APT29 Spearphishing Campaign Targets Thousands with RDP Files
Microsoft has warned of an ongoing infostealing campaign from notorious Russian APT group Midnight Blizzard (aka APT29, CozyBear) in which thousands of targets were sent spear phishing emails.
Over 100 organizations in government, academia, defense, non-governmental organizations (NGOs) and other sectors have been impacted so far by this state-backed intelligence-gathering exercise, Redmond claimed in a blog post yesterday.
Unusually, the emails themselves – which impersonate Microsoft employees and other cloud providers – contain a signed RDP configuration file which connects to a threat actor server.
“In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server,” Microsoft explained.
“Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed.”
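The exposure Microsoft describes comes from ordinary settings in the attached .rdp file: drive, device, clipboard, printer, audio and smart-card redirection pointed at a host the attacker controls. As an added example (not code from the article or from Microsoft's post), the following scanner parses a .rdp file in mstsc's `name:type:value` line format and reports which redirection settings would hand local resources to the remote host. The setting names are the standard mstsc ones; the two sample files are constructed for this example, and the signature value is a placeholder, not a real signature.

```python
"""Flag .rdp attachments that redirect local resources to a remote host.

Added example for triage of mailed .rdp files; not part of the article.
Assumes the standard mstsc .rdp format: one "name:type:value" per line,
where type is s (string), i (integer) or b (binary).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Settings whose value exposes a local resource, and a predicate on the
# raw string value that is true when the resource is actually redirected.
RISKY_SETTINGS = {
    "drivestoredirect":   ("local drives mapped into the session",    lambda v: v != ""),
    "devicestoredirect":  ("plug-and-play devices forwarded",         lambda v: v != ""),
    "redirectclipboard":  ("clipboard shared with the remote host",  lambda v: v == "1"),
    "redirectprinters":   ("printers forwarded",                     lambda v: v == "1"),
    "redirectsmartcards": ("smart cards forwarded (credential risk)", lambda v: v == "1"),
    "redirectcomports":   ("serial/COM ports forwarded",             lambda v: v == "1"),
    "audiocapturemode":   ("microphone captured and forwarded",      lambda v: v == "1"),
}


@dataclass
class RdpAssessment:
    remote_host: Optional[str]      # value of "full address", if present
    signed: bool                    # a "signature" line exists (says nothing about who signed)
    findings: List[str] = field(default_factory=list)


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines into {name: value}, names lower-cased."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Split at most twice: the value itself may contain ':' (host:port).
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # malformed line; ignore rather than guess
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def assess_rdp(text: str) -> RdpAssessment:
    """Summarise where the file connects and which local resources it would expose."""
    settings = parse_rdp(text)
    result = RdpAssessment(
        remote_host=settings.get("full address"),
        # A signature only proves the settings were not altered after signing;
        # a file signed by an unknown party is not safer, so it is reported, not trusted.
        signed="signature" in settings,
    )
    for name, (why, exposed) in RISKY_SETTINGS.items():
        if name in settings and exposed(settings[name]):
            result.findings.append(f"{name}={settings[name]}: {why}")
    return result


# Constructed sample mimicking the pattern in the article (not a real IoC).
SAMPLE_SUSPICIOUS = """\
full address:s:rdp-gateway.example.invalid:3389
drivestoredirect:s:*
devicestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
audiocapturemode:i:1
signscope:s:Full Address,Drives To Redirect
signature:s:PLACEHOLDER_NOT_A_REAL_SIGNATURE
"""

# Constructed sample of a conservative internal connection file.
SAMPLE_BENIGN = """\
full address:s:ts.corp.example.invalid
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        a = assess_rdp(sample)
        print(f"[{label}] host={a.remote_host} signed={a.signed}")
        for f in a.findings:
            print("   -", f)
```

Run against the constructed suspicious sample, the scanner reports all seven redirections toward the external host; the benign sample produces no findings. In a mail gateway the useful signal is the combination of an external `full address` with any finding, which is what Microsoft's description of the campaign amounts to.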
By establishing an RDP connection to the actor-controlled server, victims may also expose their own credentials, the report warned.
Although targets have been discovered in dozens of countries, those in the UK, Europe, Australia and Japan are particularly at risk, Microsoft said. There is also an overlap of tactics seen and reported by Amazon and the Ukrainian CERT under the UAC-0215 designation.
Microsoft outlined a lengthy list of mitigations focused on strengthening:
- Operating environment configurations
- Endpoint security configurations
- Antivirus configurations
- Microsoft Office 365 configurations
- Email security configurations
- User education