
Microsoft Warns of Russian Spear-Phishing Attacks Targeting Over 100 Organizations

Microsoft says a new spear-phishing campaign by Russia’s Midnight Blizzard uses RDP files, a new vector for this threat group.


Microsoft has issued a warning over a recent large-scale spear-phishing campaign that has been attributed to the notorious Russian state-sponsored threat actor tracked by the company as Midnight Blizzard.

According to the tech giant, the campaign has targeted thousands of users at more than 100 organizations in the government, defense, academia, NGO and other sectors, likely with the goal of collecting intelligence.  

Midnight Blizzard is also known as APT29, Cozy Bear, the Dukes, and Yttrium, and it has been known to target these types of organizations, mainly in the United States and Europe. 

The threat actor is also known for recent attacks targeting Microsoft systems, in which the hackers managed to steal source code and spy on executive emails.

The latest campaign, which Microsoft has been tracking for the past week, targeted the United Kingdom and other European countries, as well as Australia and Japan. The attacks are ongoing and the company has shared indicators of compromise (IoCs) to help organizations detect potential attacks. 

One new and noteworthy aspect of the campaign is that the spear-phishing emails sent out by the hackers, which sometimes impersonate Microsoft employees, contain a signed RDP configuration file that connects to an attacker-controlled server. 

The RDP configuration files contain automatic settings that cause features and resources of the local system to be extended to the attacker’s server, leading to the exposure of sensitive information. 

“Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server,” Microsoft explained. “Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards.” 


“This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed,” the tech giant added.
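The redirection described above is driven by ordinary settings in the .rdp file itself, which is what makes such attachments worth triaging before anyone opens them. The following helper is an added example, not code from Microsoft, SecurityWeek or the reporting cited here: it parses the standard `name:type:value` lines of an .rdp file, lists which local resources the file would hand to the remote host (drives, clipboard, printers, smart cards, COM ports, plug-and-play devices, microphone), records the `full address` it connects to, and notes whether the file carries the `signscope`/`signature` fields that rdpsign adds. The two sample files and the hostnames in them are constructed placeholders, not indicators from the campaign.

```python
"""Triage helper for .rdp files: flags settings that extend local resources
to the remote host. Added example, not from Microsoft or SecurityWeek."""
import re

# Standard Remote Desktop (.rdp) settings that redirect local resources.
# key -> (what is exposed, predicate deciding whether the value enables it)
REDIRECT_SETTINGS = {
    "drivestoredirect":   ("local drives",          lambda v: v != ""),
    "redirectclipboard":  ("clipboard",             lambda v: v == "1"),
    "redirectprinters":   ("printers",              lambda v: v == "1"),
    "redirectsmartcards": ("smart cards",           lambda v: v == "1"),
    "redirectcomports":   ("serial (COM) ports",    lambda v: v == "1"),
    "devicestoredirect":  ("plug-and-play devices", lambda v: v != ""),
    "audiocapturemode":   ("microphone capture",    lambda v: v == "1"),
}

# One setting per line: <name>:<s|i|b>:<value>; names may contain spaces.
LINE_RE = re.compile(r"^\s*([^:]+):([sib]):(.*)$")


def parse_rdp(text: str) -> dict:
    """Return {name: value} for every well-formed setting line (names lowercased)."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, _typ, value = m.groups()
            settings[name.strip().lower()] = value.strip()
    return settings


def assess_rdp(text: str) -> dict:
    """Summarise where the file connects and which local resources it hands over."""
    s = parse_rdp(text)
    exposed = [desc for key, (desc, enabled) in REDIRECT_SETTINGS.items()
               if key in s and enabled(s[key])]
    return {
        "full_address": s.get("full address", ""),
        # rdpsign-produced files carry 'signscope' and 'signature' fields.
        # A valid signature only shows the file was not altered after signing;
        # it says nothing about whether the endpoint is trustworthy.
        "signed": "signature" in s and "signscope" in s,
        "exposed": exposed,
        "risk": "high" if exposed else "low",
    }


# Constructed samples (not real IoCs). Hostnames and the signature are placeholders.
SUSPICIOUS_SAMPLE = """\
screen mode id:i:2
full address:s:rdp-gateway.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
audiocapturemode:i:1
signscope:s:Full Address,Drive Store Redirect
signature:s:PLACEHOLDER-BASE64-SIGNATURE
"""

BENIGN_SAMPLE = """\
screen mode id:i:2
full address:s:ts.corp.example.invalid
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
redirectsmartcards:i:0
audiocapturemode:i:0
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess_rdp(sample))
```

A mail gateway or EDR rule can apply the same logic: an .rdp attachment whose `full address` is outside the organisation and whose drive, clipboard or smart card redirection is enabled is exactly the combination Microsoft describes, and the presence of a signature should not lower that score.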

AWS recently also published a blog post describing this campaign, after the cloud giant seized domains used by the threat actor to conduct attacks. Ukraine’s CERT-UA has also analyzed the campaign.  

Related: Google Catches Russian APT Reusing Exploits From Spyware Merchants NSO Group, Intellexa

Related: Russian Cyberspies Targeting Cloud Infrastructure via Dormant Accounts

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
