Microsoft confirms US government officials are targets of notorious hackers

AI-assisted TLDR: Microsoft has reported that the Russian government-backed hacking group Midnight Blizzard is targeting officials in the U.S. government and other sectors with spear phishing emails. These emails carry a signed Remote Desktop Protocol (RDP) configuration file that connects the victim's machine to a server controlled by the hackers, potentially exposing sensitive information and allowing the installation of malware. *Generated from Jak Connor’s content below.

Microsoft took to its security blog to highlight the company’s recent observations in cybersecurity, and according to the Redmond company, a known hacking group is now targeting US government officials with a series of waves of highly targeted spear phishing emails.

Malicious remote connection

According to Microsoft, the hacking group behind the campaign is the Russian government-backed Midnight Blizzard, whose activity has been on Microsoft’s radar since October 22, 2024. Microsoft Threat Intelligence knows Midnight Blizzard well: the group targeted Microsoft’s own systems on January 12, 2024, an attack that ended in compromise and gave Midnight Blizzard access to federal government email accounts, Microsoft corporate email accounts, and more.

At the time, Microsoft described these Midnight Blizzard attacks as “a sustained and significant commitment of resources, coordination, and focus from the threat actor.” Microsoft has now issued a new warning that Midnight Blizzard is sending a series of highly targeted spear phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. Microsoft writes that this activity is ongoing and that the likely purpose of the operation is to gather intelligence.

When it comes to details, Microsoft is trying to thwart the spear phishing campaign by publishing what potential targets should watch for. According to the blog, the spear phishing emails, sent to thousands of targets in more than a hundred organizations, contained a “signed Remote Desktop Protocol (RDP) configuration file.” This file was used to establish a connection to a server controlled by Midnight Blizzard.

“In this campaign, the malicious .RDP attachment contained several sensitive settings that could lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device resources to the server. Resources sent to the server may include, but are not limited to, all logical hard drives, clipboard contents, printers, attached peripherals, audio, and Windows operating system authentication features and facilities, including smart cards.

This access could allow the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or to install additional tools such as Remote Access Trojans (RATs) to maintain access after the RDP session is closed. The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the user signed in to the target system,” Microsoft warned.
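The redirection settings the quoted passage lists are stored as plain `name:type:value` lines inside the .rdp file, so a mail gateway or an analyst triaging an attachment can check for them directly. The scanner below is an added example written for this article, not code from Microsoft or the author; the sample file content and the host name rdp.example.invalid are constructed placeholders, and the list of flagged settings is one defender's choice rather than a complete catalogue.

```python
# Triage an .rdp attachment for settings that map local resources to the
# remote host or weaken authentication. Added example; sample data constructed.
import re

# A set lists the risky values; None flags any non-empty value (e.g. '*').
RISKY_SETTINGS = {
    "drivestoredirect": None,        # '*' maps every logical drive
    "redirectclipboard": {"1"},
    "redirectprinters": {"1"},
    "redirectsmartcards": {"1"},     # smart-card auth forwarded to remote host
    "redirectcomports": {"1"},
    "authentication level": {"0"},   # server identity is not verified
    "prompt for credentials": {"0"},
}

def decode_rdp(data: bytes) -> str:
    """mstsc saves UTF-16 with a BOM; hand-written files are often ASCII."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")

def parse_rdp(text: str) -> dict:
    """Return {setting name: value} from 'name:type:value' lines."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([isb]):(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings

def triage_rdp(data: bytes) -> dict:
    """Report target host, signature presence and matching risky settings."""
    s = parse_rdp(decode_rdp(data))
    findings = []
    for key, bad in RISKY_SETTINGS.items():
        value = s.get(key, "")
        if (bad is None and value) or (bad is not None and value in bad):
            findings.append(f"{key}={value}")
    # A signature proves who signed the file, not that its settings are safe.
    return {"full_address": s.get("full address", ""),
            "signed": "signature" in s, "findings": findings}

# Constructed sample in the shape of the campaign's attachment (placeholders).
SAMPLE_RDP = b"""full address:s:rdp.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
authentication level:i:2
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""
```

Running `triage_rdp(SAMPLE_RDP)` flags the drive, clipboard, printer and smart-card redirections while reporting the file as signed, which is exactly the combination a signature-based allowlist would let through.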