Threat actor group “Midnight Blizzard” has recently been observed targeting several industries and sectors in a new, highly sophisticated spear-phishing campaign whose lure is a signed Remote Desktop Protocol (RDP) configuration file. The operation targets individuals in government and non-governmental organizations across over 100 entities.
Midnight Blizzard, linked to Russia’s Foreign Intelligence Service (SVR), has a history of espionage activity dating back to 2018, focused primarily on intelligence collection. The group has used similar phishing campaigns before; only recently has it shifted tactics to increase compromise and data exfiltration. Opening the RDP attachment in the email establishes a connection from the victim’s machine to the threat actor’s system, which exposes sensitive information about the victim’s system, peripherals, files, and more to the attacker.
Recommendations
- Enhance email security by implementing strong email policies and blocking RDP attachments
- Implement multifactor authentication (MFA) and phishing-resistant authentication methods such as FIDO passkeys
- Customers using Microsoft Office 365 are encouraged to enable “Safe Links”, “Safe Attachments” and “Zero-hour auto purge”.
- Configure firewalls to restrict or block outbound RDP connections to external or public networks
- Configure alerts for suspicious RDP network activity and signature-based detection of malicious RDP files
- Implement strong Conditional Access authentication strength that requires phishing-resistant authentication for critical apps
- Implement strong Group Policy settings to restrict unauthorised resource redirection during RDP sessions. Additionally, prevent specific malicious extensions from running via Software Restriction Policy.
- Lastly, provide robust user training against social engineering campaigns.
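As an added example (not code from the advisory or from any vendor), a Python triage check for an .rdp attachment that reports where the file connects, which local resources it would redirect to the remote host, and whether it carries a signature; these are the settings the detection and Group Policy recommendations above aim at. The sample file and its signature blob are constructed placeholders, and the key list is a subset of the documented .rdp settings.

```python
# .rdp keys ("key:type:value" per line) that hand local resources to the remote
# host. None = any non-empty value enables it; a set = the values that enable it.
REDIRECTION_KEYS = {
    "drivestoredirect:s": None,      # "*" shares every local drive
    "devicestoredirect:s": None,
    "usbdevicestoredirect:s": None,
    "redirectclipboard:i": {"1"},
    "redirectprinters:i": {"1"},
    "redirectsmartcards:i": {"1"},
    "redirectcomports:i": {"1"},
}

# Constructed sample, not a real campaign artifact; the signature is a placeholder.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectcomports:i:0
signscope:s:Full Address,Remote Application Mode
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

def parse_rdp(text):
    """Parse .rdp lines into {"key:type": value}; keys are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value may itself contain ':'
        if len(parts) == 3:
            settings[f"{parts[0].lower()}:{parts[1].lower()}"] = parts[2].strip()
    return settings

def assess_rdp(text):
    """Report where the file connects, what it redirects, and whether it is signed."""
    s = parse_rdp(text)
    redirections = []
    for key, enabling in REDIRECTION_KEYS.items():
        value = s.get(key)
        if value is None:
            continue
        if (enabling is None and value) or (enabling is not None and value in enabling):
            redirections.append(f"{key}:{value}")
    return {
        "full_address": s.get("full address:s", ""),
        "remote_app": s.get("remoteapplicationmode:i") == "1",
        "signed": "signature:s" in s,        # signed != trustworthy: verify the signer
        "redirections": redirections,
        "alert": bool(redirections),         # block/alert when local resources are exposed
    }
```

A mail gateway or EDR rule can apply the same logic: an .rdp attachment that enables drive, clipboard or smart card redirection to an address outside the organisation is the pattern described above and should be quarantined rather than delivered.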