Microsoft Warns of Russian Spear-Phishing Attacks Targeting Over 100 Organizations


Microsoft has issued a warning over a recent large-scale spear-phishing campaign that has been attributed to the notorious Russian state-sponsored threat actor tracked by the company as Midnight Blizzard.

According to the tech giant, the campaign has targeted thousands of users at more than 100 organizations in the government, defense, academia, NGO and other sectors, likely with the goal of collecting intelligence.  

Midnight Blizzard is also known as APT29, Cozy Bear, the Dukes, and Yttrium, and it has been known to target these types of organizations, mainly in the United States and Europe. 

The threat actor is also known for recent attacks targeting Microsoft systems, in which the hackers managed to steal source code and spy on executive emails.

The latest campaign, which Microsoft has been tracking for the past week, targeted the United Kingdom and other European countries, as well as Australia and Japan. The attacks are ongoing and the company has shared indicators of compromise (IoCs) to help organizations detect potential attacks. 

One new and noteworthy aspect of the campaign is that the spear-phishing emails sent out by the hackers, which sometimes impersonate Microsoft employees, contain a signed RDP configuration file that connects to an attacker-controlled server. 

The RDP configuration files contain automatic settings that cause features and resources of the local system to be extended to the attacker’s server, leading to the exposure of sensitive information. 

“Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server,” Microsoft explained. “Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards.” 


“This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed,” the tech giant added.
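The resource-redirection settings described above live in the `.rdp` file as plain `key:type:value` lines, so a defender can triage a suspicious attachment before anyone opens it. The following is an added example, not code from Microsoft or this article; the sample `.rdp` content and the server name are constructed, and the list of redirection keys reflects standard RDP file settings rather than any specific file from the campaign.

```python
# Added example: flag .rdp attachments that map local resources (drives, clipboard,
# printers, smart cards, audio) to the remote host. Sample content is constructed.
from typing import Callable, Dict, List, Tuple

# Standard RDP file keys that extend local resources to the remote server,
# paired with a predicate for the value that turns the redirection on.
RISKY_SETTINGS: Dict[str, Callable[[str], bool]] = {
    "drivestoredirect": lambda v: v.strip() != "",   # '*' maps every local drive
    "devicestoredirect": lambda v: v.strip() != "",  # connected peripherals
    "redirectclipboard": lambda v: v.strip() == "1",
    "redirectprinters": lambda v: v.strip() == "1",
    "redirectsmartcards": lambda v: v.strip() == "1",
    "redirectcomports": lambda v: v.strip() == "1",
    "audiocapturemode": lambda v: v.strip() == "1",  # microphone to remote host
}

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'key:type:value' lines into {key: (type, value)}; keys are case-insensitive."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, rest = line.partition(":")
        vtype, _, value = rest.partition(":")
        settings[key.strip().lower()] = (vtype.strip(), value)
    return settings

def assess_rdp(text: str) -> Dict[str, object]:
    """Summarise where the file connects, whether it carries a signature block,
    and which local resources it would hand to that host. A signature only means
    the file was signed by some certificate; it does not make the target trustworthy."""
    settings = parse_rdp(text)
    enabled: List[str] = [k for k, on in RISKY_SETTINGS.items()
                          if k in settings and on(settings[k][1])]
    return {
        "target": settings.get("full address", ("", ""))[1].strip(),
        "signed": "signature" in settings,
        "redirections": sorted(enabled),
    }

# Constructed sample resembling a redirect-everything configuration.
SAMPLE_RDP = """screen mode id:i:2
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
signscope:s:Full Address,Drive Store Direct,Redirect Clipboard
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

if __name__ == "__main__":
    print(assess_rdp(SAMPLE_RDP))
```

A file that connects to an unknown host and enables several of these redirections at once is the pattern to quarantine and alert on; the same parser can be run over mail-gateway attachments in bulk.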

AWS recently also published a blog post describing this campaign, after the cloud giant seized domains used by the threat actor to conduct attacks. Ukraine’s CERT-UA has also analyzed the campaign.  

Related: Google Catches Russian APT Reusing Exploits From Spyware Merchants NSO Group, Intellexa

Related: Russian Cyberspies Targeting Cloud Infrastructure via Dormant Accounts
