Not Simon the Goat on Nostr: Microsoft: Midnight Blizzard conducts large-scale spear-phishing campaign using RDP ...
Microsoft: Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
Since 22 October 2024, Microsoft Threat Intelligence observed Russian APT29 (tracked as Midnight Blizzard) sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. Microsoft assesses that the goal of this operation is likely intelligence collection.
The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server. In some of the lures, the actor attempted to add credibility to their malicious messages by impersonating Microsoft employees. The threat actor also referenced other cloud providers in the phishing lures.
Microsoft describes the spear-phishing campaign, the RDP connection, and the email infrastructure. Hunting queries and indicators of compromise are provided. APT29, aka Cozy Bear and NOBELIUM, is publicly attributed to the Russian Foreign Intelligence Service (SVR).
#russia #apt29 #svr #cozybear #midnightblizzard #IOC #threatintel #infosec #cybersecurity #cyberthreatintelligence #CTI
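The lure in this campaign is a signed `.rdp` configuration file that points at an actor-controlled server. As an added illustration (not Microsoft's hunting query and not part of the original post), the script below parses the plain `key:type:value` format of an RDP file attachment and flags any file whose destination host is outside an organisation's allowlist; the sample file content and the allowlist are constructed, not indicators from the report.

```python
"""Triage an .rdp attachment: which host does it connect to, and is it expected?

RDP files are plain text, one setting per line, in the form
    <key>:<type>:<value>
where <type> is s (string), i (integer) or b (binary blob). The 'full address'
key carries the destination server; 'signature' and 'signscope' are present
when the file has been signed.
"""
import re

RDP_LINE = re.compile(r"^([^:]+):([sib]):(.*)$")

# Constructed sample, modelled on the format only; the hostname is a placeholder.
SAMPLE_RDP = """\
full address:s:rdp-gateway.example.invalid:3389
prompt for credentials:i:1
signscope:s:Full Address,Prompt For Credentials
signature:s:PLACEHOLDER-BASE64-SIGNATURE-BLOB
"""

# Constructed allowlist of RDP destinations an organisation expects to see.
ALLOWED_HOSTS = {"rdp.corp.example", "jump01.corp.example"}


def parse_rdp(text: str) -> dict:
    """Return a dict of settings; keys are lower-cased, integer values are ints."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RDP_LINE.match(line)
        if not m:
            continue  # tolerate junk lines; mstsc ignores them too
        key, typ, value = m.groups()
        key = key.strip().lower()
        if typ == "i":
            try:
                value = int(value)
            except ValueError:
                pass  # keep the raw string if it is not a clean integer
        settings[key] = value
    return settings


def destination_host(settings: dict) -> str:
    """Strip an optional :port suffix from 'full address'."""
    address = str(settings.get("full address", "")).strip()
    host, sep, port = address.rpartition(":")
    if sep and port.isdigit() and not host.endswith("]"):
        return host
    return address


def assess(settings: dict, allowed_hosts: set) -> dict:
    """Summarise the file for an analyst and decide whether it needs review."""
    host = destination_host(settings)
    findings = []
    if not host:
        findings.append("no 'full address' present")
    elif host not in allowed_hosts:
        findings.append(f"destination '{host}' is not an approved RDP endpoint")
    signed = "signature" in settings
    return {
        "host": host,
        "signed": signed,
        "findings": findings,
        # A signature only proves who signed it, not that the host is trusted.
        "flagged": bool(findings),
    }


if __name__ == "__main__":
    result = assess(parse_rdp(SAMPLE_RDP), ALLOWED_HOSTS)
    print(result)
```

The point of the allowlist check is that a valid signature on the file says nothing about the destination: treat any RDP attachment whose `full address` is not an endpoint you operate as something to quarantine and hunt on, whether or not it is signed.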