Midnight Blizzard Escalates Spear-Phishing Attacks
Briefly

In the latest Midnight Blizzard attack campaign, victims received highly targeted emails that used social engineering lures relating to Microsoft, Amazon Web Services, and the concept of Zero Trust.
All emails contained an RDP configuration file, signed with a free Let's Encrypt certificate, that included several sensitive settings. When a user opened the file, an RDP connection would be established to an attacker-controlled system.
The configuration of the established RDP connection would then allow the threat actor to collect information about the targeted system, such as files and folders, connected network drives, and peripherals including printers, microphones, and smart cards.
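For defenders triaging such attachments, the following added example (not from the article or from Microsoft) parses the text of an `.rdp` file and reports the remote host, which local resources the file asks to redirect, and whether it carries a signature. It assumes the caller has already decoded the file to text; the sample file and its host name are constructed placeholders.

```python
# Added example: triage a .rdp file (lines of name:type:value) for redirection settings.
# Redirection properties and the local resource each one exposes to the remote host.
REDIRECT_SETTINGS = {
    "drivestoredirect": "local and network drives",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "audiocapturemode": "microphone",
    "redirectclipboard": "clipboard",
    "devicestoredirect": "plug and play devices",
}

def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict keyed by lower-cased name."""
    settings = {}
    for line in text.lstrip("\ufeff").splitlines():
        parts = line.strip().split(":", 2)  # the value itself may contain ':' (host:port)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2].strip())
    return settings

def is_enabled(kind, value):
    """Integer settings are on when non-zero; string lists are on when non-empty."""
    if kind == "i":
        return value.lstrip("-").isdigit() and int(value) != 0
    return value != ""

def triage(text):
    """Return the remote host, exposed resources, and whether the file is signed."""
    s = parse_rdp(text)
    exposed = sorted(label for name, label in REDIRECT_SETTINGS.items()
                     if name in s and is_enabled(*s[name]))
    return {
        "host": s.get("full address", ("s", ""))[1],
        "exposed": exposed,
        "signed": "signature" in s,
    }

# Constructed sample; the host is a placeholder, not an indicator from the campaign.
SAMPLE = """full address:s:rdp.example.invalid
drivestoredirect:s:*
redirectprinters:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
redirectclipboard:i:0
signscope:s:Full Address,DrivesToRedirect
signature:s:PLACEHOLDER
"""
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A setting that is absent from the file falls back to the RDP client's default, so a missing line is not evidence that the resource is withheld. A signature only identifies the signer and says nothing about whether the destination is trustworthy.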
The outbound RDP connections were established to domains created to trick the target into believing they were AWS domains. Amazon, working with the Ukrainian CERT-UA on fighti...
Read at TechRepublic