The Russian intelligence-linked threat group “Midnight Blizzard” has recently launched a large-scale cyberattack that has drawn significant attention from the cybersecurity community because of its broad scope and the novel tactics used. Microsoft reported this week that since October 22, the group has sent thousands of spear-phishing emails targeting individuals across more than 100 organizations worldwide.
In addition to the wide-ranging scope, the attack has caught attention because Midnight Blizzard used digitally signed Remote Desktop Protocol (RDP) configuration files. When victims open the attached RDP files, they connect to servers controlled by the threat actors, allowing attackers to steal user credentials and detailed system information, paving the way for further exploitation.
Microsoft noted that the spear-phishing emails used social engineering lures related to Microsoft, Amazon Web Services (AWS), and the Zero Trust concept, making them highly targeted. The attack has affected government agencies, higher education institutions, defense entities, and non-governmental organizations in dozens of countries, particularly in the UK, Europe, Australia, and Japan.
Midnight Blizzard has a long history of attacks, with past victims including SolarWinds, Microsoft, HPE, multiple U.S. federal agencies, and global diplomatic entities. Their common tactics include spear-phishing, credential theft, and supply chain attacks, often exploiting vulnerabilities in widely used networking and collaboration technologies such as Fortinet, Pulse Secure, Citrix, and Zimbra.
Experts note that the signed RDP files appear to come from legitimate sources and can bypass traditional security controls, posing a significant threat. Organizations are advised to immediately scan all email attachments, particularly RDP files and other Microsoft-related content that may appear legitimate.
Microsoft has released a list of threat indicators for Midnight Blizzard’s new activities and advised security teams to review email security settings, antivirus, and anti-phishing measures. It is also recommended to enable Safe Links and Safe Attachments in Office 365 and implement email isolation measures where necessary.
Experts urge organizations to tightly control the use of Microsoft Remote Desktop, as signed RDP configuration files may bypass email security systems’ detection and alerts. In response to such attacks, businesses should enhance endpoint security configurations, implement multi-factor authentication, and use firewalls to block suspicious RDP connections to reduce potential risks.
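As an added example, not code from the article or from Microsoft, the following Python checks an .rdp attachment along the lines of the scanning and connection-control advice above: it parses the file's key:type:value lines, flags a destination outside an assumed allowlist of approved gateways, and flags settings that redirect local drives, clipboard or smart cards to the remote host. The allowlist, the sample file and its hostname are constructed.

```python
"""Scan an .rdp attachment for risky settings before a user opens it.

Added example, not the article's or Microsoft's tooling. An .rdp file is plain
text, one "key:type:value" per line, where type is 's' (string) or 'i' (int).
"""
from dataclasses import dataclass, field

# Assumed organisation allowlist: the only hosts users may connect to via .rdp files.
APPROVED_RDP_HOSTS = {"rdgw.corp.example", "rds.corp.example"}

# Standard .rdp settings that hand local resources to the remote server. Enabled
# towards an attacker-controlled host, they expose local files and credentials.
REDIRECT_KEYS = {"redirectdrives", "redirectclipboard", "redirectsmartcards",
                 "redirectprinters", "redirectcomports", "drivestoredirect"}

@dataclass
class RdpVerdict:
    host: str
    signed: bool            # a signature proves integrity, not a trustworthy destination
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)

def parse_rdp(text: str) -> dict:
    """Return {key: (type, value)} for every well-formed key:type:value line."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) == 3:
            key, typ, value = parts
            settings[key.strip().lower()] = (typ.strip(), value.strip())
    return settings

def scan_rdp(text: str) -> RdpVerdict:
    s = parse_rdp(text)
    # "full address" is host or host:port (IPv6 literals not handled here).
    host = s.get("full address", ("s", ""))[1].split(":")[0].lower()
    verdict = RdpVerdict(host=host, signed="signature" in s or "signscope" in s)
    if host and host not in APPROVED_RDP_HOSTS:
        verdict.findings.append(f"connects to non-approved host {host}")
    for key in sorted(set(s) & REDIRECT_KEYS):
        typ, val = s[key]
        if (typ == "i" and val == "1") or (typ == "s" and val):  # e.g. drivestoredirect:s:*
            verdict.findings.append(f"{key} enabled")
    return verdict

# Constructed sample resembling a signed lure file; the host and signature are placeholders.
SAMPLE_LURE = """screen mode id:i:2
full address:s:rdp-update.example.net:3389
redirectdrives:i:1
redirectclipboard:i:1
drivestoredirect:s:*
signscope:s:Full Address,Alternate Full Address
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""
SAMPLE_BENIGN = "full address:s:rdgw.corp.example\nredirectdrives:i:0\n"
```

Run it over every .rdp attachment at the mail gateway; a signed file that still points outside the allowlist or enables redirection is exactly the case the advice above asks security teams to catch.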
This article is reprinted from informationsecurity