APT29 Spearphishing Campaign Targets Thousands with RDP Files


Microsoft has warned of an ongoing infostealing campaign from notorious Russian APT group Midnight Blizzard (aka APT29, CozyBear) in which thousands of targets were sent spear phishing emails.

Over 100 organizations in government, academia, defense, non-governmental organizations (NGOs) and other sectors have been impacted so far by this state-backed intelligence-gathering exercise, Redmond claimed in a blog post yesterday.

Unusually, the emails themselves – which impersonate Microsoft employees and other cloud providers – contain a signed RDP configuration file which connects to a threat actor server.

“In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server,” Microsoft explained.

“Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed.”


By establishing an RDP connection to the actor-controlled server, victims may also expose their own credentials, the report warned.
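As an added triage example (not code from Microsoft's post or this article): a small Python parser that reads an .rdp attachment and flags the local-resource redirection settings described above, so a mail gateway or analyst can spot such files before a user opens them. The sample file content and host name are constructed; which keys count as risky is this example's own judgement.

```python
"""Triage an .rdp file for settings that map local resources to the remote host."""
import re

# Standard mstsc .rdp keys that hand local resources to the remote server.
# The choice of which ones to treat as risky is this example's assumption.
RISKY = {
    "drivestoredirect:s": lambda v: v.strip() != "",   # local disks
    "devicestoredirect:s": lambda v: v.strip() != "",  # PnP devices
    "redirectclipboard:i": lambda v: v == "1",
    "redirectprinters:i": lambda v: v == "1",
    "redirectsmartcards:i": lambda v: v == "1",        # smart-card auth
    "redirectcomports:i": lambda v: v == "1",
    "audiocapturemode:i": lambda v: v == "1",          # microphone
}


def parse_rdp(data: bytes) -> dict:
    """Return {key: value} from 'name:type:value' lines (UTF-16 or UTF-8)."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", "replace")
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+:[isb]):(.*)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def triage(data: bytes) -> dict:
    """Summarise where the file connects and which redirections it enables."""
    s = parse_rdp(data)
    hits = [k for k, is_bad in RISKY.items() if k in s and is_bad(s[k])]
    return {
        "target": s.get("full address:s", ""),
        "signed": "signature:s" in s,   # signed files still redirect resources
        "redirections": hits,
        "suspicious": bool(hits),
    }


# Constructed sample resembling the attachment described in the article.
SAMPLE = b"""full address:s:rdp.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
signscope:s:Full Address,Drive Store Direct
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A signature only proves the file was signed by some certificate; it says nothing about whether the redirections are safe, which is why the check looks at the settings themselves.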

Although targets have been discovered in dozens of countries, those in the UK, Europe, Australia and Japan are particularly at risk, Microsoft said. There is also an overlap of tactics seen and reported by Amazon and the Ukrainian CERT under the UAC-0215 designation.

Microsoft outlined a lengthy list of mitigations focused on strengthening:

  • Operating environment configurations
  • Endpoint security configurations
  • Antivirus configurations
  • Microsoft Office 365 configurations
  • Email security configurations
  • User education
