The Russian state hackers of Midnight Blizzard keep everyone busy. This time, Microsoft is warning of an aggressive phishing campaign believed to have been orchestrated by the same collective. It uses Remote Desktop Protocol (RDP) configuration files in emails sent to governments, educational institutions, NGOs, and defense entities in Europe.
The attack has reportedly been ongoing since October 22. It is a spear-phishing campaign in which intended victims receive a very convincing message containing details about their accounts, the company they work for, or personal information. Such details make the mail appear legitimate; this is classic social engineering.
Large-scale, targeted action
The emails from Midnight Blizzard contain an RDP file signed with a certificate from the certificate authority Let's Encrypt, to induce the target to open the file. Opening it connects the user's device to a server controlled by the attackers, who can then browse local system resources to their heart's content.
In its own blog post, Microsoft explains that by including malicious configurations in the RDP files, the attackers can gain access to files, clipboard content, drives, printers and even authentication tools such as smart cards, when present on the victim’s device.
Full access
Such bidirectional mapping means that the attacker can reach anything accessible from the local system. Installing malware is obviously possible, on both local disks and network shares, and remote access trojans (RATs) allow the connection to persist even after the RDP session is closed. Particularly precarious is that the RDP connection might expose the user's login credentials to the attackers.
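The resource redirection described above is configured by ordinary key:type:value lines in the .rdp file itself, so a mail gateway or analyst can inspect an attachment for the settings that hand local drives, clipboard, printers and smart cards to the remote host. The scanner below is an added example written for this article, not code from Microsoft or from the campaign; it uses the standard .rdp setting names, and the sample files, host names, allowlist and the `scan_rdp` function are constructed for illustration.

```python
"""
Added example (not from the article or from Microsoft): flag .rdp attachments
whose settings redirect local resources to the remote host, as the article
describes. Setting names are standard .rdp keys; sample files are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# An .rdp file line is  name:type:value  where type is s (string) or i (integer).
_LINE = re.compile(r"^\s*(?P<key>[^:]+):(?P<type>[si]):(?P<value>.*)$")

# Settings that expose local resources to the remote host.
# key -> (predicate on the raw value, human-readable description)
RISKY_SETTINGS = {
    "drivestoredirect":   (lambda v: v not in ("", "0"), "local drives shared with the remote host"),
    "redirectclipboard":  (lambda v: v == "1", "clipboard shared with the remote host"),
    "redirectprinters":   (lambda v: v == "1", "printers redirected"),
    "redirectsmartcards": (lambda v: v == "1", "smart cards usable by the remote host"),
    "redirectcomports":   (lambda v: v == "1", "COM ports redirected"),
    "devicestoredirect":  (lambda v: v not in ("", "0"), "plug-and-play devices redirected"),
}


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse .rdp text into {key: (type, value)}; keys are lower-cased, values stripped."""
    settings: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group("key").strip().lower()] = (m.group("type"), m.group("value").strip())
    return settings


def scan_rdp(text: str, allowed_hosts: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    settings = parse_rdp(text)
    findings: List[str] = []

    # 1. Where does the file connect to? Anything outside the corporate allowlist is a finding.
    host = settings.get("full address", ("s", ""))[1]
    if host and host.split(":")[0].lower() not in allowed_hosts:
        findings.append(f"connects to unapproved host {host}")

    # 2. Which local resources does the file hand to that host?
    for key, (is_risky, description) in RISKY_SETTINGS.items():
        if key in settings and is_risky(settings[key][1]):
            findings.append(f"{key}={settings[key][1]}: {description}")

    # 3. A signed file is not a safe file: the signature only proves who produced it.
    if findings and "signature" in settings:
        findings.append("file is signed; the signature does not mitigate the findings above")
    return findings


# Constructed samples, not real artifacts from the campaign.
ALLOWED_HOSTS = {"rdp.corp.example"}          # hypothetical corporate RDP gateway

BENIGN_RDP = """\
full address:s:rdp.corp.example
redirectclipboard:i:0
redirectprinters:i:0
drivestoredirect:s:
redirectsmartcards:i:0
"""

SUSPICIOUS_RDP = """\
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
devicestoredirect:s:*
signscope:s:Full Address,Drives to redirect
signature:s:CONSTRUCTED_PLACEHOLDER
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RDP), ("suspicious", SUSPICIOUS_RDP)):
        print(f"{name}: {scan_rdp(sample, ALLOWED_HOSTS) or 'no findings'}")
```

Run against a quarantined attachment, the benign sample yields no findings, while the suspicious one is flagged for its unapproved host and for every redirected resource class, which is the kind of signal worth surfacing before a user double-clicks the file.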
The name spear-phishing suggests that only a few individuals are targeted (as opposed to ‘regular’ phishing, which usually casts a large net, entangling whoever gets caught). But that is not necessarily so. One spear-phishing campaign can affect dozens, hundreds or, as in this case, thousands of individuals. The scope does tend to be smaller than regular phishing, which can reach many more individuals with the same message.
Digital spy unit
Midnight Blizzard, also known as APT29 or Cozy Bear, is more a semi-formal spy unit than a hacker collective. The group has been active at least since 2018 and often targets Western government agencies and NGOs to steal sensitive data. For example, the group managed to gain access to both Microsoft and the U.S. government.
The disinformation campaign targeting Ukrainian recruits we wrote about yesterday is also believed to originate from Midnight Blizzard. That action did involve a ‘widely cast net’ instead of these hackers’ usually more targeted actions.
Also read: AWS and Alphabet entities in action against Russian malware campaign