Microsoft Threat Intelligence has discovered a new attack campaign by Russian hacker group Midnight Blizzard, targeted at thousands of users from over 100 organisations. The attack uses spear-phishing emails that contain RDP configuration files, allowing perpetrators to connect to and potentially compromise the targeted systems.
The malicious campaign targeted thousands of users from higher education, defence, non-governmental organisations, and government institutions. Dozens of nations have been impacted, mainly in the United Kingdom, Europe, Australia, and Japan, consistent with previous Midnight Blizzard phishing attacks.
In the most recent Midnight Blizzard assault campaign, victims received meticulously targeted emails including social engineering lures related to Microsoft, Amazon Web Services, and the concept of Zero Trust.
According to Microsoft Threat Intelligence, the emails were sent using email addresses from legitimate organisations obtained by the threat actor during earlier breaches. Every email included an RDP configuration file signed with a free LetsEncrypt certificate and included multiple sensitive parameters. When the user accessed the file, an RDP connection was established with an attacker-controlled system.
The threat actor could then use the established RDP connection to acquire information regarding the targeted device, such as files and folders, connected network drives, and peripherals such as printers, microphones, and smart cards.
It would also allow for the collection of clipboard data, web authentication via Windows Hello, passkeys and security keys, and even point-of-sale devices. Such a link may also enable the threat actor to install malware on the targeted device or mapped network share(s).
Outbound RDP connections were established to domains constructed to deceive the victim into thinking they were AWS domains. Amazon, which is collaborating with the Ukrainian CERT-UA to combat the threat, began grabbing affected domains immediately in order to stop operations. Meanwhile, Microsoft alerted all impacted customers who had been targeted or compromised.
