APT29 Spearphishing Campaign Targets Thousands with RDP Files
Microsoft has warned of an ongoing infostealing campaign from notorious Russian APT group Midnight Blizzard (aka APT29, CozyBear) in which thousands of targets were sent spear phishing emails.
Over 100 organizations in government, academia, defense, non-governmental organizations (NGOs) and other sectors have been impacted so far by this state-backed intelligence-gathering exercise, Redmond claimed in a blog post yesterday.
Unusually, the emails themselves – which impersonate Microsoft employees and other cloud providers – carry a signed RDP configuration file that connects the victim's machine to a threat actor server.
“In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server,” Microsoft explained.
“Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed.”
By establishing an RDP connection to the actor-controlled server, victims may also expose their own credentials, the report warned.
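The settings Microsoft describes above are ordinary .rdp file keys, so an analyst can triage a suspicious attachment statically before anyone opens it. The script below is an added illustration, not Microsoft's detection logic or code from the report: it parses the key:type:value lines of an .rdp file, flags every resource-redirection setting that is switched on (drives, clipboard, printers, plug-and-play and USB devices, serial ports, microphone, smart cards), checks whether the target host falls outside an allowlist, and notes whether the file carries a signature. The sample file, the hostname and the allowlist suffix `.corp.example` are constructed placeholders, and the signature check only reports presence, not who signed it.

```python
"""Static triage of an .rdp attachment for the resource-redirection settings
the article describes.  Added illustration; not Microsoft's detection logic."""
from dataclasses import dataclass

# Constructed sample modelled on the attachment described in the article.
# The hostname and signature blob are placeholders, not real indicators.
SAMPLE_RDP = """\
full address:s:rdp.attacker-controlled.example:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
audiocapturemode:i:1
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

# Standard RDP file keys that redirect a local resource into the session,
# with the predicate that tells whether each one is enabled.
REDIRECTION_CHECKS = {
    "drivestoredirect": ("local drives", lambda v: v != ""),
    "redirectclipboard": ("clipboard", lambda v: v == "1"),
    "redirectprinters": ("printers", lambda v: v == "1"),
    "redirectsmartcards": ("smart cards", lambda v: v == "1"),
    "devicestoredirect": ("plug-and-play devices", lambda v: v != ""),
    "usbdevicestoredirect": ("USB devices", lambda v: v != ""),
    "redirectcomports": ("serial ports", lambda v: v == "1"),
    "audiocapturemode": ("microphone", lambda v: v == "1"),
}

# Hostname suffixes an RDP client in this hypothetical environment may reach.
TRUSTED_SUFFIXES = (".corp.example",)


@dataclass
class Assessment:
    host: str
    external: bool
    signed: bool
    redirected: list
    risk: str


def parse_rdp(text):
    """Parse key:type:value lines into {key: value}; values may contain colons."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            raise ValueError(f"line {lineno}: not a key:type:value entry: {raw!r}")
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings


def _hostname(full_address):
    # Drop an optional :port; bracketed IPv6 literals are left untouched.
    host = full_address.strip().lower()
    if host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    return host


def assess_rdp(text, trusted_suffixes=TRUSTED_SUFFIXES):
    """Flag an .rdp file that maps local resources to a host outside the allowlist."""
    settings = parse_rdp(text)
    host = _hostname(settings.get("full address", ""))
    external = bool(host) and not any(
        host == suffix.lstrip(".") or host.endswith(suffix) for suffix in trusted_suffixes
    )
    # A signature only shows the file was signed by someone; the article notes the
    # malicious attachments were signed too.  Checking the signer needs the
    # certificate chain and is out of scope here.
    signed = "signature" in settings
    redirected = [
        desc for key, (desc, enabled) in REDIRECTION_CHECKS.items()
        if key in settings and enabled(settings[key])
    ]
    if external and redirected:
        risk = "high"  # local resources offered to an untrusted server
    elif redirected or external:
        risk = "medium"
    else:
        risk = "low"
    return Assessment(host, external, signed, redirected, risk)


if __name__ == "__main__":
    result = assess_rdp(SAMPLE_RDP)
    print(f"{result.host}: risk={result.risk}, signed={result.signed}")
    for item in result.redirected:
        print(f"  redirects {item}")
```

Run against the constructed sample, the script rates the file high risk because six redirections are enabled towards a host outside the allowlist. The same check fits a mail-gateway or sandbox pipeline: extract every .rdp attachment, call `assess_rdp`, and quarantine anything rated high.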
Although targets have been discovered in dozens of countries, those in the UK, Europe, Australia and Japan are particularly at risk, Microsoft said. The campaign's tactics also overlap with activity reported by Amazon and by the Ukrainian CERT, which tracks it under the designation UAC-0215.
Microsoft outlined a lengthy list of mitigations focused on strengthening:
- Operating environment configurations
- Endpoint security configurations
- Antivirus configurations
- Microsoft Office 365 configurations
- Email security configurations
- User education