2024-11-07

Microsoft Adds Intelligence on Midnight Blizzard’s RDP-Based Attacks Amid Ongoing Phishing Wave

Level: Tactical | Source: Amazon, CERT-UA & Microsoft

Sectors: Defense, Government, Education, Non-government organizations (NGOs), Technology


Building on previously reported intelligence regarding the Russian threat actor Midnight Blizzard (aka APT29, Cozy Bear, NOBELIUM, UNC2452) and its recent use of phishing emails carrying RDP files, the Microsoft Threat Intelligence team reports observing related activity since October 22, 2024. Midnight Blizzard has targeted government, academic, defense, and non-governmental sectors across various countries, including the United Kingdom, Europe, Australia, and Japan. Microsoft describes the spear-phishing emails in this campaign as "highly targeted," using lures that reference Amazon, Microsoft services, and Zero Trust Architecture. "The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server," according to Microsoft. Microsoft assesses that the "goal of this operation is likely intelligence collection," aimed at gathering sensitive information from the targeted organizations. The emails, sent from previously compromised legitimate email addresses, contain RDP files signed with Let's Encrypt certificates; opening the file establishes a connection between the victim's device and a Midnight Blizzard-controlled server. CERT-UA noted that the infrastructure supporting this campaign had been in preparation since August 2024, underscoring the operation's advanced planning.

When a victim opens the malicious .RDP file, the resulting RDP session gives Midnight Blizzard access to the target's device through the actor-controlled server. As identified by Microsoft, the file's resource-redirection settings expose local resources to that server, including logical hard drives, network-connected printers, and even point-of-sale devices, while clipboard contents and other data are also captured. Beyond the remote session itself, this setup lets the actor plant additional malware, including remote access trojans (RATs), in AutoStart folders on local drives or network shares, preserving access after the RDP session ends. CERT-UA and Amazon further reported that the attackers aimed to harvest Windows credentials through RDP's resource redirection features, which could facilitate unauthorized access to sensitive internal systems and data.

This campaign is among Midnight Blizzard's largest phishing operations to date, with thousands of targets and extensive geographic reach. In response, Microsoft, CERT-UA, and Amazon have shared indicators of compromise (IOCs) and recommended several mitigation measures, including blocking .RDP file attachments at email gateways, restricting RDP resource redirection through Group Policy, and implementing firewall rules to limit outbound RDP connections to external networks. CERT-UA and Amazon additionally noted that deceptive domains mimicking AWS were used to lend credibility to the campaign; Amazon has since seized those domains, disrupting part of Midnight Blizzard's infrastructure.
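The two preceding paragraphs describe the redirection settings the actor relies on (drives, printers, POS devices, clipboard) and recommend blocking .RDP attachments at the gateway. As an added example that is not code from Microsoft, CERT-UA, Amazon or this brief's author, the Python triage helper below parses an .RDP file the way a mail-gateway or SOC script would and flags the redirection settings that hand local resources to the remote host, along with the `full address` target and whether the file carries a signature block. The setting names are the documented mstsc file keys; the two sample files are constructed for this example and the signature value is a placeholder.

```python
"""Triage an .RDP attachment for resource-redirection settings (added example)."""
import re
from dataclasses import dataclass, field

# Documented .RDP file keys that expose local resources to the remote host.
# Type "i" settings are enabled when non-zero; type "s" settings when non-empty.
RISKY_SETTINGS = {
    "drivestoredirect": ("s", "drive redirection (local disks, network shares)"),
    "redirectclipboard": ("i", "clipboard redirection"),
    "redirectprinters": ("i", "printer redirection"),
    "redirectposdevices": ("i", "point-of-sale device redirection"),
    "redirectsmartcards": ("i", "smart card redirection"),
    "redirectcomports": ("i", "COM port redirection"),
    "devicestoredirect": ("s", "plug-and-play device redirection"),
    "usbdevicestoredirect": ("s", "USB device redirection"),
}

# Each line of an .RDP file is "name:type:value"; names may contain spaces.
LINE_RE = re.compile(r"^([^:]+):([is]):(.*)$")


def decode_rdp(data: bytes) -> str:
    """mstsc writes .RDP files as UTF-16 with a BOM; hand-built ones are often ASCII."""
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_rdp(data: bytes) -> dict:
    """Return {lowercased name: (type, value)} for every well-formed setting line."""
    settings = {}
    for raw in decode_rdp(data).splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            name, typ, value = match.groups()
            settings[name.lower()] = (typ, value)
    return settings


@dataclass
class Finding:
    host: str                       # value of "full address", e.g. host:port
    signed: bool                    # file carries a "signature" block
    redirections: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.redirections)


def triage(data: bytes) -> Finding:
    """Flag every redirection setting that is switched on in the file."""
    settings = parse_rdp(data)
    host = settings.get("full address", ("s", ""))[1]
    signed = "signature" in settings
    enabled = []
    for key, (typ, description) in RISKY_SETTINGS.items():
        if key not in settings:
            continue
        value = settings[key][1].strip()
        if (typ == "s" and value != "") or (typ == "i" and value != "0"):
            enabled.append(description)
    return Finding(host, signed, enabled)


# Constructed sample resembling the campaign's files: everything redirected, signed.
SAMPLE_MALICIOUS = b"""full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectposdevices:i:1
redirectsmartcards:i:0
remoteapplicationmode:i:0
signscope:s:Full Address,Drivestoredirect,Redirectclipboard
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

# Constructed benign sample: internal host, all redirection off, saved by mstsc (UTF-16 + BOM).
SAMPLE_BENIGN = """full address:s:vpn-gateway.corp.example
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
""".encode("utf-16")

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        f = triage(sample)
        print(f"{label}: host={f.host!r} signed={f.signed} redirections={f.redirections}")
```

A gateway rule built on this would quarantine any .RDP attachment whose `risky` flag is set or whose `host` is not an approved internal gateway; the allowlist comparison is left to the caller because it is site-specific. The same checks map directly onto the Group Policy mitigation: the client-side policies that disable drive, clipboard and printer redirection neutralise exactly the settings this script flags.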
