The Computer Emergency Response Team of Ukraine (CERT-UA) and Microsoft have issued alerts concerning an advanced spear-phishing campaign conducted by the threat actor Midnight Blizzard. The campaign targets public authorities, critical industries, and military organizations with emails themed around “integration with Amazon and Microsoft services” and “Zero Trust Architecture (ZTA).” The emails carry malicious RDP (Remote Desktop Protocol) configuration files that, when opened, make the victim's machine initiate an outbound RDP connection to attacker-controlled infrastructure.
Attack Methodology:
The attackers embed .rdp configuration files in their emails; when a recipient opens one, the Remote Desktop client on the victim's machine establishes an outbound connection to the attackers' server. Key elements of this approach include:
- Local Resource Access: The files enable redirection of local resources such as disks, network shares, printers, COM ports, audio devices, and the clipboard into the session, giving the attacker-controlled server access to them.
- Potential Code Execution: CERT-UA reports that these files could allow the installation of third-party scripts or programs on the victim’s machine, enabling further malware deployment.
- Impersonation of AWS Domains: Attackers use look-alike domains that mimic legitimate AWS infrastructure, such as awsplatform.online and us-west-1.aws-ukraine.cloud, to evade detection. This strategy aims to exploit trust in widely recognized cloud service providers.
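To make the mechanics above concrete, here is an added example (not code from CERT-UA, Microsoft or the original article) that parses an .rdp file and flags the combination the advisory describes: an external target host together with local resource redirection. The same content check is what a mail gateway would apply to .rdp attachments instead of relying on the file extension alone. The two sample files, the approved-host suffix .corp.example, the internal address ranges and the verdict names are constructed for illustration; the target host in the malicious sample is one of the look-alike domains listed in the advisory.

```python
"""Triage an .rdp attachment: where does it connect, and what does it hand over?

Added example; the sample files, the approved-host suffix, the internal ranges
and the verdict names are constructed for illustration, not from the advisory.
"""
import ipaddress
from dataclasses import dataclass, field

# Settings that redirect local resources into the session (the resources
# CERT-UA lists: disks, network resources, printers, COM ports, audio, clipboard).
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug-and-play devices",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectsmartcards": "smart cards",
    "audiocapturemode": "microphone",
}

# Constructed assumptions: names and ranges the organisation itself runs RDP on.
APPROVED_RDP_SUFFIXES = (".corp.example",)
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Triage:
    host: str
    port: int
    external: bool
    redirected: list = field(default_factory=list)
    verdict: str = "allow"


def parse_rdp(text: str) -> dict:
    """Parse 'key:type:value' lines; type is s (string), i (integer) or b (binary)."""
    settings = {}
    for raw in text.splitlines():
        key, _, rest = raw.strip().partition(":")
        typ, _, value = rest.partition(":")
        if key and typ in ("s", "i", "b"):
            settings[key.lower()] = (typ, value.strip())
    return settings


def split_host_port(address: str):
    """'host:port', '[v6]:port' or a bare host; RDP defaults to port 3389."""
    if address.startswith("["):
        host, _, port = address[1:].partition("]")
        port = port.lstrip(":")
    elif address.count(":") == 1:
        host, _, port = address.partition(":")
    else:
        host, port = address, ""
    return host, (int(port) if port.isdigit() else 3389)


def is_external(host: str) -> bool:
    """External unless it is an internal address or an approved internal name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return not host.lower().endswith(APPROVED_RDP_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def triage(text: str) -> Triage:
    s = parse_rdp(text)
    address = (s.get("full address", ("s", ""))[1]
               or s.get("alternate full address", ("s", ""))[1])
    host, port = split_host_port(address)
    result = Triage(host=host, port=port, external=is_external(host))
    # A redirection key is "on" when its value is neither empty nor 0
    # (e.g. drivestoredirect:s:* shares every drive, redirectclipboard:i:1).
    result.redirected = [label for key, label in REDIRECTION_KEYS.items()
                         if key in s and s[key][1] not in ("", "0")]
    if result.external and result.redirected:
        result.verdict = "block"   # outbound session that exposes local resources
    elif result.external:
        result.verdict = "review"
    return result


# Constructed sample attachments (not the real campaign files).
MALICIOUS_RDP = """\
full address:s:us-west-1.aws-ukraine.cloud:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
prompt for credentials:i:0
"""
BENIGN_RDP = """\
full address:s:rds01.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_RDP), ("benign", BENIGN_RDP)):
        t = triage(text)
        print(f"{name}: {t.verdict} -> {t.host}:{t.port} "
              f"external={t.external} redirected={t.redirected}")
```

A gateway would run triage() on every attachment whose extension or content looks like an .rdp file and quarantine on "block"; the "review" verdict exists because an external target without redirection is still worth a human look but is also what a legitimate third-party RDP host looks like.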
Cyber Threat Indicators (IOCs):
CERT-UA, which tracks this activity under the identifier UAC-0215, provides the following indicators for identifying the campaign:
File Hashes:
Each entry pairs an MD5 hash (32 hex characters) with a SHA-256 hash (64 hex characters) for the named .rdp file; the original list labelled both as SHA-256.
- Zero Trust Architecture: a5de73d69c1a7fbae2e71b98d48fe9b5 (MD5), 34c88cd591f73bc47a1a0fe2a4f594f628be98ad2366eeb4e467595115d8505a (SHA-256)
- ZTSilice Device: 8bcb741a204c25232a11a7084aa221f (MD5, one hex digit short as reproduced here), 071276e907f185d9e341d549b198e60741e2c7f8d64dd2ca2c5d88d50b2c6ffc (SHA-256)
- Additional hashes cover files with names like AWS IAM Compliance Check, Device Security Request, and Zero Trust Security Environment.
Network Domains:
The following AWS look-alike and other impersonation domains are part of the attacker infrastructure:
- Cloud-region-style hostnames: central-1.awsplatform.online, ca-west-1.mfa-gov.cloud, eu-central-1.mfa-gov.cloud, us-west-1.amazona.ua-energy.cloud, us-east-console.awsplatform.online
- AWS & Zero Trust-related domains: aws-meetings.cloud, aws-data.cloud, zero-trust.solutions
- Government-themed domains to mislead users: gov-au.cloud, gov-ua.cloud, gov-fi.cloud, govtr.cloud
IP Addresses:
A selection of IPs linked to Midnight Blizzard’s infrastructure includes:
- Email servers: 37.153.155.143, 45.42.142.49, 199.204.86.87, 104.247.120.157
- Attack servers: 38.180.110.238, 185.76.79.178, 95.156.207.121, 23.160.56.100
Key Vulnerabilities and Risks:
- Email Security Gaps: .rdp files are small text files rather than executables, so they often pass email security filters, which makes them an effective way to reach users without detection.
- RDP's Trusted Status: As a legitimate remote-work tool, RDP's widespread use helps these attacks blend into everyday operations; because the connection is initiated by the victim's own client, it looks like ordinary remote access.
- Domain Impersonation: The use of AWS look-alike domains highlights the need for domain vigilance to detect fuzzy, misleading domains designed to exploit trust.
Mitigation Recommendations:
- Filter .rdp Attachments at Email Gateways: Configure filters to detect and block .rdp files, especially those from unfamiliar sources.
- User Awareness Training: Educate users on recognizing suspicious domains and the risks of opening unexpected RDP files.
- Restrict RDP Execution and Outbound Connections: Limit RDP use to essential personnel and block outbound connections to unapproved external IPs.
- Network Policy Enhancements: Use Group Policy to prevent redirection of local resources over RDP and to limit external RDP connections; disabling the Remote Desktop Connection Client policy "Allow .rdp files from unknown publishers" stops the client from opening unsigned .rdp files.
- Continuous Network Monitoring: Review logs for unusual RDP activity, especially outbound connections on TCP port 3389 from workstations, and track interactions with the IPs and domains listed above.
- Enable Multi-Factor Authentication (MFA): Enforce MFA for RDP access to your own hosts. This does not stop a victim from connecting outward to an attacker's server, but it limits what an attacker can do with credentials compromised through such a session.
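As an added example (not from CERT-UA, Microsoft or the article), the following script applies the indicators listed earlier on this page to constructed log events: it matches DNS queries against the listed domains (including subdomains of them, so us-east-console.awsplatform.online matches awsplatform.online), matches firewall and mail-relay events against the listed IP addresses, and flags outbound TCP 3389 connections to any destination that is neither internal nor on an approved list, which is the monitoring rule the recommendations above describe. The log format, workstation names, internal ranges and the approved destination 203.0.113.10 are assumptions made for this example.

```python
"""Match the CERT-UA indicators against log events and flag unapproved outbound RDP.

Added example; the log format, workstation names, internal ranges and the
approved destination are constructed and are not from the advisory.
"""
import ipaddress
import re

# Indicators copied from the CERT-UA list reproduced above.
IOC_DOMAINS = {
    "awsplatform.online", "us-west-1.aws-ukraine.cloud",
    "ca-west-1.mfa-gov.cloud", "eu-central-1.mfa-gov.cloud",
    "us-west-1.amazona.ua-energy.cloud", "aws-meetings.cloud", "aws-data.cloud",
    "zero-trust.solutions", "gov-au.cloud", "gov-ua.cloud", "gov-fi.cloud", "govtr.cloud",
}
IOC_IPS = {
    "37.153.155.143", "45.42.142.49", "199.204.86.87", "104.247.120.157",   # email servers
    "38.180.110.238", "185.76.79.178", "95.156.207.121", "23.160.56.100",  # attack servers
}

# Constructed assumptions about the environment being monitored.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_RDP_DESTINATIONS = [ipaddress.ip_network("203.0.113.10/32")]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """'<timestamp> <SOURCE> k=v k=v ...' -> (timestamp, source, {k: v})."""
    ts, source, rest = line.split(" ", 2)
    return ts, source, dict(KV.findall(rest))


def domain_is_ioc(name: str) -> bool:
    """Exact match or subdomain of a listed domain; never a substring match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def rdp_target_unapproved(dst: str) -> bool:
    """True for RDP to anything that is neither an internal range nor approved."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in INTERNAL_NETWORKS + APPROVED_RDP_DESTINATIONS)


def scan(lines):
    """Return (timestamp, actor, alert_type, indicator) tuples in log order."""
    alerts = []
    for line in lines:
        ts, source, f = parse_line(line)
        if source == "MAIL" and f.get("client_ip") in IOC_IPS:
            alerts.append((ts, f.get("rcpt"), "ioc_mail_server", f["client_ip"]))
        elif source == "DNS" and domain_is_ioc(f.get("qname", "")):
            alerts.append((ts, f.get("host"), "ioc_domain", f["qname"]))
        elif source == "FW":
            dst = f.get("dst", "")
            if dst in IOC_IPS:
                alerts.append((ts, f.get("src"), "ioc_ip", dst))
            elif (dst and f.get("proto") == "tcp" and f.get("dport") == "3389"
                  and rdp_target_unapproved(dst)):
                alerts.append((ts, f.get("src"), "unapproved_outbound_rdp", dst))
    return alerts


# Constructed log events from a mail relay, a DNS resolver and an egress firewall.
LOG_LINES = [
    "2024-10-22T09:58:11Z MAIL client_ip=37.153.155.143 rcpt=user@example.gov.ua attachment=setup.rdp",
    "2024-10-22T10:15:03Z DNS host=WS-0417 qname=us-east-console.awsplatform.online",
    "2024-10-22T10:15:05Z FW src=10.20.30.41 dst=38.180.110.238 proto=tcp dport=3389 action=allow",
    "2024-10-22T10:16:40Z FW src=10.20.30.42 dst=198.51.100.7 proto=tcp dport=3389 action=allow",
    "2024-10-22T10:17:02Z FW src=10.20.30.43 dst=203.0.113.10 proto=tcp dport=3389 action=allow",
    "2024-10-22T10:18:30Z DNS host=WS-0418 qname=console.aws.amazon.com",
    "2024-10-22T10:19:12Z FW src=10.20.30.44 dst=10.0.0.5 proto=tcp dport=3389 action=allow",
]

if __name__ == "__main__":
    for ts, actor, kind, indicator in scan(LOG_LINES):
        print(f"{ts} {kind:<24} {actor} -> {indicator}")
```

The fourth sample event shows why the port-3389 rule matters beyond the published list: 198.51.100.7 is on no indicator list, yet an allowed outbound RDP session from a workstation to an unknown external host is exactly what opening one of these attachments produces, so the rule catches infrastructure the advisory did not enumerate.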
Conclusion:
Midnight Blizzard’s campaign demonstrates the increased sophistication of phishing tactics, leveraging trusted protocols and familiar domains. Organizations should incorporate these specific indicators into their defenses, apply robust filtering, and educate staff on recognizing impersonation tactics to mitigate the risk of this evolving threat.