor GraphicalProton is known to be distributed by APT29 through DLL hijacking of Zabbix and Webroot antivirus software.
Harvest Credentials: The attack may result in the exposure of authentication credentials, which can be used for further compromise of the victim’s network or systems.
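The redirection described above is driven entirely by plain-text settings inside the .rdp file, so a gateway or analyst can read the file and see what it would hand to the remote host before anyone double-clicks it. The Python script below is an added example, not code from the original post or from Picus: it parses the standard mstsc `name:type:value` lines, extracts the destination host, lists every redirected resource class, reports whether a signature is present, and returns a verdict. The sample file, the allowed-host list, and the verdict rules are constructed for the illustration; the setting names are the standard RDP file properties.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the behaviour described above; it is NOT one of
# the campaign's real files. It points the session at an external host and hands
# every local resource class to the remote side.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdp.attacker-controlled.example:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
devicestoredirect:s:*
redirectwebauthn:i:1
prompt for credentials:i:0
signscope:s:Full Address,Drive Store Redirect
signature:s:AQABAAEAAADconstructedPlaceholderSignature
"""

# Standard mstsc .rdp settings that redirect a local resource class to the
# remote host. "i" settings are on when the value is 1; the two "s" settings
# redirect when non-empty ("*" means everything).
REDIRECT_SETTINGS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug-and-play devices",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "COM ports",
    "redirectwebauthn": "WebAuthn (Windows Hello / security keys)",
}


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}.

    Setting names are case-insensitive for mstsc, so they are lowercased here.
    Lines without at least two separators (blank lines, junk) are skipped.
    """
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue
        name, kind, value = (p.strip() for p in parts)
        settings[name.lower()] = (kind.lower(), value)
    return settings


def _redirect_enabled(kind: str, value: str) -> bool:
    if kind == "i":
        return value == "1"
    if kind == "s":
        return value != ""
    return False


def target_host(settings: Dict[str, Tuple[str, str]]) -> str:
    """Host part of 'full address' with a trailing :port removed (IPv4/DNS names;
    bracketed IPv6 literals would need extra handling)."""
    _, value = settings.get("full address", ("s", ""))
    match = re.fullmatch(r"(.+):(\d{1,5})", value)
    return (match.group(1) if match else value).lower()


def assess_rdp(text: str, allowed_hosts: List[str]) -> Dict[str, object]:
    """Classify an .rdp file as allow / review / block for a mail or web gateway."""
    settings = parse_rdp(text)
    host = target_host(settings)
    allowed = host in {h.lower() for h in allowed_hosts}
    redirected = [label for name, label in REDIRECT_SETTINGS.items()
                  if name in settings and _redirect_enabled(*settings[name])]
    # A signature only shows the covered settings were not altered; it does not
    # vouch for the signer or the destination, so it is reported but never
    # lowers the verdict.
    signed = settings.get("signature", ("s", ""))[1] != ""
    if redirected and not allowed:
        verdict = "block"      # external host AND local resources exposed
    elif redirected or not allowed:
        verdict = "review"     # one of the two: a human should look at it
    else:
        verdict = "allow"
    return {"host": host, "allowed_host": allowed, "signed": signed,
            "redirected": redirected, "verdict": verdict}


if __name__ == "__main__":
    import json
    # Assumed: rdp.corp.example is the organisation's only sanctioned RDP host.
    print(json.dumps(assess_rdp(SAMPLE_RDP, ["rdp.corp.example"]), indent=2))
```

Run against the sample, the script reports the external destination, all seven redirected resource classes, `signed: true`, and a `block` verdict; the point of keeping the signature as a reported field rather than a trust input is exactly the Let's Encrypt case described in this campaign.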
Midnight Blizzard's campaign aligns with its ongoing goal of intelligence collection. Although previous APT29 campaigns focused on narrow, highly selective targeting, this latest wave appears to be cast wider, reaching over 100 organizations ([1], [2]). The campaign targets sectors typically of interest to nation-state actors, including:
Governmental agencies
Defense contractors
Higher education institutions
Non-governmental organizations (NGOs)
Geographically, the campaign has been observed in the United Kingdom, across Europe, and in Australia and Japan. This broader targeting is consistent with Midnight Blizzard's historical focus on espionage and intelligence collection against Western organizations.
Below are CISA's recommended proactive mitigation strategies, along with the rationale behind each step and the anticipated outcomes.
Why This Matters: RDP is a highly targeted protocol due to its widespread use for remote access. Allowing RDP connections to external or public networks exposes organizations to brute-force attacks, credential stuffing, and exploitation of unpatched vulnerabilities.
Recommended Action: Organizations should forbid or significantly restrict outbound RDP connections to external or public networks. Implement firewalls, secure policies, and access control lists to enforce this restriction.
Outcome / Impact: By restricting or entirely forbidding outbound RDP connections to the internet, organizations can significantly reduce their attack surface. This limits the risk of unauthorized access and lateral movement by attackers.
Why This Matters: Attackers can use RDP files to deliver malicious payloads or establish unauthorized remote sessions. These files are often shared via email or messaging platforms, making them a potential threat.
Recommended Action: Prohibit the transmission of RDP files through email clients and webmail services to prevent accidental execution of malicious RDP configurations.
Outcome / Impact: Blocking RDP files in communication platforms reduces the risk of users executing malicious RDP files, thereby preventing unauthorized remote access.
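Blocking the attachment type is only effective if the gateway recognises an RDP configuration when it arrives under another extension or inside an archive, and mstsc itself saves .rdp files as UTF-16 text, which a naive byte search misses. The Python filter below is an added example, not code from the original post or from Picus: it flags attachments by extension, by content (two or more well-known setting names after BOM-aware decoding), and recursively inside zip archives. The sample attachments, the marker list, and the size and depth limits are constructed for the illustration.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# Setting names present in virtually every mstsc-generated .rdp file. Two hits
# are required so that ordinary text mentioning one of them does not match.
RDP_MARKERS = ("full address:s:", "screen mode id:i:",
               "drivestoredirect:s:", "signscope:s:")
MAX_MEMBER_BYTES = 1_000_000  # .rdp files are a few KB; larger members are skipped
MAX_DEPTH = 3                 # how deep to descend into nested archives


def decode_rdp_text(data: bytes) -> str:
    """mstsc writes .rdp files as UTF-16 with a BOM; hand-written ones are
    usually ASCII/UTF-8. Decode accordingly so both forms are searchable."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="ignore")
    return data.decode("utf-8", errors="ignore")


def looks_like_rdp(data: bytes) -> bool:
    text = decode_rdp_text(data[:8192]).lower()
    return sum(marker in text for marker in RDP_MARKERS) >= 2


def scan_attachment(filename: str, data: bytes, depth: int = 0) -> List[str]:
    """Return the reasons an attachment should be blocked (empty = clean)."""
    reasons: List[str] = []
    if filename.lower().endswith(".rdp"):
        reasons.append("extension .rdp")
    if looks_like_rdp(data):
        reasons.append("content is an RDP configuration")
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.is_dir() or member.file_size > MAX_MEMBER_BYTES:
                    continue
                inner = scan_attachment(member.filename, archive.read(member), depth + 1)
                reasons.extend(f"{member.filename}: {r}" for r in inner)
    return reasons


def filter_message(attachments: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """Split a message's attachments into blocked and passed, with reasons."""
    result: Dict[str, object] = {"blocked": [], "passed": [], "reasons": {}}
    for name, data in attachments:
        reasons = scan_attachment(name, data)
        if reasons:
            result["blocked"].append(name)
            result["reasons"][name] = reasons
        else:
            result["passed"].append(name)
    return result


# --- constructed sample input -------------------------------------------------
RDP_TEXT = ("screen mode id:i:2\r\n"
            "full address:s:rdp.attacker-controlled.example\r\n"
            "drivestoredirect:s:*\r\n")


def _zip_with(name: str, payload: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(name, payload)
    return buf.getvalue()


SAMPLE_ATTACHMENTS = [
    ("Compliance Check.rdp", RDP_TEXT.encode("utf-16")),  # as saved by mstsc
    ("report.txt", RDP_TEXT.encode("ascii")),             # same content, other extension
    ("config.zip", _zip_with("check.rdp", RDP_TEXT)),     # wrapped in an archive
    ("notes.txt", b"Agenda for Tuesday\n"),               # benign
]

if __name__ == "__main__":
    print(filter_message(SAMPLE_ATTACHMENTS))
```

The three RDP-bearing attachments are blocked, each with its own reason, while the benign text file passes; the UTF-16 case is the one an extension-only rule that is later "improved" with a plain byte search would still miss.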
Why This Matters: MFA adds an essential layer of security by requiring multiple forms of verification, making it harder for attackers to gain unauthorized access, even if credentials are compromised.
Recommended Action: Enable multi-factor authentication wherever feasible to secure remote access. Avoid using SMS-based MFA due to its vulnerability to SIM-jacking attacks.
Outcome / Impact: MFA helps protect against unauthorized access, even in cases of credential theft, thereby enhancing the overall security of the organization.
Why This Matters: Traditional MFA methods, such as SMS-based authentication, are vulnerable to phishing and SIM-jacking attacks. Phishing-resistant methods provide stronger protection.
Recommended Action: Deploy phishing-resistant authentication methods, such as FIDO tokens, to safeguard against phishing attacks.
Outcome / Impact: Phishing-resistant authentication methods provide stronger protection against phishing attacks, reducing the likelihood of unauthorized access.
Why This Matters: Conditional access policies ensure that only authorized users and devices can access sensitive systems, based on specific criteria like user identity, location, or device type.
Recommended Action: Establish Conditional Access Authentication Strength policies to enforce the use of phishing-resistant authentication methods.
Outcome / Impact: Conditional access policies ensure that only trusted users and devices can access critical systems, reducing the risk of unauthorized access and data breaches.
Why This Matters: EDR solutions provide continuous monitoring of endpoints, allowing organizations to detect and respond to suspicious activities in real-time.
Recommended Action: Implement EDR solutions to continuously monitor for and respond to suspicious activities within the network.
Outcome / Impact: EDR enhances the organization’s ability to detect and respond to security incidents, minimizing the impact of potential attacks.
Why This Matters: While EDR is effective, additional security measures such as anti-phishing and antivirus solutions provide broader protection against a wide range of threats.
Recommended Action: In addition to EDR, evaluate the deployment of anti-phishing and antivirus solutions to strengthen defenses against emerging threats.
Outcome / Impact: By layering additional security solutions, organizations can bolster their defenses and guard against various attack vectors, reducing the likelihood of successful breaches.
Why This Matters: Human error is a major factor in many security breaches, especially through social engineering and phishing attacks. Educating users on how to recognize and respond to threats is crucial.
Recommended Action: Implement a robust user education program that highlights how to identify and report phishing emails and other suspicious activities. Provide users with simple tips to avoid phishing.
Outcome / Impact: Well-informed users are less likely to fall victim to phishing and social engineering attacks, reducing the overall risk to the organization.
Why This Matters: Proactively searching for known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by attackers can help organizations identify potential threats early.
Recommended Action: Utilize all indicators and TTPs from relevant articles and threat reports to search for malicious activity within your network. Specifically, search for unexpected or unauthorized outbound RDP connections within the last year.
Outcome / Impact: Proactively hunting for malicious activity using known IOCs and TTPs improves the organization’s ability to detect and mitigate threats before they cause significant damage.
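The outbound-RDP restriction and the hunting step above share one data source: egress firewall or flow logs. As an added example (not code from the original post or from Picus), the Python below walks constructed key=value flow records, keeps flows to TCP/UDP 3389, drops internal-to-internal traffic and the organisation's sanctioned external RDP endpoint, and groups what remains by destination. Denied flows are kept on purpose: a deny shows the egress control worked, but the source host still tried to reach an external RDP server, which is the endpoint to look at. The log format, internal ranges, and approved-gateway address are assumptions for the illustration.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed firewall/flow records in a simple key=value form (not a real
# vendor format). Internal hosts are RFC 1918; "external" destinations use the
# RFC 5737 documentation ranges so nothing here points at a real system.
SAMPLE_FLOWS = """\
2024-10-23T09:14:02Z src=10.20.5.17 dst=10.20.0.8 proto=tcp dport=3389 action=allow
2024-10-23T09:15:41Z src=10.20.5.17 dst=203.0.113.45 proto=tcp dport=3389 action=allow
2024-10-23T09:16:10Z src=10.20.7.3 dst=198.51.100.9 proto=tcp dport=443 action=allow
2024-10-23T09:17:55Z src=10.20.9.22 dst=198.51.100.77 proto=tcp dport=3389 action=deny
2024-10-23T09:18:30Z src=10.20.9.22 dst=192.0.2.10 proto=tcp dport=3389 action=allow
2024-10-23T09:19:02Z src=10.20.5.17 dst=203.0.113.45 proto=udp dport=3389 action=allow
"""

# Assumed: the organisation's only sanctioned external RDP endpoint (an RD Gateway).
APPROVED_EXTERNAL_RDP: Set[str] = {"192.0.2.10"}
# Assumed: the organisation's internal address space (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RDP_PORTS = {3389}  # RDP uses both TCP and UDP 3389; add any non-standard ports in use

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_flow(line: str) -> Optional[Dict[str, str]]:
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip: str) -> bool:
    """Explicit range check rather than ipaddress.is_private, which also treats
    the RFC 5737 documentation ranges used here as private."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def hunt_outbound_rdp(log_text: str,
                      approved: Set[str] = APPROVED_EXTERNAL_RDP) -> List[Dict[str, str]]:
    """Return flows from internal hosts to unsanctioned external RDP ports."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or int(flow["dport"]) not in RDP_PORTS:
            continue
        if not is_internal(flow["src"]) or is_internal(flow["dst"]):
            continue
        if flow["dst"] in approved:
            continue
        # A denied attempt is still a lead: the egress control held, but
        # something on the source host tried to open an external RDP session.
        flow["note"] = "blocked attempt" if flow["action"] == "deny" else "session allowed"
        findings.append(flow)
    return findings


def sources_by_destination(findings: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group flagged flows so each external host lists the internal machines that reached for it."""
    grouped: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        grouped[f["dst"]].add(f["src"])
    return dict(grouped)


if __name__ == "__main__":
    hits = hunt_outbound_rdp(SAMPLE_FLOWS)
    for f in hits:
        print(f"{f['ts']} {f['src']} -> {f['dst']} {f['proto']}/{f['dport']} ({f['note']})")
    print(sources_by_destination(hits))
```

Three of the six records are flagged (two allowed sessions and one blocked attempt), the internal RDP flow and the approved gateway are skipped, and the grouping gives the analyst a per-destination list of hosts to triage; on real data the same shape of query runs over the past year, as the CISA step recommends.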
The following table lists the IOCs for Midnight Blizzard's RDP-based spear-phishing campaign by file name, MD5 hash, and SHA-256 hash, as provided by CERT-UA (alert #11690) [3].
| File Name | MD5 Hash | SHA-256 Hash |
|---|---|---|
| Zero Trust Architecture Configuration.rdp | a5de73d69c1a7fbae2e71b98d48fe9b5 | 34c88cd591f73bc47a1a0fe2a4f594f628be98ad2366eeb4e467595115d8505a |
| ZTS Device Compatibility Test.rdp | 8bcb741a204c25232a11a7084aa2221f | 071276e907f185d9e341d549b198e60741e2c7f8d64dd2ca2c5d88d50b2c6ffc |
| Device Configuration Verification.rdp | 86f58115c891ce91b7364e5ff0314b31 | 6e6680786fa5b023cf301b6bc5faaa89c86dc34b696f4b078cf22b1b353d5d3c |
| Zero Trust Architecture Configuration.rdp | 80b3cad4f70b6ea8924aa13d2730328b | 31f2cc1157248aec5135147073e49406d057bebf78b3361dd7cbb6e37708fbcc |
| Device Security Requirements Check.rdp | c0da30b71d58e071fc5863381444d9f0 | 88fd6a36e8a61597dd71755b985e5fcd0b8308b69fc0f4b0fc7960fb80018622 |
| Device Security Requirements Check.rdp | 1595266bb78dc1e3d67f929154824c74 | b8327671ebc20db6f09efc4f19bd8c39d9e28c9a37bdd15b2fd62ade208d2e8a |
| Device Configuration Verification.rdp | 222c83d156a41735c38cc552a7084a86 | a5bbb109faefcecba695a84a737f5e47fa418cea39d654bb512a6f4a0b148758 |
| Zero Trust Architecture Configuration.rdp | fa9af43e9bbb55b7512b369084d91f4d | 5534cc837ba4fa3726322883449b3e97ca3e0d28c0ccf468b868397fdfa44e0b |
| Zero Trust Security Environment Compliance Check.rdp | 281a28800a4ba744bfde7b4aff46f24e | b9ab481e7a9a92cfa2d53de8e7a3c75287cff6a3374f4202ec16ea9e03d80a0b |
| Device Configuration Verification.rdp | d37cd2c462af0e0643076b20c5ff561e | 18a078a976734c9ec562f5dfa3f5904ef5d37000fb8c1f5bd0dc2dee47203bf9 |
| AWS IAM Quick Start.rdp | e465a4191a93195094a803e5d4703a90 | bb4d5a3f7a40c895882b73e1aca8c71ea40cef6c4f6732bec36e6342f6e2487a |
| Device Configuration Verification.rdp | 3f753810430b26b94a172fbf816e7d76 | ef4bd88ec5e8b401594b22632fd05e401658cf78de681f81409eadf93f412ebd |
| Zero Trust Security Environment Compliance Check.rdp | 434ffae8cfc3caa370be2e69ffaa95d1 | 1cfe29f214d1177b66aec2b0d039fec47dd94c751fa95d34bc5da3bbab02213a |
| ZTS Device Compatibility Test.rdp | c287c05d91a19796b2649ebebd27394b | 3a2496db64507311f5fbd3aba0228b653f673fc2152a267a1386cbab33798db5 |
| AWS IAM Configuration.rdp | aabbfd1acd3f3a2212e348f2d6f169fc | 984082823dc1f122a1bb505700c25b27332f54942496814dfd0c68de0eba59dc |
| Zero Trust Security Environment Compliance Check.rdp | b0a0ad4093e781a278541e4b01daa7a8 | 383e63f40aecdd508e1790a8b7535e41b06b3f6984bb417218ca96e554b1164b |
| Device Security Requirements Check.rdp | a18a1cad9df5b409963601c8e30669e4 | 296d446cb2ad93255c45a2d4b674bbacb6d1581a94cf6bb5e54df5a742502680 |
| ZTS Device Compatibility Test.rdp | cbbc4903da831b6f1dc39d0c8d3fc413 | 129ba064dfd9981575c00419ee9df1c7711679abc974fa4086076ebc3dc964f5 |
| AWS IAM Quick Start.rdp | bd711dc427e17cc724f288cc5c3b0842 | f2acb92d0793d066e9414bc9e0369bd3ffa047b40720fe3bd3f2c0875d17a1cb |
| AWS IAM Compliance Check.rdp | b38e7e8bba44bc5619b2689024ad9fca | f357d26265a59e9c356be5a8ddb8d6533d1de222aae969c2ad4dc9c40863bfe8 |
| AWS IAM Configuration.rdp | 40f957b756096fa6b80f95334ba92034 | 280fbf353fdffefc5a0af40c706377142fff718c7b87bc8b0daab10849f388d0 |
| Zero Trust Security Environment Compliance Check.rdp | db326d934e386059cc56c4e61695128e | 8b45f5a173e8e18b0d5c544f9221d7a1759847c28e62a25210ad8265f07e96d5 |
| Zero Trust Security Environment Compliance Check.rdp | f58cf55b944f5942f1d120d95140b800 | ba4d58f2c5903776fe47c92a0ec3297cc7b9c8fa16b3bf5f40b46242e7092b46 |
We strongly suggest simulating APT29 (a.k.a. Midnight Blizzard, Cozy Bear) attacks with the Picus Security Validation Platform to test the effectiveness of your security controls against sophisticated cyber attacks. With a 14-day free trial of the Picus Platform you can also test your defenses against hundreds of other state-sponsored threat actors, such as APT40, Lazarus, and Volt Typhoon, within minutes.
The Picus Threat Library includes the following threats for Midnight Blizzard (APT29):
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 35957 | APT29 Group Campaign 2020 | Windows Endpoint |
| 43027 | APT29 Dropping Brute Ratel Campaign 2022 | Windows Endpoint |
| 39050 | UNC2452 Threat Group SolarWinds/SUNBURST Campaign 2020 | Windows Endpoint |
| 31911 | APT29 Threat Group Campaign Malware Download Threat - 2 | Network Infiltration |
| 43072 | APT29 Threat Group Campaign Malware Email Threat - 2 | E-mail Infiltration (Phishing) |
| 23181 | APT29 Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration |
| 66164 | APT29 Threat Group Campaign Backdoor Malware Email Threat | E-mail Infiltration (Phishing) |
| 60593 | APT29 Threat Group Campaign Malware Downloader Download Threat | Network Infiltration |
| 62913 | APT29 Threat Group Campaign Malware Downloader Email Threat | E-mail Infiltration (Phishing) |
| 80648 | APT29 Threat Group Campaign Malware Dropper Download Threat | Network Infiltration |
| 42743 | APT29 Threat Group Campaign Malware Dropper Email Threat | E-mail Infiltration (Phishing) |
| 25539 | APT29 Threat Group Campaign Malware Download Threat - 1 | Network Infiltration |
| 27133 | APT29 Threat Group Campaign Malware Email Threat - 1 | E-mail Infiltration (Phishing) |
| 52293 | GraphicalProton Backdoor Malware Download Threat | Network Infiltration |
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for preventive security controls that address the malware and vulnerabilities used by the APT29 group. Picus Labs has validated the following signatures for APT29:
| Security Control | Signature ID | Signature Name |
|---|---|---|
| CheckPoint | 0B6090696 | UDS:DangerousObject.Multi.Generic.TC.3a78qZlV |
| CheckPoint | 0FFC1CE32 | Trojan.Win32.CozyDuke.TC.fe0eimrU |
| CheckPoint | 0CB0935C7 | TS_Dropper.Win32.CozyDuke.TC.c219pcxF |
| CheckPoint | 0C611B34C | Trojan.Win32.Generic.TC.fb3fvPnA |
| CheckPoint | 0E6F76903 | Downloader.Win32.ICEBEAT.TC.bb30HcBx |
| CheckPoint | 0B1C50252 | Downloader.Win32.STATICNOISE.TC.d6b5tRmt |
| CheckPoint | 0FBD4F59A | Backdoor.undefined.GraphicalProton.TC.194aibLp |
| CheckPoint | 0CD114C55 | Backdoor.Win32.GraphicalProton.TC.5e7dpGBo |
| CheckPoint | 0D7AD2DE8 | Backdoor.undefined.GraphicalProton.TC.e6d0afZI |
| CheckPoint | 0A452A9B3 | Backdoor.Win32.GraphicalProton.TC.3847IObR |
| CheckPoint | 0F887CFAD | Trojan.Win32.JloRat.TC.13e5NPGA |
| CheckPoint | 09CAEB4A3 | Downloader.Win32.Tomiris.TC.1147qTJN |
| CheckPoint | 098595C3A | Generic.Win32.Generic.TC.27b4Semr |
| CheckPoint | 0DF095355 | Generic.Win32.Generic.TC.3f1dpToM |
| CheckPoint | 0DD710230 | Phishing.Win32.Malicious.TC.bb18rfmN |
| CheckPoint | 09D11BEF1 | Infostealer.Win32.Duke.TC.c8a5GQEX |
| CheckPoint | 0D4060896 | Backdoor.Win32.WineLoader.TC.9424nHPe |
| CheckPoint | 0A1632938 | UDS:Trojan.Win32.CozyDuke.gen.TC.8d9dkPPr |
| CheckPoint | 0DA007E38 | Trojan.Win32.CozyDuke.TC.ae99tzIy |
| CheckPoint | 0FCEBCE53 | Trojan.Win32.CozyDuke.TC.7b03kPMn |
| CheckPoint | 0DC9B2F61 | HEUR:Trojan.Win32.CozyDuke.gen.TC.b8d4KOcT |
| CheckPoint | 0C8BCCC3A | Dropper.Win32.APT29.TC.s |
| CheckPoint | 0B85A9C04 | Dropper.Win32.APT29.TC.cn |
| CheckPoint | 081CE661C | UDS:Trojan.Win32.CozyDuke.gen.TC.fa5eKtxy |
| CheckPoint | 0AABC3668 | UDS:DangerousObject.Multi.Generic.TC.4d77iJAf |
| CheckPoint | 0FBD4F59A | Backdoor.undefined.GraphicalProton.TC.194aibLp |
| CheckPoint | 0CD114C55 | Backdoor.Win32.GraphicalProton.TC.5e7dpGBo |
| CheckPoint | 0D7AD2DE8 | Backdoor.undefined.GraphicalProton.TC.e6d0afZI |
| CheckPoint | 0A452A9B3 | Backdoor.Win32.GraphicalProton.TC.3847IObR |
| CheckPoint | 0BA49BF69 | Backdoor.undefined.GraphicalProton.TC.be58Ftsr |
| ForcePoint NGFW | N/A | File_Malware-Blocked |
| Fortinet AV | 6602569 | W32/Spy.ADY!tr |
| Fortinet AV | 10145123 | W64/Dukes.K!tr |
| Fortinet AV | 10140721 | W64/Dukes.I!tr |
| Fortinet AV | 10147747 | W32/Dukes.N!tr |
| Fortinet AV | 10165121 | W64/Dukes.RCE!tr |
| Fortinet AV | 58991 | W32/PossibleThreat |
| Fortinet AV | 8233130 | Malicious_Behavior.SB |
| Fortinet AV | 10003530 | PossibleThreat.FAI |
| Fortinet AV | 7024603 | Malware_Generic.P0 |
| Fortinet AV | 10146717 | PDF/Agent.BLOB!tr.dldr |
| Fortinet AV | 10176121 | HTML/Phish.UDC!tr |
| Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Palo Alto | 44339436 | Trojan/Win32.fr.wi |
| Palo Alto | 42029343 | Trojan/Win32.cozer.ae |
| Palo Alto | 597771822 | trojan/Win32.dukes.h |
| Palo Alto | 595074318 | trojan/Win32.tedy.boj |
| Palo Alto | 595913958 | Virus/Win32.highconfidence.az |
| Palo Alto | 620305872 | Trojan/Win32.vaporrage.j |
| Palo Alto | 437070660 | trojan/Win32 EXE.vilsel.ajusb |
| Palo Alto | 353612592 | Trojan/Win32.sorefang.a |
| Palo Alto | 328980909 | trojan/Win32 EXE.artemis.ahzn |
| Palo Alto | 582175074 | Virus/Win32.WGeneric.dyooab |
| Palo Alto | 634886022 | Virus/Win32.phish.hzda |
| Palo Alto | 620305872 | Trojan/Win32.vaporrage.j |
| Palo Alto | 620517549 | Trojan/Win32.vaporrage.k |
| Palo Alto | 620304432 | Trojan/Win32.vaporrage.i |
| Palo Alto | 620271918 | Trojan/Win32.vaporrage.g |
| Snort | 1.53658.1 | MALWARE-OTHER Cobalt Strike x64 executable download attempt |
| Snort | 1.18682.15 | FILE-PDF transfer of a PDF with OpenAction object attempt |
| Cisco FirePower | N/A | Win.Dropper.Cozer::in01 |
| Cisco FirePower | 1.53205.2 | INDICATOR-OBFUSCATION Win.Dropper.Vivin download attempt |
| Cisco FirePower | W32.C37C109171-95.SBX.TG | |
| Cisco FirePower | Auto.EBE231.262551.in02 | |
| Cisco FirePower | W32.620D2BF14F.in12.Talos | |
| Cisco FirePower | W32.773F010272-95.SBX.TG | |
| Cisco FirePower | Win64:Mal.26nn.in14.Talos | |
| Cisco FirePower | W32.TR:Trojan.27fh.1201 | |
| Cisco FirePower | Auto.4C7D0E.262139.in02 | |
| Cisco FirePower | W32.Auto:8199f30947.in03.Talos | |
| Cisco FirePower | Downloader:GenericKD-tpd | |
| Cisco FirePower | 1.55203.1 | MALWARE-OTHER Win.Trojan.SoreFang malicious executable download attempt |
| Cisco FirePower | 1.18682.15 | FILE-PDF transfer of a PDF with OpenAction object attempt |
| Cisco FirePower | Auto.DA72F2.271661.in02 | |
| Cisco FirePower | W32.C37C109171-95.SBX.TG | |
| Cisco FirePower | Auto.EBE231.262551.in02 | |
| Cisco FirePower | W32.620D2BF14F.in12.Talos | |
| Cisco FirePower | W32.773F010272-95.SBX.TG | |
| TrendMicro | 24932 | HTTP: Suspicious Javascript Obfuscation |
| TrendMicro | 3232 | HTTP: RFC 2397 Data URL Scheme Policy |
| TrendMicro | 13460 | HTTP: PDF Containing /Type/EmbeddedFile |
[1] Microsoft Threat Intelligence, "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files," Microsoft Security Blog, Oct. 29, 2024. Available: https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/. [Accessed: Nov. 01, 2024]
[2] Amazon Web Services, "Amazon identified internet domains abused by APT29," AWS Security Blog, Oct. 24, 2024. Available: https://aws.amazon.com/blogs/security/amazon-identified-internet-domains-abused-by-apt29/. [Accessed: Nov. 01, 2024]
[3] CERT-UA, cert.gov.ua. Available: https://cert.gov.ua/. [Accessed: Nov. 01, 2024]