{
  "name": "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files",
  "slug": "midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files",
  "description": "On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social-engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a Let's Encrypt certificate. RDP configuration (.RDP) files define the automatic settings and resource mappings that are applied once a connection to an RDP server is successfully established.",
  "published": "2024-10-30T21:04:22+00:00",
  "created_at": "2024-10-30T21:04:22+00:00",
  "modified_at": "2024-10-30T22:08:52+00:00",
  "created_at_opencti": "2024-10-30T21:04:22+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-10-30",
    "apt29",
    "backdoor",
    "campaign",
    "cozy bear",
    "hustlecon",
    "midnight blizzard",
    "phishing",
    "rdp",
    "remote desktop",
    "russia",
    "unc2452"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "us-west-2.ua-sec.cloud"
      },
      {
        "id": "",
        "name": "us-west-2.ua-energy.cloud"
      },
      {
        "id": "",
        "name": "us-west-2.gov-ua.cloud"
      },
      {
        "id": "",
        "name": "us-west-2-aws.ua-energy.cloud"
      },
      {
        "id": "",
        "name": "us-west-2-aws.s3-ua.cloud"
      },
      {
        "id": "",
        "name": "us-west-2-aws.mfa-gov.cloud"
      },
      {
        "id": "",
        "name": "us-west-1.ukrtelecom.cloud"
      },
      {
        "id": "",
        "name": "us-west-1.ua-gov.cloud"
      },
      {
        "id": "",
        "name": "us-west-1.ua-energy.cloud"
      },
      {
        "id": "",
        "name": "us-west-1.aws-ukraine.cloud"
      },
      {
        "id": "",
        "name": "us-west-1-aws.gov-ua.cloud"
      },
      {
        "id": "",
        "name": "us-west-1-amazon.ua-sec.cloud"
      },
      {
        "id": "",
        "name": "us-west-1-amazon.ua-mil.cloud"
      },
      {
        "id": "",
        "name": "us-west-1-amazon.ua-energy.cloud"
      },
      {
        "id": "",
        "name": "us-east-console.ua-energy.cloud"
      },
      {
        "id": "",
        "name": "us-east-2.ukrainesec.cloud"
      },
      {
        "id": "",
        "name": "us-east-console.aws-ukraine.cloud"
      },
      {
        "id": "",
        "name": "us-east-2.ua-sec.cloud"
      },
      {
        "id": "",
        "name": "us-east-2.gov-ua.cloud"
      },
      {
        "id": "",
        "name": "us-east-2.aws-ukraine.cloud"
      },
      {
        "id": "",
        "name": "us-east-2-aws.ukrtelecom.cloud"
      },
      {
        "id": "",
        "name": "us-east-2-aws.ua-gov.cloud"
      },
      {
        "id": "",
        "name": "us-east-2-aws.gov-ua.cloud"
      },
      {
        "id": "",
        "name": "us-east-1-aws.ua-sec.cloud"
      },
      {
        "id": "",
        "name": "us-east-1-aws.ua-gov.cloud"
      },
      {
        "id": "",
        "name": "us-east-1-aws.mfa-gov.cloud"
      },
      {
        "id": "",
        "name": "us-east-1-aws.s3-ua.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.ukrainesec.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.ukrtelecom.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.s3-ua.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.s3-be.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.mzv-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.presidencia-pt.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.msz-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.mindef-nl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.minbuza.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.mil-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.mil-be.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.aws-ukraine.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3.amazonsolutions.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.ua-mil.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.s3-ua.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.s3-be.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.regeringskansliet-se.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.quirinale.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.mzv-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.msz-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.mindef-nl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.minbuza.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.mil-pt.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.mil-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.mil-be.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.gov-trust.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.gov-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.gov-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.difesa-it.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.dep-no.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.ua-sec.cloud"
      },
      {
        "id": "",
        "name": "eu-west-3-aws.aws-ukraine.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.s3-ua.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.s3-nato.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.s3-esa.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.s3-de.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.s3-be.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.quirinale.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.mzv-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.mindef-nl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.msz-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.minbuza.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.mil-be.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.mil-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.gv-at.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.gov-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.gov-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.difesa-it.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.dep-no.cloud"
      },
      {
        "id": "",
        "name": "eu-west-2-aws.amazonsolutions.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.ukrtelecom.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.s3-ua.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.ua-gov.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.s3-esa.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.s3-de.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.mzv-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.regeringskansliet-se.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.msz-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.minbuza.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.mil-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.gov-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.mil-be.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.difesa-it.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1.aws-ukraine.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.ukrainesec.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.ua-sec.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.s3-nato.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.s3-esa.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.s3-de.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.s3-be.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.quirinale.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.mil-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.minbuza.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.mil-be.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.gov-ua.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.gov-trust.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.gov-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.gov-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.aws-ukraine.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.dep-no.cloud"
      },
      {
        "id": "",
        "name": "eu-west-1-aws.amazonsolutions.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.ukrainesec.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.ua-energy.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.s3-ua.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.s3-esa.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.s3-de.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.s3-be.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.quirinale.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.mzv-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.mzv-cz.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.msz-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.mindef-nl.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.mil-be.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.mil-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.gov-trust.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.gov-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.difesa-it.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.amazonsolutions.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.dep-no.cloud"
      },
      {
        "id": "",
        "name": "eu-southeast-1-aws.aws-ukraine.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2.ukrainesec.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2.ua-sec.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2.s3-nato.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2.s3-de.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2.s3-esa.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2.s3-be.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2.mindef-nl.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2.mil-be.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2.mil-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2.gov-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2.gov-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2.dep-no.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.s3-ua.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.ua-gov.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.s3-nato.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.s3-esa.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.s3-de.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.s3-be.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.quirinale.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.regeringskansliet-se.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.ncfta.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.mzv-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.msz-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.minbuza.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.mil-be.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.mil-pt.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.mil-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.gov-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.mfa-gov.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.gov-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.dep-no.cloud"
      },
      {
        "id": "",
        "name": "eu-south-2-aws.amazonsolutions.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.ua-gov.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.s3-de.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.s3-be.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.quirinale.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.mzv-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.minbuza.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.mil-be.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.mfa-gov.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.gov-trust.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.gov-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.difesa-it.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.dep-no.cloud"
      },
      {
        "id": "",
        "name": "eu-south-1-aws.admin-ch.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1.s3-ua.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1.s3-de.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1.s3-be.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1.regeringskansliet-se.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1.ncfta.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1.mil-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1.mzv-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1.mil-be.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1.gv-at.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1.gov-ua.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1.gov-trust.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1.difesa-it.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.ua-gov.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.ua-energy.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.s3-de.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.s3-be.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.regeringskansliet-se.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.quirinale.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.presidencia-pt.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.minbuza.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.ncfta.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.mil-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.mil-be.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.gov-sk.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.gov-pl.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.dep-no.cloud"
      },
      {
        "id": "",
        "name": "eu-north-1-aws.difesa-it.cloud"
      },
      {
        "id": "",
        "name": "eu-east-1-aws.ukrtelecom.cloud"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:93db8c705a424aeb",
        "name": "HustleCon",
        "slug": "hustlecon"
      }
    ],
    "intrusion_sets": [
      {
        "id": "legacy:intrusion:4361a9c99b4e2407",
        "name": "Midnight Blizzard",
        "slug": "midnight-blizzard"
      }
    ],
    "attack_patterns": [
      {
        "id": "f4a450ef-8297-42e5-9e47-01162138baa2",
        "name": "T1115"
      },
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "743d2e0c-e5d5-4ccb-a6bd-0035c4e88c37",
        "name": "T1176"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ]
  },
  "external_refs": [
    "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/",
    "https://otx.alienvault.com/pulse/6722ad6624869775e01cd675"
  ]
}