Microsoft is tracking a foreign threat actor, Midnight Blizzard (also known as APT29 and Cozy Bear), that is running a spear-phishing campaign against organizations in several sectors, including academia, government, defense, information technology, non-governmental organizations (NGOs), and other industries.
Midnight Blizzard is reportedly a Russian state-sponsored hacking group that conducts cyberattacks in support of Russia's Foreign Intelligence Service (SVR). The group is known to use a range of techniques in its espionage operations, including bespoke malware as well as publicly available tools such as Cobalt Strike and Mimikatz.
The current campaign, which began on October 22, 2024, has sent spear-phishing emails to individuals at more than 100 organizations worldwide. The emails impersonate trusted entities such as Amazon Web Services (AWS) and Microsoft and carry a signed Remote Desktop Protocol (RDP) configuration file as an attachment. When opened, the RDP file initiates a connection to a server controlled by Midnight Blizzard.
According to Microsoft, once that connection is established the threat actor gains access to local resources such as clipboard contents, logical hard disks, connected peripheral devices, printers, audio, and Windows authentication features and services, including smart cards. The threat actor can use the connection to deploy malware on the victim's mapped network shares and local drives, ensuring continued access even after the RDP session ends.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory about the group after receiving several reports of these spear-phishing attacks, and recommends the following mitigations:
1. Restrict outbound RDP connections.
2. Block RDP connections in communication tools such as email clients and webmail services.
3. Implement controls that prevent users from opening RDP files.
4. Deploy endpoint detection software.
5. Provide HIPAA security awareness training to employees.
6. Enable multifactor authentication (MFA) to add a layer of protection to remote access, preferably phishing-resistant MFA, because SMS-based MFA is vulnerable to SIM-jacking and phishing attacks.
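The mitigations that block RDP files and restrict outbound RDP can be supported by inspecting `.rdp` attachments at the mail gateway or on the endpoint before a user can open them. As an added example that is not from the article, Microsoft, or CISA, the Python script below parses the `key:type:value` lines of an `.rdp` file and flags the resource redirections described above (drives, clipboard, smart cards, printers, devices, audio capture) plus any destination host missing from an allow-list; the sample file, the host names, and the allow-list are constructed placeholders.

```python
# Added example (not from the article, Microsoft or CISA). The sample .rdp content
# below is constructed; real .rdp files are usually UTF-16LE, so decode them first.
SAMPLE_RDP = """\
full address:s:rdp.attacker-placeholder.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:1
devicestoredirect:s:*
audiocapturemode:i:0
signature:s:CONSTRUCTED-PLACEHOLDER
"""

# Setting name -> (expected type code, predicate on the value, what it exposes)
RISKY = {
    "drivestoredirect": ("s", lambda v: v != "", "local drives mapped into the session"),
    "devicestoredirect": ("s", lambda v: v != "", "plug-and-play devices redirected"),
    "redirectclipboard": ("i", lambda v: v == "1", "clipboard shared with the remote host"),
    "redirectsmartcards": ("i", lambda v: v == "1", "smart cards forwarded for authentication"),
    "redirectprinters": ("i", lambda v: v == "1", "printers redirected"),
    "redirectcomports": ("i", lambda v: v == "1", "COM ports redirected"),
    "audiocapturemode": ("i", lambda v: v == "1", "microphone captured"),
}

def parse_rdp(text):
    """Parse 'key:type:value' lines into {key: (type, value)}; keys are case-folded."""
    settings = {}
    for line in text.splitlines():
        if line.count(":") < 2:
            continue  # blank line or malformed entry
        key, typ, value = line.split(":", 2)
        settings[key.strip().lower()] = (typ.strip(), value.strip())
    return settings

def audit_rdp(text, allowed_hosts=()):
    """Return human-readable findings; an empty list means nothing was flagged."""
    settings = parse_rdp(text)
    findings = []
    host = settings.get("full address", ("s", ""))[1].split(":")[0].lower()
    if host and host not in {h.lower() for h in allowed_hosts}:
        findings.append(f"full address: connects to non-allow-listed host {host}")
    for key, (typ, is_risky, why) in RISKY.items():
        if key in settings and settings[key][0] == typ and is_risky(settings[key][1]):
            findings.append(f"{key}: {why}")
    if "signature" in settings:
        findings.append("signature: file is signed; the signer is still untrusted until verified")
    return findings

if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_RDP, allowed_hosts={"rdp.corp.example"}):
        print(finding)
```

A file that produces any finding is a candidate for quarantine rather than delivery; a signature alone says nothing about whether the signer should be trusted.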