Microsoft has recently issued a warning about a large-scale spear-phishing campaign attributed to the notorious Russian state-sponsored threat actor known as Midnight Blizzard. This campaign has targeted thousands of users at more than 100 organizations in the government, defense, academia, NGO, and other sectors, likely with the goal of collecting intelligence.
Who is Midnight Blizzard?
Midnight Blizzard, also known as APT29, Cozy Bear, the Dukes, and Yttrium, is a well-known threat actor that has been targeting these types of organizations, primarily in the United States and Europe. The group is known for recent attacks targeting Microsoft systems, in which they managed to steal source code and spy on executive emails.
The Latest Campaign
According to Microsoft, the latest campaign has been targeting the United Kingdom and other European countries, as well as Australia and Japan. The attacks are ongoing, and the company has shared indicators of compromise (IoCs) to help organizations detect potential attacks.
One notable aspect of this campaign is the use of a signed RDP configuration file that connects to an attacker-controlled server. Once the target system is compromised, it connects to the actor-controlled server and exposes various resources, including local drives, clipboard contents, printers, and authentication features. This access could enable the threat actor to install malware or maintain persistent access even after the RDP session is closed.
Protecting Against Spear-Phishing Attacks
To protect against this and similar spear-phishing attacks, organizations should:
- Educate employees on the signs of spear-phishing emails, such as impersonation of legitimate entities and the presence of suspicious attachments or links.
- Implement robust email security measures, including spam filtering, attachment scanning, and domain-based message authentication.
- Keep software and systems up-to-date to address known vulnerabilities that could be exploited by the threat actors.
- Monitor network traffic and logs for any suspicious activity, such as unusual RDP connections or data exfiltration attempts.
- Regularly review and update incident response and disaster recovery plans to ensure they are prepared to handle such advanced persistent threats.
