Keypoints
- Midnight Blizzard ran a large-scale spear-phishing campaign that delivered malicious RDP connection (.rdp) files to targets in Ukraine’s government and military, including their cloud-hosted assets.
- The infrastructure listed in the article is styled after AWS: the indicator domains pair AWS region labels (ap-northeast-1, ca-central-1) and service names (s3) with Ukrainian-government-themed labels (gov-ua, s3-ua) under the .cloud TLD, which makes them easy to mistake for legitimate Ukrainian government cloud hosting across several AWS regions.
- Targets include government agencies, military organizations, and defense ministries that rely on cloud services.
- The article frames the campaign around the security and data protection of these cloud environments.
- The article maps the observed behaviors to MITRE ATT&CK from initial access through impact; the descriptions are generic tactic-level summaries rather than campaign-specific observations.
MITRE Techniques
- [T1078] Initial Access – Valid Accounts: use of valid accounts to gain access to systems.
- [T1203] Execution – Exploitation for Client Execution: exploitation of software vulnerabilities to execute malicious code.
- [T1547] Persistence – Boot or Logon Autostart Execution. The article’s description, creating new services or modifying existing services to maintain access, corresponds more closely to T1543 (Create or Modify System Process).
- [T1068] Privilege Escalation – Exploitation for Privilege Escalation: exploiting vulnerabilities to gain higher privileges.
- [T1562] Defense Evasion – Impair Defenses: disabling security tools to avoid detection.
- [T1003] Credential Access – OS Credential Dumping: stealing credentials from memory or storage.
- [T1087] Discovery – Account Discovery. The article’s description, gathering information about the system and network, is broader than T1087 and also covers T1082 (System Information Discovery) and T1016 (System Network Configuration Discovery).
- [T1041] Exfiltration – Exfiltration Over C2 Channel: transferring data out of the network.
- [T1489] Impact – Service Stop. The article’s description, data destruction or manipulation to disrupt operations, corresponds to T1485 (Data Destruction) and T1565 (Data Manipulation) rather than T1489.
Indicators of Compromise
- [Domain] Attacker-associated domains styled as Ukrainian government cloud hosting on AWS – ap-northeast-1-aws.s3-ua[.]cloud, ca-central-1.gov-ua[.]cloud, and other domains following the same pattern. The domains are defanged with [.]; refang them before loading into blocklists or matching against DNS and proxy logs, and do not resolve them from production hosts.
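A triage script for the lure described in the key points, added here as an example and not taken from the article or from any vendor tool. It parses a Windows .rdp connection file, matches the target host against the two defanged indicator domains above, flags hosts that borrow an AWS region label without sitting under amazonaws.com (a heuristic derived from the pattern of the listed indicators, not a rule stated in the article), and lists settings that expose local drives, clipboard, smart cards and similar resources to the remote host. The .rdp setting names are the standard ones; the risk wording, the region regex and the sample lure file are this example’s own constructions.

```python
"""Added example: triage a .rdp spear-phishing lure (not the article's code)."""
import re
from typing import Dict, List, Optional

# The two domains named in the Indicators of Compromise section, defanged as
# written there. Any further entries would be an assumption.
IOC_DOMAINS_DEFANGED: List[str] = [
    "ap-northeast-1-aws.s3-ua[.]cloud",
    "ca-central-1.gov-ua[.]cloud",
]

# Standard .rdp setting names whose non-empty / non-zero value hands a local
# resource to the remote host. The descriptions are this example's wording.
REDIRECTION_SETTINGS: Dict[str, str] = {
    "drivestoredirect": "local drives mapped into the remote session",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "local printers redirected",
    "redirectsmartcards": "smart cards redirected",
    "redirectcomports": "serial (COM) ports redirected",
    "redirectposdevices": "POS devices redirected",
    "devicestoredirect": "plug-and-play devices redirected",
}

# Heuristic (assumption, derived from the listed indicators): an AWS region
# label such as 'ca-central-1' at the start of the host or after '.'/'-'.
# Genuine AWS endpoints carry these labels under amazonaws.com.
AWS_REGION_RE = re.compile(
    r"(?:^|[.-])(?:us|eu|ap|ca|sa|af|me|il|mx)-(?:gov-)?"
    r"(?:north|south|east|west|central|northeast|southeast|northwest|southwest)-\d"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'key:type:value' lines into {key: value}; type is 's' or 'i'.
    Values can contain ':' (e.g. 'C:;D:'), so split at most twice."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # not a well-formed setting line
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings


def host_of(full_address: str) -> str:
    """Strip a trailing ':port' from 'full address' (hostnames/IPv4 only)."""
    addr = full_address.strip().lower()
    m = re.match(r"^(.+):(\d{1,5})$", addr)
    return m.group(1) if m else addr


def domain_matches(host: str, ioc: str) -> bool:
    """Exact match, or host is a subdomain of the indicator."""
    return host == ioc or host.endswith("." + ioc)


def mimics_aws(host: str) -> bool:
    """True when an AWS region label is used outside the amazonaws.com zone."""
    return bool(AWS_REGION_RE.search(host)) and not host.endswith(".amazonaws.com")


def analyze_rdp(text: str, iocs: List[str] = IOC_DOMAINS_DEFANGED) -> dict:
    """Triage one .rdp file and return structured verdict fields."""
    settings = parse_rdp(text)
    host = host_of(settings.get("full address", ""))
    ioc_match: Optional[str] = next(
        (d for d in map(refang, iocs) if host and domain_matches(host, d)), None)
    lookalike = bool(host) and mimics_aws(host)
    redirections = [k for k in REDIRECTION_SETTINGS if settings.get(k, "") not in ("", "0")]
    findings: List[str] = []
    if ioc_match:
        findings.append(f"target host {host} matches IoC domain {ioc_match}")
    if lookalike:
        findings.append(f"target host {host} uses an AWS region label outside amazonaws.com")
    findings.extend(f"{k}={settings[k]}: {REDIRECTION_SETTINGS[k]}" for k in redirections)
    risk = "high" if ioc_match or (lookalike and redirections) else ("medium" if redirections else "low")
    return {"host": host, "ioc_match": ioc_match, "mimics_aws": lookalike,
            "redirections": redirections, "findings": findings, "risk": risk}


# Constructed sample lure (not a file recovered from the campaign): the host is
# one of the page's IoC domains and the file maps local drives and clipboard.
SAMPLE_LURE = """\
; constructed example
full address:s:ca-central-1.gov-ua.cloud:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:0
authentication level:i:0
"""

if __name__ == "__main__":
    for line in analyze_rdp(SAMPLE_LURE)["findings"]:
        print(line)
```

Run it against a quarantined attachment rather than opening the file with mstsc; a file that both points at a lookalike host and enables drive or clipboard redirection is the combination worth escalating, since the redirection settings are what give the remote host reach into the victim machine.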