Detailed threat description:
Beginning in late October 2024, spear-phishing emails were sent to thousands of targets at over 100 organizations. The Russian state-sponsored threat actor Midnight Blizzard sent emails carrying malicious Remote Desktop Protocol (.RDP) configuration files that, when opened, connect the victim's device to an attacker-controlled server and expose files and other local resources on that device, including mapped network drives.
When the victim opens the ".RDP" file, their device connects to an attacker-controlled RDP server. The settings in the file redirect local resources (files, directories, network drives, printers, the clipboard, COM ports, and smart cards) into that session, which lets the attacker read and write those resources and harvest credentials for further exploitation. The actor can also use this access to place malicious files in AutoStart folders and install remote access trojans (RATs) for persistent access.
This foreign threat actor is also tracked as APT29, Cozy Bear, NOBELIUM, and a dozen other names.
This campaign's victims include both government and non-government organizations, and CISA recommends following the proactive mitigation strategies listed in the recommendations section.
Impacts on healthcare organizations:
Patient safety and care delivery may be jeopardized without access to life-saving technology.
An attack that takes systems offline removes access to that technology and degrades the ability to care for patients effectively.
Recommendations
Engineering recommendations:
- Scrutinize and restrict outbound RDP connections
- Prohibit the transmission of RDP files through email clients and webmail services to prevent accidental execution of malicious RDP configurations
- Implement controls to block the execution of RDP files by users
- Enable multi-factor authentication wherever feasible to secure remote access
- Avoid using SMS-based MFA due to its vulnerability to SIM-swapping (SIM-jacking) attacks
- Deploy phishing-resistant authentication methods, such as FIDO tokens, to safeguard against attacks
- Utilize indicators of compromise (IoCs) and known tactics, techniques, and procedures (TTPs) collected in previous attacks to search for malicious activity within the network
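The threat description above explains that the .RDP file itself carries the settings that redirect the victim's drives, clipboard and smart cards to the attacker's server, and the recommendations call for scrutinizing and blocking such files before a user can open them. The script below is an added example for this advisory (not code from Fortified, CISA or Microsoft) that shows what a mail-gateway or triage check for those settings looks like. It assumes the standard .rdp layout of one "name:type:value" line per setting (type s = string, i = integer, b = binary), which is how Remote Desktop Connection stores its configuration; the two sample files are constructed for the demonstration, the host names in them are made up and are not indicators from the reports, and the allow/review/block policy and trusted-host list are this script's own assumptions, not a vendor standard.

```python
"""Triage a .rdp attachment for the settings that turn a connection into a
channel for reading local files and harvesting credentials.

Added example, not code from Fortified, CISA or Microsoft. Assumptions: the
.rdp format is one "name:type:value" setting per line; the sample files and
host names are constructed; the verdict policy is this script's own.
"""
from __future__ import annotations

import re

# Settings that redirect local resources into the remote session. Each entry
# maps the setting name to a predicate that is true when the redirection is on.
REDIRECTION_SETTINGS = {
    "drivestoredirect": lambda v: v != "",      # local drives ("*" = all of them)
    "devicestoredirect": lambda v: v != "",     # plug-and-play devices
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    "redirectposdevices": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",   # smart cards and Windows Hello
    "redirectwebauthn": lambda v: v == "1",     # FIDO security keys and passkeys
}

_SETTING_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


def parse_rdp(data: bytes | str) -> dict[str, str]:
    """Return {setting-name: value}. mstsc saves files as UTF-16LE with a BOM,
    so bytes are decoded by BOM when present and as UTF-8 otherwise."""
    if isinstance(data, bytes):
        if data.startswith((b"\xff\xfe", b"\xfe\xff")):
            text = data.decode("utf-16")
        else:
            text = data.decode("utf-8-sig")
    else:
        text = data
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        m = _SETTING_RE.match(raw.strip())
        if m:  # lines that do not fit the grammar are ignored, as mstsc does
            settings[m["name"].strip().lower()] = m["value"].strip()
    return settings


def triage(data: bytes | str, trusted_hosts: tuple[str, ...] = ()) -> dict:
    """Classify a .rdp file as allow / review / block and list the reasons."""
    s = parse_rdp(data)
    findings: list[str] = []

    # "full address" is "host" or "host:port"; bracketed IPv6 is not handled here.
    host = s.get("full address", "").lower()
    if host.count(":") == 1:
        host = host.split(":")[0]
    host_trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
    if not host:
        findings.append("no 'full address': target is chosen at connect time")
    elif not host_trusted:
        findings.append(f"connects to untrusted host {host}")

    redirections = [name for name, enabled in REDIRECTION_SETTINGS.items()
                    if name in s and enabled(s[name])]
    for name in redirections:
        findings.append(f"{name}={s[name]} exposes local resources to the remote host")

    if s.get("remoteapplicationmode") == "1":
        findings.append("remoteapplicationmode=1: session is shown as a single app, "
                        "not a full desktop, so the victim may not notice it")
    if s.get("authentication level") == "0":
        findings.append("authentication level=0: server identity is not verified")

    if redirections and not host_trusted:
        verdict = "block"   # an external host gets a path onto the local machine
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"host": host, "redirections": redirections,
            "findings": findings, "verdict": verdict}


# Constructed sample in the shape the threat description gives: every
# redirection on, RemoteApp mode to hide the session. Host name is made up.
MALICIOUS_RDP = b"\xff\xfe" + """full address:s:remote-access.example.net
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectposdevices:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
drivestoredirect:s:*
devicestoredirect:s:*
remoteapplicationmode:i:1
authentication level:i:0
prompt for credentials:i:1
""".encode("utf-16-le")

# Constructed sample of a legitimate internal connection with no redirection.
BENIGN_RDP = """full address:s:ts01.corp.example.com:3389
redirectclipboard:i:0
drivestoredirect:s:
authentication level:i:2
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_RDP), ("benign", BENIGN_RDP)):
        result = triage(sample, trusted_hosts=("corp.example.com",))
        print(f"{label}: {result['verdict']}")
        for line in result["findings"]:
            print("  -", line)
```

A gateway rule built on this would quarantine any attachment that parses as an .rdp file and scores "block", and route "review" files to the security team; since the campaign's files were sent as ordinary attachments, the simpler control in the recommendations (dropping .rdp attachments outright) removes the need for the parser entirely, but the parser is useful for hunting in mail stores and download folders after the fact.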
Leadership/ Program recommendations:
- Establish Conditional Access authentication strength policies in Microsoft Entra to enforce the use of phishing-resistant authentication methods
- Implement endpoint detection and response (EDR) solutions to continuously monitor and respond to suspicious activity within the network
- In addition to EDR, evaluate the deployment of anti-phishing and antivirus solutions to strengthen defenses against emerging threats
- Implement a robust user education program that highlights how to identify and report phishing emails and other suspicious activities
- Provide users with simple tips to avoid phishing
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Centre for Cybersecurity Belgium: https://atwork.safeonweb.be/recent-news-tips-and-warning/warning-government-themed-phishing-rdp-attachments
- CISA’s alert: https://www.cisa.gov/news-events/alerts/2024/10/31/foreign-threat-actor-conducting-large-scale-spear-phishing-campaign-rdp-attachments
- Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files