Cyber Threat Pulse

#12, November 2024


Analysis of PAN-OS Vulnerabilities (CVE-2024-0012 and CVE-2024-9474): Causes, Risks and Recommendations

Palo Alto Networks has reported two critical vulnerabilities in PAN-OS affecting the firewall's management web interface:
● CVE-2024-0012 allows an unauthenticated attacker with network access to the management web interface to bypass authentication and obtain administrator privileges.
● CVE-2024-9474 allows an administrator with network access to the management web interface to execute actions on the firewall with root privileges.
Chained together, the two give an unauthenticated attacker root on the device. As confirmed by Unit 42, attackers are actively exploiting these vulnerabilities: observed activity includes the deployment of web shells, the download of additional tooling, and subsequent movement into the infrastructure behind the firewall.

The root cause of successful compromises remains operational rather than technical: many network engineers still leave management interfaces (web UI, SSH) reachable from the Internet. This exposes devices regardless of vendor (Palo Alto Networks, Cisco, Fortinet, Check Point, etc.) and contradicts established best practice, which is to restrict management interfaces to a dedicated management network or jump host and never expose them publicly.
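As an added example (not code from Palo Alto Networks or from this newsletter), the Python script below audits a PAN-OS configuration export in set format for exactly this mistake: administrative services (HTTPS, SSH, HTTP, Telnet) on the dedicated MGT port or on a data-plane interface whose management profile admits non-RFC 1918 sources or that sits in an Internet-facing zone. The sample configuration is constructed, the set-command syntax is reproduced from memory and should be checked against a real export, and the zone name "untrust" and the treatment of an empty permitted-ip list as "any source" are assumptions. Other vendors need a different parser but the same check.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, modelled on "show config running format set" output.
# The set-command syntax is reproduced from memory; verify it against a real export.
SAMPLE_CONFIG = """
set deviceconfig system permitted-ip 10.0.0.0/8
set network profiles interface-management-profile mgmt-open https yes
set network profiles interface-management-profile mgmt-open ssh yes
set network profiles interface-management-profile mgmt-open permitted-ip 0.0.0.0/0
set network profiles interface-management-profile mgmt-lan https yes
set network profiles interface-management-profile mgmt-lan permitted-ip 192.168.10.0/24
set network profiles interface-management-profile ping-only ping yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile mgmt-open
set network interface ethernet ethernet1/2 layer3 interface-management-profile mgmt-lan
set network interface ethernet ethernet1/3 layer3 interface-management-profile ping-only
set vsys vsys1 zone untrust network layer3 ethernet1/1
set vsys vsys1 zone trust network layer3 ethernet1/2
set vsys vsys1 zone untrust network layer3 ethernet1/3
"""

# Services that grant administrative access; ping, SNMP and response pages are out of scope.
ADMIN_SERVICES = {"https", "http", "ssh", "telnet"}
# Sources treated as internal (RFC 1918). Narrow this to your real management network.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UNTRUSTED_ZONES = {"untrust"}  # assumption: the Internet-facing zone is named "untrust"


def parse_config(text):
    """Extract the MGT-port ACL, management profiles and interface/zone bindings."""
    mgmt_permitted = []
    profiles = defaultdict(lambda: {"services": set(), "permitted": []})
    iface_profile = {}
    iface_zone = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "set":
            continue
        if tok[1:4] == ["deviceconfig", "system", "permitted-ip"]:
            mgmt_permitted.append(tok[4])
        elif tok[1:4] == ["network", "profiles", "interface-management-profile"] and len(tok) >= 7:
            name, key, value = tok[4], tok[5], tok[6]
            if key == "permitted-ip":
                profiles[name]["permitted"].append(value)
            elif value == "yes":
                profiles[name]["services"].add(key)
        elif tok[1:4] == ["network", "interface", "ethernet"] and "interface-management-profile" in tok:
            iface_profile[tok[4]] = tok[tok.index("interface-management-profile") + 1]
        elif tok[1] == "vsys" and tok[3] == "zone" and "layer3" in tok:
            for iface in tok[tok.index("layer3") + 1:]:  # interfaces listed after "layer3"
                iface_zone[iface] = tok[4]
    return mgmt_permitted, profiles, iface_profile, iface_zone


def open_to_world(permitted):
    """True if the ACL admits any source outside INTERNAL_RANGES; an empty ACL is assumed to mean 'any'."""
    if not permitted:
        return True
    for cidr in permitted:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(r.version == net.version and net.subnet_of(r) for r in INTERNAL_RANGES):
            return True
    return False


def audit(text):
    """Return findings for administrative services reachable from untrusted sources."""
    mgmt_permitted, profiles, iface_profile, iface_zone = parse_config(text)
    findings = []
    if open_to_world(mgmt_permitted):
        findings.append("MGT port: permitted-ip is empty or admits non-internal sources")
    for iface, prof in sorted(iface_profile.items()):
        p = profiles.get(prof)
        admin = p["services"] & ADMIN_SERVICES if p else set()
        if not admin:
            continue  # ping-only and similar profiles are not an admin exposure
        zone = iface_zone.get(iface, "unknown")
        acl_open = open_to_world(p["permitted"])
        if zone in UNTRUSTED_ZONES or acl_open:
            findings.append(
                f"{iface} (zone {zone}): profile '{prof}' exposes {sorted(admin)}"
                + (" to any source" if acl_open else " with an internal-only ACL")
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the sample the MGT port passes (10.0.0.0/8 only) and ethernet1/2 passes (trust zone, internal ACL); only ethernet1/1 is reported, because it carries HTTPS and SSH in the untrust zone with a 0.0.0.0/0 ACL. Run the same audit against every exported configuration as part of change control, not only after an advisory.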

Recommendations and solutions

The following steps should be taken to prevent such incidents:  

Cyberattack via RDP files: Analysis of Midnight Blizzard activity

At the end of October, a large-scale phishing campaign run by the Russian state-sponsored group Midnight Blizzard (also tracked as APT29 and Cozy Bear) was recorded. The campaign targeted government agencies, academic organisations and the defence sector in various countries, including Ukraine, the United Kingdom, Australia, Japan and countries across Europe.
The attack began with emails masquerading as official correspondence from Amazon, Microsoft or other vendors. The subject lines often referenced the implementation of Zero Trust architecture, which lent the messages credibility.
The payload was an RDP configuration (.rdp) file attached to the phishing email.
The RDP file was signed with a certificate issued by Let's Encrypt, a free certificate authority, to make the file appear trustworthy and reduce the security warnings shown on opening.
When the victim opens the file, an outbound RDP connection is established to the attackers' server. Because the file enables resource redirection, the attackers gain access to the victim's local resources (drives, clipboard, printers, smart cards and other devices), which lets them install malware and steal credentials.
Recommendations
● Prohibit or limit outbound RDP connections to external and public resources.
● Block .rdp attachments in mail clients and webmail services to prevent the accidental execution of malicious RDP configurations.
● Implement Conditional Access Authentication Strength policies, which grant access to critical systems only when criteria such as user identity, location or device type are met.
● Deploy an EDR-class solution for continuous monitoring of endpoint activity.
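The check a mail gateway or EDR would apply to such an attachment, as an added example rather than code from CERT-UA, Microsoft or Picus: parse the .rdp file's key:type:value settings, flag resource redirection (drives, clipboard, printers, smart cards, COM ports, devices, WebAuthn), RemoteApp mode and a connection target outside the organisation, and treat a signature as information rather than as a trust signal. Both sample files are constructed; the hostnames, RemoteApp name and signature value are placeholders, and the trusted-suffix list is an assumption standing in for your own inventory.

```python
import ipaddress

# Local resources an .rdp file can hand to the remote side. The keys are standard
# RDP file settings; the descriptions are ours.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "COM ports",
    "devicestoredirect": "plug-and-play devices",
    "usbdevicestoredirect": "USB devices",
    "redirectwebauthn": "WebAuthn authenticators",
}
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed attachment in the style of the campaign; host, RemoteApp name and signature are placeholders.
PHISHING_RDP = """\
screen mode id:i:2
full address:s:rdp.example.net:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||SecureStorageCheck
remoteapplicationname:s:Zero Trust Storage Check
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
devicestoredirect:s:*
usbdevicestoredirect:s:*
redirectwebauthn:i:1
prompt for credentials:i:0
signscope:s:Full Address,Remote Application Mode,Remote Application Program
signature:s:AQABAAEAAADQAAAA
"""

# Constructed file of the kind an IT team hands out for an internal terminal server.
INTERNAL_RDP = """\
full address:s:ts01.corp.example.internal
drivestoredirect:s:
redirectclipboard:i:0
"""


def parse_rdp(text):
    """Parse 'key:type:value' lines into {key: (type, value)}; values may themselves contain ':'."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        key, typ, value = (p.strip() for p in parts)
        settings[key.lower()] = (typ, value)
    return settings


def enabled(settings, key):
    """An integer setting is on when non-zero; a string setting when non-empty ('*' means all)."""
    typ, value = settings.get(key, ("", ""))
    if typ == "i":
        return value not in ("", "0")
    return typ == "s" and value != ""


def is_internal_host(host, trusted_suffixes):
    """Internal if the name ends with a trusted suffix or the address is RFC 1918."""
    host = host.lower()
    if any(host.endswith(s.lower()) for s in trusted_suffixes):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in r for r in INTERNAL_RANGES if r.version == addr.version)


def analyze_rdp(text, trusted_suffixes=()):
    """Return a verdict ('allow', 'review', 'block') and the reasons behind it."""
    s = parse_rdp(text)
    full = s.get("full address", ("", ""))[1]
    host = full.rsplit(":", 1)[0] if full.count(":") == 1 else full  # strip ':port' (hostnames, IPv4)
    reasons = []
    external = bool(host) and not is_internal_host(host, trusted_suffixes)
    if external:
        reasons.append(f"connects to external host {host}")
    redirected = [desc for key, desc in REDIRECTION_KEYS.items() if enabled(s, key)]
    if redirected:
        reasons.append("redirects " + ", ".join(redirected) + " to the remote server")
    if enabled(s, "remoteapplicationmode"):
        program = s.get("remoteapplicationprogram", ("", "?"))[1]
        reasons.append(f"starts RemoteApp {program} instead of showing a desktop")
    if "signature" in s:
        reasons.append("file is signed; the signature proves key possession, not a trusted publisher")
    if external and redirected:
        verdict = "block"
    elif external or redirected:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "host": host, "reasons": reasons}


if __name__ == "__main__":
    for name, body in (("phishing", PHISHING_RDP), ("internal", INTERNAL_RDP)):
        result = analyze_rdp(body, trusted_suffixes=(".corp.example.internal",))
        print(name, result["verdict"], result["reasons"])
```

The decisive combination is an external target plus redirection: an attacker who only gets a session to their own server learns little, but a session that also mounts the victim's drives, clipboard and smart card is exactly what this campaign relied on. A gateway would quarantine anything that is not "allow" and let a human look at "review".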
Source: https://cert.gov.ua/article/6281076 
Detailed analysis of the attack technique: https://www.picussecurity.com/resource/blog/understanding-and-mitigating-midnight-blizzards-rdp-based-spearphishing-campaign 

Avast Driver: Trojan horse for cyberattacks

A recent campaign uncovered by the Trellix Advanced Research Center shows how attackers turn legitimate software against the systems it protects. Rather than defeating security mechanisms head-on, the malware abuses the legitimate, signed Avast Anti-Rootkit driver (aswArPot.sys) to disable protection and take control of infected systems. This highlights the growing threat of BYOVD (Bring Your Own Vulnerable Driver) attacks, in which legitimate but vulnerable drivers are used as weapons.
Chain of infection:
● The malware, delivered as "kill-floor.exe", drops the legitimate Avast driver into the Windows directory under the name ntfs.bin.
● Using sc.exe, it registers that file as a kernel-mode driver service named "aswArPot.sys", which gives it kernel-level access.
● Through the driver, the malware terminates security processes from a hardcoded list, bypassing the anti-tamper protection that normally shields them.
Implement kernel-mode driver blocklisting (for example, Microsoft's vulnerable driver blocklist) and make sure your EDR/AV solution is configured to detect anomalous driver loading and process termination.
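The anomaly the recommendation above asks for, written out as an added Python example (not Trellix's code or detection content): score each kernel-driver service registration, taken from a System 7045 "service installed" event or from an `sc.exe create ... type= kernel` command line in a Security 4688 event, on three signals: driver image outside the directories drivers normally load from, image without a .sys extension, and a name matching a vulnerable-driver list. The event records are constructed to mirror the chain above; hostnames are placeholders, the trusted directories are an assumed baseline, and the vulnerable-driver list holds only the driver named in the article and would in practice be fed from LOLDrivers or your EDR.

```python
import ntpath
import re

# Locations from which kernel drivers are normally loaded (assumed baseline; tune for your estate).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Names from a vulnerable-driver feed (e.g. LOLDrivers). Only the driver from the article is listed here.
KNOWN_VULNERABLE_DRIVERS = {"aswarpot.sys"}
# "sc create <svc> ... binPath= <path>", with or without quotes around the path.
SC_CREATE = re.compile(r'\bsc(?:\.exe)?\s+create\s+(\S+)\s.*?binpath=\s*(?:"([^"]*)"|(\S+))', re.I)

# Constructed records modelled on System 7045 (service installed) and Security 4688 (process
# creation) fields; hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "ws-017", "NewProcessName": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc.exe create aswArPot.sys binPath= "C:\Users\Default\AppData\Local\Microsoft\Windows\ntfs.bin" type= kernel'},
    {"event_id": 7045, "host": "ws-017", "ServiceName": "aswArPot.sys", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Users\Default\AppData\Local\Microsoft\Windows\ntfs.bin"},
    {"event_id": 7045, "host": "ws-020", "ServiceName": "aswArPot", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Program Files\Avast Software\Avast\aswArPot.sys"},
    {"event_id": 7045, "host": "ws-021", "ServiceName": "tcpip", "ServiceType": "kernel mode driver",
     "ImagePath": r"\SystemRoot\System32\drivers\tcpip.sys"},
]


def normalize_path(path):
    """Lower-case, strip quotes and expand the SystemRoot forms that appear in 7045 ImagePath values."""
    p = path.strip().strip('"').lower()
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):
            p = "c:\\windows\\" + p[len(prefix):]
    if p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return p


def in_trusted_dir(path):
    return normalize_path(path).startswith(TRUSTED_DRIVER_DIRS)


def score_driver_install(service_name, image_path):
    """Score one kernel-driver service registration; returns (score, reasons)."""
    base = ntpath.basename(normalize_path(image_path))
    score, reasons = 0, []
    if not in_trusted_dir(image_path):
        score += 2
        reasons.append(f"driver image outside trusted directories: {image_path}")
    if not base.endswith(".sys"):
        score += 1
        reasons.append(f"driver image without a .sys extension: {base}")
    if service_name.lower() in KNOWN_VULNERABLE_DRIVERS or base in KNOWN_VULNERABLE_DRIVERS:
        score += 1
        reasons.append(f"name matches a known vulnerable driver: {service_name} / {base}")
    return score, reasons


def analyze_event(ev):
    """Return (score, reasons) for a kernel-driver registration, or None if the event is not one."""
    if ev["event_id"] == 7045 and "kernel" in ev.get("ServiceType", "").lower():
        return score_driver_install(ev["ServiceName"], ev["ImagePath"])
    if ev["event_id"] == 4688:
        cmd = ev.get("CommandLine", "")
        m = SC_CREATE.search(cmd)
        if m and re.search(r"type=\s*kernel", cmd, re.I):
            score, reasons = score_driver_install(m.group(1), m.group(2) or m.group(3))
            return score, ["kernel driver registered from the command line via sc.exe"] + reasons
    return None


def hunt(events, threshold=2):
    """Return alerts for events whose score reaches the threshold."""
    alerts = []
    for ev in events:
        result = analyze_event(ev)
        if result and result[0] >= threshold:
            alerts.append({"host": ev["host"], "event_id": ev["event_id"],
                           "score": result[0], "reasons": result[1]})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert['host']}] event {alert['event_id']} score {alert['score']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

A genuine Avast installation scores 1 (name match only) and stays under the threshold; the dropped copy scores 4 on both the sc.exe command line and the service-installed event, so the alert fires before the driver ever touches a security process. The same scoring can be applied to Sysmon event 6 (driver loaded), where the valid Avast signature on a file called ntfs.bin in a user-writable directory is the tell.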
Full study: https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/

Section “Time to update”

Microsoft
Microsoft's November update fixes 88 vulnerabilities, including 4 critical ones. Two of them are zero-days already exploited in the wild (CVE-2024-43451 and CVE-2024-49039), and one more was publicly disclosed before the patch (CVE-2024-49019). Important vulnerabilities include:
● CVE-2024-43451 (CVSS 6.5), NTLM Hash Disclosure Spoofing: minimal interaction with a malicious file, such as selecting or right-clicking it, leaks the user's NTLMv2 hash, enabling pass-the-hash and NTLM relay attacks for lateral movement. Used in phishing campaigns.
● CVE-2024-49039 (CVSS 8.8), Windows Task Scheduler elevation of privilege: improper token handling lets code running at low privilege (an AppContainer) escalate to medium integrity. Exploited in the wild.
● CVE-2024-49019 (CVSS 7.8), Active Directory Certificate Services elevation of privilege: overly permissive version 1 certificate templates can be abused to obtain certificates for other principals, up to domain administrator in poorly configured environments.
● CVE-2024-43639 (CVSS 9.8), Windows Kerberos remote code execution: a numeric truncation error allows an unauthenticated attacker to execute code on domain controllers.

Google Chrome (v130)
Google has fixed two memory-safety issues, one rated critical and one high:
● CVE-2024-10487: out-of-bounds write in Dawn, the WebGPU implementation, leading to remote code execution.
● CVE-2024-10488: use-after-free in WebRTC, leading to arbitrary code execution.

Mozilla (v132)
Mozilla fixed a total of 11 vulnerabilities in Firefox and Thunderbird, the most important of which are:
● CVE-2024-10458: permission leak via embed or object elements, with privacy implications.
● CVE-2024-10459: use-after-free in layout with accessibility, which can crash the browser or be exploited further.
● CVE-2024-9680: use-after-free in animation timelines, exploited in the wild and patched in the emergency 131.0.2 release.

Apple
Apple fixed more than 70 vulnerabilities in iOS 18 and macOS Sequoia 15, among them:
● memory-corruption bugs, including heap corruption, and flaws in file system handling;
● the "ShadyShader" GPU issue, in which malicious WebGL shader code in web content crashes the device.

Android
Google fixed 51 vulnerabilities in the November Android bulletin. The two most important are already being used by attackers in limited, targeted attacks:
● CVE-2024-43093 (CVSS 7.8), an elevation-of-privilege flaw in the Framework component, allows unauthorised access to protected system directories. As a result, attackers can read sensitive data or perform actions with elevated privileges. Android 12, 13, 14 and 15 are affected.
● CVE-2024-43047 (CVSS 7.8) is a memory management (use-after-free) bug in Qualcomm DSP components.

Have any questions for our experts? 

Fill out the form, and our experts will contact you within 2 working days.