216.73.217.22

Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

· Published 30/10/2024 22:04 · Modified 30/10/2024 23:08

Export JSON

Essential information

Published
30/10/2024 22:04
Modified
30/10/2024 23:08
Tags
2024-10-30 apt29 backdoor campaign cozy bear hustlecon midnight blizzard phishing rdp remote desktop russia unc2452
Related entities
200 observables, 1 intrusion sets (apt), 5 techniques (mitre), 1 malware

Description

On October 22, 2024, Microsoft identified a spear- in which sent emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails contained a Protocol () configuration file signed with a LetsEncrypt certificate. configuration (.) files summarize automatic settings and resource mappings that are established when a successful connection to an server occurs.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (200)

  • us-west-2.ua-sec.cloud
  • us-west-2.ua-energy.cloud
  • us-west-2.gov-ua.cloud
  • us-west-2-aws.ua-energy.cloud
  • us-west-2-aws.s3-ua.cloud
  • us-west-2-aws.mfa-gov.cloud
  • us-west-1.ukrtelecom.cloud
  • us-west-1.ua-gov.cloud
  • us-west-1.ua-energy.cloud
  • us-west-1.aws-ukraine.cloud
  • us-west-1-aws.gov-ua.cloud
  • us-west-1-amazon.ua-sec.cloud
  • us-west-1-amazon.ua-mil.cloud
  • us-west-1-amazon.ua-energy.cloud
  • us-east-console.ua-energy.cloud
  • us-east-2.ukrainesec.cloud
  • us-east-console.aws-ukraine.cloud
  • us-east-2.ua-sec.cloud
  • us-east-2.gov-ua.cloud
  • us-east-2.aws-ukraine.cloud
  • us-east-2-aws.ukrtelecom.cloud
  • us-east-2-aws.ua-gov.cloud
  • us-east-2-aws.gov-ua.cloud
  • us-east-1-aws.ua-sec.cloud
  • us-east-1-aws.ua-gov.cloud
  • us-east-1-aws.mfa-gov.cloud
  • us-east-1-aws.s3-ua.cloud
  • eu-west-3.ukrainesec.cloud
  • eu-west-3.ukrtelecom.cloud
  • eu-west-3.s3-ua.cloud
  • eu-west-3.s3-be.cloud
  • eu-west-3.mzv-sk.cloud
  • eu-west-3.presidencia-pt.cloud
  • eu-west-3.msz-pl.cloud
  • eu-west-3.mindef-nl.cloud
  • eu-west-3.minbuza.cloud
  • eu-west-3.mil-pl.cloud
  • eu-west-3.mil-be.cloud
  • eu-west-3.aws-ukraine.cloud
  • eu-west-3.amazonsolutions.cloud
  • eu-west-3-aws.ua-mil.cloud
  • eu-west-3-aws.s3-ua.cloud
  • eu-west-3-aws.s3-be.cloud
  • eu-west-3-aws.regeringskansliet-se.cloud
  • eu-west-3-aws.quirinale.cloud
  • eu-west-3-aws.mzv-sk.cloud
  • eu-west-3-aws.msz-pl.cloud
  • eu-west-3-aws.mindef-nl.cloud
  • eu-west-3-aws.minbuza.cloud
  • eu-west-3-aws.mil-pt.cloud
  • eu-west-3-aws.mil-pl.cloud
  • eu-west-3-aws.mil-be.cloud
  • eu-west-3-aws.gov-trust.cloud
  • eu-west-3-aws.gov-sk.cloud
  • eu-west-3-aws.gov-pl.cloud
  • eu-west-3-aws.difesa-it.cloud
  • eu-west-3-aws.dep-no.cloud
  • eu-west-2-aws.ua-sec.cloud
  • eu-west-3-aws.aws-ukraine.cloud
  • eu-west-2-aws.s3-ua.cloud
  • eu-west-2-aws.s3-nato.cloud
  • eu-west-2-aws.s3-esa.cloud
  • eu-west-2-aws.s3-de.cloud
  • eu-west-2-aws.s3-be.cloud
  • eu-west-2-aws.quirinale.cloud
  • eu-west-2-aws.mzv-sk.cloud
  • eu-west-2-aws.mindef-nl.cloud
  • eu-west-2-aws.msz-pl.cloud
  • eu-west-2-aws.minbuza.cloud
  • eu-west-2-aws.mil-be.cloud
  • eu-west-2-aws.mil-pl.cloud
  • eu-west-2-aws.gv-at.cloud
  • eu-west-2-aws.gov-sk.cloud
  • eu-west-2-aws.gov-pl.cloud
  • eu-west-2-aws.difesa-it.cloud
  • eu-west-2-aws.dep-no.cloud
  • eu-west-2-aws.amazonsolutions.cloud
  • eu-west-1.ukrtelecom.cloud
  • eu-west-1.s3-ua.cloud
  • eu-west-1.ua-gov.cloud
  • eu-west-1.s3-esa.cloud
  • eu-west-1.s3-de.cloud
  • eu-west-1.mzv-sk.cloud
  • eu-west-1.regeringskansliet-se.cloud
  • eu-west-1.msz-pl.cloud
  • eu-west-1.minbuza.cloud
  • eu-west-1.mil-pl.cloud
  • eu-west-1.gov-sk.cloud
  • eu-west-1.mil-be.cloud
  • eu-west-1.difesa-it.cloud
  • eu-west-1.aws-ukraine.cloud
  • eu-west-1-aws.ukrainesec.cloud
  • eu-west-1-aws.ua-sec.cloud
  • eu-west-1-aws.s3-nato.cloud
  • eu-west-1-aws.s3-esa.cloud
  • eu-west-1-aws.s3-de.cloud
  • eu-west-1-aws.s3-be.cloud
  • eu-west-1-aws.quirinale.cloud
  • eu-west-1-aws.mil-pl.cloud
  • eu-west-1-aws.minbuza.cloud
  • eu-west-1-aws.mil-be.cloud
  • eu-west-1-aws.gov-ua.cloud
  • eu-west-1-aws.gov-trust.cloud
  • eu-west-1-aws.gov-sk.cloud
  • eu-west-1-aws.gov-pl.cloud
  • eu-west-1-aws.aws-ukraine.cloud
  • eu-west-1-aws.dep-no.cloud
  • eu-west-1-aws.amazonsolutions.cloud
  • eu-southeast-1-aws.ukrainesec.cloud
  • eu-southeast-1-aws.ua-energy.cloud
  • eu-southeast-1-aws.s3-ua.cloud
  • eu-southeast-1-aws.s3-esa.cloud
  • eu-southeast-1-aws.s3-de.cloud
  • eu-southeast-1-aws.s3-be.cloud
  • eu-southeast-1-aws.quirinale.cloud
  • eu-southeast-1-aws.mzv-sk.cloud
  • eu-southeast-1-aws.mzv-cz.cloud
  • eu-southeast-1-aws.msz-pl.cloud
  • eu-southeast-1-aws.mindef-nl.cloud
  • eu-southeast-1-aws.mil-be.cloud
  • eu-southeast-1-aws.mil-pl.cloud
  • eu-southeast-1-aws.gov-trust.cloud
  • eu-southeast-1-aws.gov-sk.cloud
  • eu-southeast-1-aws.difesa-it.cloud
  • eu-southeast-1-aws.amazonsolutions.cloud
  • eu-southeast-1-aws.dep-no.cloud
  • eu-southeast-1-aws.aws-ukraine.cloud
  • eu-south-2.ukrainesec.cloud
  • eu-south-2.ua-sec.cloud
  • eu-south-2.s3-nato.cloud
  • eu-south-2.s3-de.cloud
  • eu-south-2.s3-esa.cloud
  • eu-south-2.s3-be.cloud
  • eu-south-2.mindef-nl.cloud
  • eu-south-2.mil-be.cloud
  • eu-south-2.mil-pl.cloud
  • eu-south-2.gov-pl.cloud
  • eu-south-2.gov-sk.cloud
  • eu-south-2.dep-no.cloud
  • eu-south-2-aws.s3-ua.cloud
  • eu-south-2-aws.ua-gov.cloud
  • eu-south-2-aws.s3-nato.cloud
  • eu-south-2-aws.s3-esa.cloud
  • eu-south-2-aws.s3-de.cloud
  • eu-south-2-aws.s3-be.cloud
  • eu-south-2-aws.quirinale.cloud
  • eu-south-2-aws.regeringskansliet-se.cloud
  • eu-south-2-aws.ncfta.cloud
  • eu-south-2-aws.mzv-sk.cloud
  • eu-south-2-aws.msz-pl.cloud
  • eu-south-2-aws.minbuza.cloud
  • eu-south-2-aws.mil-be.cloud
  • eu-south-2-aws.mil-pt.cloud
  • eu-south-2-aws.mil-pl.cloud
  • eu-south-2-aws.gov-sk.cloud
  • eu-south-2-aws.mfa-gov.cloud
  • eu-south-2-aws.gov-pl.cloud
  • eu-south-2-aws.dep-no.cloud
  • eu-south-2-aws.amazonsolutions.cloud
  • eu-south-1-aws.ua-gov.cloud
  • eu-south-1-aws.s3-de.cloud
  • eu-south-1-aws.s3-be.cloud
  • eu-south-1-aws.quirinale.cloud
  • eu-south-1-aws.mzv-sk.cloud
  • eu-south-1-aws.minbuza.cloud
  • eu-south-1-aws.mil-be.cloud
  • eu-south-1-aws.mfa-gov.cloud
  • eu-south-1-aws.gov-trust.cloud
  • eu-south-1-aws.gov-pl.cloud
  • eu-south-1-aws.difesa-it.cloud
  • eu-south-1-aws.dep-no.cloud
  • eu-south-1-aws.admin-ch.cloud
  • eu-north-1.s3-ua.cloud
  • eu-north-1.s3-de.cloud
  • eu-north-1.s3-be.cloud
  • eu-north-1.regeringskansliet-se.cloud
  • eu-north-1.ncfta.cloud
  • eu-north-1.mil-pl.cloud
  • eu-north-1.mzv-sk.cloud
  • eu-north-1.mil-be.cloud
  • eu-north-1.gv-at.cloud
  • eu-north-1.gov-ua.cloud
  • eu-north-1.gov-trust.cloud
  • eu-north-1.difesa-it.cloud
  • eu-north-1-aws.ua-gov.cloud
  • eu-north-1-aws.ua-energy.cloud
  • eu-north-1-aws.s3-de.cloud
  • eu-north-1-aws.s3-be.cloud
  • eu-north-1-aws.regeringskansliet-se.cloud
  • eu-north-1-aws.quirinale.cloud
  • eu-north-1-aws.presidencia-pt.cloud
  • eu-north-1-aws.minbuza.cloud
  • eu-north-1-aws.ncfta.cloud
  • eu-north-1-aws.mil-pl.cloud
  • eu-north-1-aws.mil-be.cloud
  • eu-north-1-aws.gov-sk.cloud
  • eu-north-1-aws.gov-pl.cloud
  • eu-north-1-aws.dep-no.cloud
  • eu-north-1-aws.difesa-it.cloud
  • eu-east-1-aws.ukrtelecom.cloud

Intrusion sets (APT) (1)

Techniques (MITRE) (5)

Malware (1)

  • HustleCon
    Family
    Published 30/10/2024 22:04 · Modified 30/10/2024 22:04

External references