Author: Vivek Doshi, Principal Product Manager, Xage Security
The nation state-backed group known as Midnight Blizzard is conducting a large-scale, sophisticated phishing campaign that utilizes Remote Desktop Protocol (RDP) files in a novel way to infiltrate critical government and defense systems for intelligence-gathering purposes.
Spear-phishing, the method employed in this campaign, is a highly targeted type of phishing attack focused on specific individuals or organizations. Attackers gather personal information about their targets from social media, professional networks, and public records to create convincing, tailored messages. These messages often impersonate trusted sources, such as colleagues, supervisors, or well-known service providers, increasing the likelihood of recipient interaction with the content.
Microsoft was the first to identify this campaign, observing that Midnight Blizzard is primarily targeting governments, non-governmental organizations (NGOs), academic institutions, and defense-related organizations. These entities are often repositories of sensitive information, and by gaining access, Midnight Blizzard aims to extract valuable data for intelligence purposes. The campaign has been active since late October. Attackers aim to exploit organizational trust to compromise systems and gain long-term access to critical data.
How RDP Files Are Used in Spear-Phishing Campaigns
The recent spear-phishing campaign orchestrated by Midnight Blizzard targeted thousands of individuals across more than 100 organizations. This approach marks a shift from the group’s typical highly selective targeting, indicating an attempt to broaden its reach and increase the chances of system compromise. The phishing emails included RDP configuration files as attachments – an unusual method for Midnight Blizzard, who has not previously used RDP files as an initial access vector.
If a victim executes one of these RDP configuration files, an RDP connection is established to a server controlled by Midnight Blizzard. Microsoft researchers found that these configuration files were crafted to allow extensive exposure of the victim’s data and system settings.
On the attack, Microsoft stated:
“Once connected, the compromised system establishes a bidirectional link with the attacker-controlled server, allowing the threat actors to access and map the targeted user’s local resources directly to their server. These mapped resources may include sensitive data such as logical hard drives, clipboard contents, local files and directories, printers, peripheral devices, audio inputs, and security elements like Windows authentication facilities, including smart cards.
This level of access provides the attackers with significant opportunities to install malicious software on the victim’s device. They can add malware or place remote access trojans (RATs) in critical locations such as AutoStart folders, enabling persistent access even after the RDP session ends. Additionally, this connection may expose user credentials, creating further vulnerabilities.”
By capturing authentication details, attackers could potentially access additional systems, expanding their foothold in the targeted network for continued data gathering and surveillance.
How Xage Security Safeguards Organizations Against RDP-Based Attacks and Mitigates Threats
RDP is known to be vulnerable to attacks, which is why it is typically secured within internal networks using VPNs, firewalls, and network segmentation. However, recent attacks have shown that even internal RDP access is susceptible to compromise when attackers use spear-phishing emails with RDP file payloads.
Xage recommends that customers fully block direct RDP access to and from their network perimeter to mitigate the risk of RDP-based attacks, opting instead to use a proxy for accessing devices that require RDP connections. Xage’s proxy architecture converts traditional RDP sessions into secure HTTPS connections, providing session termination and protocol break. With Xage, users log in to a Xage node through a browser which then establishes an RDP session to the workstation or device.
Additionally, Xage’s RDP application-only access feature allows administrators to specify which applications users can access when connecting via RDP, preventing them from launching any other programs on the remote machine. This helps restrict users and in this case threat actors from reaching other sensitive data or resources on the target machine. Xage provides this functionality through a secure web browser eliminating the need to download RDP executable files which can be used by malicious actors.
With the support of Xage Enforcement Points, administrators can effectively prevent or limit outbound RDP connection attempts to public networks, adding a critical layer of security. It also enables administrators to restrict access attempts to other devices within the network, significantly reducing the risk of lateral movement by potential attackers. By segmenting the network and controlling these connection pathways, Xage helps contain any compromised session, preventing unauthorized access from spreading across the network and enhancing overall system resilience against threats.
Additionally, Xage strengthens device security by making unauthorized access significantly more difficult. The platform supports multiple layers of multi-factor authentication (MFA), adding extra security during login. Administrators can customize MFA requirements based on the criticality of resources or applications, ensuring optimal security tailored to each asset’s importance.
As threat actors become increasingly sophisticated, new types of attacks like this will continue to emerge in various forms. It is crucial for organizations not only to implement mitigation strategies but also to adopt a comprehensive zero-trust approach to protect their critical assets.
Learn more about Xage Zero Trust Access and Protection.