In this episode, we're talking about a significant development in the cyber threat landscape. There has been a surge in activity from a group known as Midnight Blizzard, also known as APT29. They're a sophisticated Russian state-sponsored group, and their primary targets are governments, diplomats, NGOs, and IT service providers, mainly in the US and Europe. What's really alarming is their recent shift in tactics. They're now using malicious RDP files in their spear-phishing campaigns, which is a new approach for them. This indicates they are evolving their methods, becoming even more dangerous. RDP is commonly used in corporate environments for remote access to resources, so many organizations have it enabled and may not be blocking RDP files, making them an ideal attack vector.
Amazon identified internet domains abused by APT29 | AWS Security Blog: https://aws.amazon.com/blogs/security/amazon-identified-internet-domains-abused-by-apt29/
Foreign Threat Actor Conducting Large-Scale Spear-Phishing Campaign with RDP Attachments | CISA: https://www.cisa.gov/news-events/cybersecurity-alerts-advisories/aa24-329a
Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files _ Microsoft Security Blog.pdf: The URL for this source was not provided.
Rogue RDP – Revisiting Initial Access Methods - Black Hills Information Security: https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
Rogue RDP: Bring Your Own Server | Mike Felch | 1-Hour: https://www.youtube.com/watch?v=y1Y-t7fDwXU
Warning: Government-themed Phishing with RDP Attachments | CCB Safeonweb: https://www.safeonweb.be/en/news/warning-government-themed-phishing-rdp-attachments
Rogue RDP Attack Detection: UAC-0215 Leverages RDP Configuration Files to Gain Remote Access to Ukrainian Public Sector Computers - SOC Prime: https://socprime.com/blog/rogue-rdp-attack-detection-uac-0215-leverages-rdp-configuration-files-to-gain-remote-access-to-ukrainian-public-sector-computers/
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://go.spenceralessi.com/mylinks
Work with Us: https://securit360.com
The Cyber Threat Perspective