Midnight Blizzard Taps Phishing Emails, Rogue RDP Nets

The Russian-based attack group uses legitimate red-team tools, 200 domain names, and 34 back-end RDP servers, making it harder to identify and block malicious activity.


An ongoing cyber-espionage campaign by Russia's Midnight Blizzard threat group may be much larger in scope than generally assumed, targeting international entities in government, armed forces, and academic institutions, Trend Micro said in recently released research.

At its peak in October, Trend Micro researchers observed Midnight Blizzard — which they track as Earth Koshchei — hitting as many as 200 entities a day with phishing emails containing a malicious Remote Desktop Protocol (RDP) file, then using red-team testing tools to take control of victim systems and steal data or plant malware on them. That volume is roughly what other groups with similar capabilities, such as Pawn Storm, typically target over multiple weeks, Trend Micro said in a report this week.

In these attacks, intended victims received tailored spear-phishing emails containing a malicious or rogue RDP configuration file that, if used, would direct the victim's system to a remote attacker-controlled system. RDP configuration files simplify and automate remote access to enterprise systems by storing settings — such as a target computer's address and connection preferences — to enable remote desktop connections.

Trend Micro found the threat actor using the open source PyRDP tool as a sort of adversary-in-the-middle proxy to redirect connection requests from victim systems to attacker-controlled domains and servers. "The attack technique is called 'rogue RDP,' which involves an RDP relay, a rogue RDP server, and a malicious RDP configuration file," the researchers explained. "A victim of this technique would give partial control of their machine to the attacker, potentially leading to data leakage and malware installation."

Careful Planning

In August, Midnight Blizzard began setting up what would eventually be more than 200 domain names to direct victims to as part of the attack chain. Trend Micro also observed the attacker using 34 rogue RDP backend servers as part of its sprawling infrastructure.

The domain names that the threat actor used suggested government and military targets in the US, Europe, Japan, Australia, and Ukraine. Intended victims included ministries of foreign affairs, academic researchers, and military entities. "The scale of the RDP campaign was huge," Trend Micro found.

Midnight Blizzard is a cyber-espionage group that the US government has identified as working on behalf of Russia's foreign intelligence service. The group is tied to numerous well-known breach incidents, including ones at Microsoft, SolarWinds, HPE, and multiple US federal government agencies. Its campaigns typically involve sophisticated spear-phishing emails, stolen credentials, and supply chain attacks to gain initial access to target systems. It is also known to target vulnerabilities in widely used networking and collaboration tools from vendors such as Pulse Secure, Citrix, Zimbra, and Fortinet.

The group also has a penchant for using legitimate pen testing and red-team tools to evade detection by endpoint security controls. In the current campaign, Midnight Blizzard's use of legitimate tools like RDP and PyRDP has allowed the threat actor to operate largely under the radar on compromised networks. In addition, the threat actor often taps residential proxy services, Tor, and VPNs as anonymization layers while operating in stealth on compromised networks.

"Notably no malware is installed on the victim's machines per se. Instead, a malicious configuration file with dangerous settings facilitates this attack, making it a stealthier living-off-the-land operation that is likely to evade detection," according to Trend Micro's report.

The security vendor wants organizations that don't block outbound RDP connection requests to begin doing so straight away. It also recommends blocking RDP configuration files in email.
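A defender-side triage of the rogue RDP configuration files described above, tied to the vendor's advice to block such files at the mail gateway, as an added example that is not code from the article or from Trend Micro: it parses the .rdp `name:type:value` format and flags a non-internal target address plus any resource-redirection settings that would hand local drives or clipboard to the remote server. The trusted host-suffix list, the set of settings treated as dangerous, and the sample file (placeholder host) are assumptions made here.

```python
# Added example (not code from the article or Trend Micro); assumes the .rdp
# text format 'name:type:value' and a list of trusted internal host suffixes.
import ipaddress
import re
# Settings that hand local drives, clipboard, smart cards etc. to the server.
REDIRECT_FLAGS = {"redirectdrives", "redirectclipboard", "redirectprinters",
                  "redirectsmartcards", "redirectcomports", "redirectwebauthn"}
REDIRECT_LISTS = {"drivestoredirect", "devicestoredirect", "usbdevicestoredirect"}
LINE_RE = re.compile(r"^([^:]+):([sib]):(.*)$")

def parse_rdp(text):
    """Parse 'name:type:value' lines; integer ('i') values become ints."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            name, kind, value = m.group(1).strip().lower(), m.group(2), m.group(3).strip()
            settings[name] = int(value) if kind == "i" and value.isdigit() else value
    return settings

def host_of(target):
    # Strip an optional port from 'host', 'host:3389' or '[v6addr]:3389'.
    if target.startswith("["):
        return target[1:target.find("]")]
    return target.rsplit(":", 1)[0] if target.count(":") == 1 else target

def is_internal(target, trusted_suffixes):
    host = host_of(target).lower()
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a hostname: accept only trusted internal suffixes
        return any(host == s or host.endswith("." + s) for s in trusted_suffixes)

def triage_rdp(text, trusted_suffixes=("corp.example",)):
    """Return the reasons to block an .rdp attachment; empty list if clean."""
    s = parse_rdp(text)
    target = s.get("full address", "")
    findings = []
    if not target or not is_internal(target, trusted_suffixes):
        findings.append(f"target not internal: {target or '<missing>'}")
    findings += [f"{f} enabled" for f in sorted(REDIRECT_FLAGS) if s.get(f) == 1]
    findings += [f"{n}={s[n]}" for n in sorted(REDIRECT_LISTS) if s.get(n)]
    if s.get("remoteapplicationmode") == 1:
        findings.append("remoteapplicationmode enabled")
    return findings

# Constructed sample in the shape of the campaign's attachment (placeholder host).
ROGUE_RDP = ("full address:s:relay.attacker-controlled.invalid:3389\nredirectdrives:i:1\n"
             "redirectclipboard:i:1\ndrivestoredirect:s:*\nremoteapplicationmode:i:1\n")
```

An empty result means the file points at a known-internal host and shares nothing; anything else is a reason to quarantine the attachment and, per the vendor's advice, to confirm outbound RDP is blocked at the perimeter.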

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
