Microsoft Threat Intelligence analysts have issued a warning about a sophisticated cyberattack orchestrated by the Russian group known as Cozy Bear or Midnight Blizzard. This malicious campaign is specifically aimed at over 100 organizations across vital industries. The Midnight Blizzard attackers employ meticulously designed emails to deceive users into opening a Remote Desktop Protocol (RDP) configuration file, which can result in significant security breaches.
In a detailed report, Microsoft identified Midnight Blizzard’s steady and relentless focus in its operational tactics, with its goals remaining largely consistent. The group employs different types of initial access techniques, such as spear-phishing, exploiting stolen credentials, supply chain intrusions, and breaching on-premises environments to facilitate lateral movement to cloud systems. They also exploit the trust relationships of service providers to infiltrate their clients. Notably, Midnight Blizzard utilizes malware targeting Active Directory Federation Services (AD FS), specifically known as FOGGYWEB and MAGICWEB. Security experts recognize this group by several names, including APT29, UNC2452, and Cozy Bear.
Microsoft highlighted the recent spear-phishing attack by Midnight Blizzard.
On October 22, 2024, Microsoft detected a spear-phishing initiative orchestrated by Midnight Blizzard, which involved sending deceptive emails to thousands of individuals across more than 100 organizations. These emails were highly tailored, employing social engineering tactics related to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. Included in the emails was a Remote Desktop Protocol (RDP) configuration file that was signed with a Let's Encrypt certificate. These RDP configuration files (.RDP) define the automatic settings and resource mappings that are activated when establishing a connection to an RDP server, effectively extending the resources of the local system to a remote server controlled by the attackers.
Top cybertech leaders shared their insights with our media team, highlighting the flaws and gaps in the current Security Operations framework across the globe. The panel of leaders includes:
- Balazs Greksza, Threat Response Lead at Ontinue
- Stephen Kowski, Field CTO at Pleasanton, Calif.-based SlashNext Email Security+
- Venky Raju, Field CTO at ColorTokens
- Patrick Harr, CEO at Pleasanton, Calif.-based SlashNext Email Security+
Here’s what the leaders said.
Focus on Securing Inbound and Outbound RDP Connections with Firewalls
Balazs Greksza, Threat Response Lead at Ontinue
Midnight Blizzard has a long history of using sophisticated spear phishing and watering-hole techniques to lure key personnel for intelligence collection. This time, the theme is Security/Device/AWS/Zero Trust configurations; however, this may change relatively rapidly.
Blocking the “.rdp” file extension on email gateways and limiting the ability of normal users to run any “.rdp” files will provide good countermeasures against this specific threat. Administrators can also take advantage of Group Policy Objects (GPO) by disabling Device and Resource Redirection in the Remote Desktop Services configuration.
Furthermore, network controls, through firewalls, can help to disable inbound and outbound RDP connections – which is a good security practice in general. We have seen the misuse of this in the past and this will provide sufficient protection against an attack, while monitoring where the controls intervened can help spot and educate users.
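As an added illustration of the point above, and of the earlier description of what an .rdp attachment actually configures, the following Python parses the plain-text `name:type:value` lines of an .rdp file and reports which local-resource redirections it would enable; this is example code for an email-gateway or SOC triage check, not from the article, Microsoft's report, or any of the quoted vendors. The sample file, the hostname and the signature value are constructed placeholders.

```python
# Settings that redirect local resources to the remote host when enabled.
# Each entry maps an .rdp setting name to a predicate over its string value.
REDIRECTION_SETTINGS = {
    "drivestoredirect": lambda v: v != "",      # local drives mapped into session
    "devicestoredirect": lambda v: v != "",     # plug-and-play devices
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
}

# Constructed sample attachment (not a real file from the campaign); the
# signature value is a placeholder where a real file carries a base64 blob.
SAMPLE_RDP = """\
full address:s:rdp-gateway.example.invalid:3389
redirectclipboard:i:1
drivestoredirect:s:*
redirectprinters:i:0
authentication level:i:0
signscope:s:Full Address,Drive Store Direct
signature:s:PLACEHOLDER_SIGNATURE
"""

def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}.

    The value may itself contain colons (e.g. host:port), so split at most
    twice. Blank and malformed lines are skipped rather than raising.
    """
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue
        name, type_, value = parts
        settings[name.strip().lower()] = (type_.strip(), value.strip())
    return settings

def assess_rdp(text):
    """Summarise what an .rdp file would do if a user double-clicked it."""
    settings = parse_rdp(text)
    enabled = [name for name, risky in REDIRECTION_SETTINGS.items()
               if name in settings and risky(settings[name][1])]
    return {
        "target": settings.get("full address", ("s", ""))[1],
        "signed": "signature" in settings,   # signed does not mean trustworthy
        "redirections": enabled,
        "verdict": "block" if enabled else "review",
    }

if __name__ == "__main__":
    print(assess_rdp(SAMPLE_RDP))
```

The "signed" flag is reported only so an analyst sees it; as the campaign shows, a valid signature on the file says nothing about who controls the target host.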
Enhancing Email Security: The Need for Advanced AI-Powered Detection in Organizations
Stephen Kowski, Field CTO at Pleasanton, Calif.-based SlashNext Email Security+
Security teams should implement real-time scanning of all email attachments and links, particularly focusing on RDP configuration files and other seemingly legitimate Microsoft-related content. Organizations must strengthen their email security with advanced AI-powered detection that can identify sophisticated impersonation attempts and social engineering tactics, especially those mimicking trusted entities like Microsoft employees.
These attacks will likely intensify as we approach Election Day, as threat actors often capitalize on heightened periods of public interest and institutional activity to maximize their success rates. The targeting of critical sectors and the sophisticated nature of these campaigns suggests a coordinated effort to gather intelligence and potentially disrupt key infrastructure.
Beyond traditional security measures, organizations need advanced phishing protection that can detect and block these spearphishing messages with malicious content in real-time, before users have a chance to interact with it. The sophistication of these attacks, particularly the use of signed RDP files, demonstrates the need for security solutions that can analyze attachments at a deep technical level while maintaining business productivity.
Urgent Advisory: Microsoft Recommends Using Host Firewall to Restrict Outbound RDP Access
Venky Raju, Field CTO at ColorTokens
This ingenious attack reinforces the need to maintain tight control over Microsoft’s remote desktop protocol. Sharing devices, folders, and the clipboard over an RDP session is handy for system administrators and users. But, as this attack illustrates, this powerful capability also gives attackers an easy way to access sensitive information or drop malicious code onto the user’s machine.
Microsoft’s advice on using the host firewall to restrict outbound RDP access is spot on and must be urgently heeded. This can be achieved using GPO policies or adopting a host-based micro-segmentation solution to restrict outbound RDP access.
Use Preventive Techniques to Thwart Phishing Attacks
Patrick Harr, CEO at Pleasanton, Calif.-based SlashNext Email Security+
This attack once again highlights that phishing continues to be the most dangerous threat to your organization. This is why companies must not only continuously train their users, but must also employ AI detection and phishing sandboxes for malicious links and files directly in their email, collaboration, and messaging apps. These new sophisticated attacks, many of them AI-generated, evade current secure email gateways (SEGs) and even Microsoft Defender for Office. The only way organizations can defend themselves is by using AI to prevent these attacks before successful breaches.
Conclusion
Microsoft’s observations indicate that the ongoing campaign by Midnight Blizzard is primarily aimed at agencies and institutions across various countries, notably the UK, Europe, Australia, and Japan. Microsoft Threat Intelligence recommends preventive measures that include strengthening operating environment configurations, endpoint security, and anti-virus configurations. In short, CISOs and SecOps teams must work on tighter frameworks. Midnight Blizzard’s spear-phishing attack underscores the critical need for organizations to bolster their email security measures against highly sophisticated, AI-based threats.