October 31, 2024
Severity
High
Analysis Summary
Microsoft issued a warning about a large-scale spear-phishing campaign by the Russia-affiliated APT29 (also known as Midnight Blizzard, SVR group, BlueBravo, Cozy Bear, Nobelium, and The Dukes), which aims to collect intelligence by targeting more than 1,000 people across 100+ organizations.
APT29, together with the APT28 cyber-espionage group, carried out the breach of the Democratic National Committee and the wave of attacks on the 2016 US presidential election. The group gained further notoriety in 2020 for the SolarWinds supply chain attack, which affected over 18,000 customer organizations, including Microsoft. The current campaign, which is still ongoing, has already targeted organizations in a range of sectors, including academia, government, defense, and non-governmental organizations. The victims are located in Japan, Australia, Europe, and the United Kingdom.
On October 22, 2024, Microsoft identified a spear-phishing campaign in which APT29 sent phishing emails to thousands of people at more than 100 organizations. The emails were highly targeted and used social engineering lures themed around Microsoft, Amazon Web Services (AWS), and the Zero Trust concept. Each email carried a Remote Desktop Protocol (RDP) configuration file signed with a Let's Encrypt certificate. RDP configuration (.rdp) files define the resource mappings and automatic settings that are applied when a connection to an RDP server is established. In this campaign, those settings mapped the local system's resources and capabilities to a remote server under the actor's control.
Microsoft researchers noted that the use of a signed RDP configuration file to reach targets' machines is a new addition to the TTPs linked to this threat actor. Because the RDP configuration file automatically extends local resources to the attacker's server, the connection exposes hard disks, clipboard contents, printers, and authentication capabilities such as smart cards to the threat actor's infrastructure. The phishing emails in this campaign were sent from email addresses belonging to real organizations that APT29 had obtained in earlier breaches.
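For defenders triaging attachments from this campaign, the .rdp file itself is the evidence: the resource-redirection directives described above and the host in `full address` tell you what a victim's machine would have exposed and to whom. The following Python script is an added example, not code from the original advisory or from Microsoft. It parses the `name:type:value` lines of an .rdp file, flags the redirection settings that would hand local drives, clipboard, printers or smart cards to the remote host, records whether the file carries `signscope`/`signature` fields, and checks the target host against the domain IOCs listed in this advisory. The directive names are standard .rdp settings; the two sample files, the internal hostname and the signature value are constructed for illustration.

```python
"""Defender-side triage of an .rdp attachment: which local resources would it
redirect to the remote host, is that host a listed IOC, and is the file signed?
Added example. Directive names are standard .rdp settings; samples are constructed."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Domains published as indicators of compromise in this advisory.
IOC_DOMAINS = {
    "ap-northeast-1-aws.s3-ua.cloud",
    "ca-central-1.gov-ua.cloud",
    "eu-central-1.mfa-gov.cloud",
    "eu-east-1-aws.amazonsolutions.cloud",
    "eu-north-1.ncfta.cloud",
    "eu-south-1-aws.s3-be.cloud",
    "eu-southeast-1-aws.gov-trust.cloud",
    "eu-west-1.mil-pl.cloud",
    "us-east-2-aws.ua-gov.cloud",
    "us-west-2-aws.ua-energy.cloud",
}

# Integer directives that, when set to 1, map a local resource to the remote
# server for the lifetime of the session.
REDIRECTION_SETTINGS = {
    "redirectdrives": "local drives",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "COM ports",
    "redirectposdevices": "point-of-sale devices",
}


@dataclass
class RdpTriage:
    target_host: Optional[str]  # host from 'full address', port stripped
    redirected: List[str]       # local resources the file would expose
    ioc_match: bool             # host is (a subdomain of) a listed IOC domain
    signed: bool                # file carries signscope and signature fields

    def risky(self) -> bool:
        return self.ioc_match or bool(self.redirected)


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}.
    Note: mstsc saves .rdp files as UTF-16 with a BOM; decode before calling."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts
        settings[name.strip().lower()] = (kind.strip(), value.strip())
    return settings


def host_from_address(address: str) -> str:
    """Strip a trailing :port from a hostname or IPv4 'full address' value."""
    return re.sub(r":\d+$", "", address.strip().lower())


def triage_rdp(text: str, ioc_domains=IOC_DOMAINS) -> RdpTriage:
    settings = parse_rdp(text)
    host = None
    if "full address" in settings:
        host = host_from_address(settings["full address"][1])

    redirected = [label for name, label in REDIRECTION_SETTINGS.items()
                  if settings.get(name, ("i", "0"))[1] == "1"]
    # 'drivestoredirect:s:*' also exposes drives, even without redirectdrives.
    if settings.get("drivestoredirect", ("s", ""))[1] and "local drives" not in redirected:
        redirected.append("local drives")

    ioc_match = host is not None and (
        host in ioc_domains or any(host.endswith("." + d) for d in ioc_domains)
    )
    signed = "signscope" in settings and "signature" in settings
    return RdpTriage(host, redirected, ioc_match, signed)


# Constructed sample resembling a lure attachment; the signature is a placeholder.
MALICIOUS_RDP = """\
full address:s:eu-central-1.mfa-gov.cloud:3389
redirectdrives:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
signscope:s:Full Address,Redirect Drives,Redirect Clipboard
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

# Constructed sample: an internal connection file with redirection disabled.
BENIGN_RDP = """\
full address:s:rds.corp.example
redirectdrives:i:0
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
redirectsmartcards:i:0
"""

if __name__ == "__main__":
    for label, sample in (("lure", MALICIOUS_RDP), ("internal", BENIGN_RDP)):
        t = triage_rdp(sample)
        print(f"{label}: host={t.target_host} ioc={t.ioc_match} signed={t.signed} "
              f"redirects={t.redirected} risky={t.risky()}")
```

The check treats any enabled redirection as risky regardless of the host, because the IOC list only covers infrastructure known at publication time; a file that redirects smart cards to an unlisted host deserves the same scrutiny. A signature only proves the file was not altered after signing, so `signed` is recorded for context, not as a trust signal.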
Impact
- Exposure of Sensitive Data
- Identity Theft
- Data Exfiltration
Indicators of Compromise
Domain Name
- ap-northeast-1-aws.s3-ua.cloud
- ca-central-1.gov-ua.cloud
- eu-central-1.mfa-gov.cloud
- eu-east-1-aws.amazonsolutions.cloud
- eu-north-1.ncfta.cloud
- eu-south-1-aws.s3-be.cloud
- eu-southeast-1-aws.gov-trust.cloud
- eu-west-1.mil-pl.cloud
- us-east-2-aws.ua-gov.cloud
- us-west-2-aws.ua-energy.cloud
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that APT29 may have exploited; prioritize known exploited vulnerabilities and zero-days.
- Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
- Treat emails from unknown senders with caution, and never trust or open links or attachments received from unknown sources.
- Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
- Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.