This post is also available in:
עברית (Hebrew)
‘Cozy Bear’, a notorious Russian threat actor, has initiated a sophisticated malicious campaign that has impacted over 100 organizations across critical sectors, according to a recent Microsoft repot. Active since October 22nd, this campaign employs phishing emails designed to manipulate users in order to gain access and compromise their systems.
The scale of the operation is concerning, with more than a thousand users receiving phishing emails that leverage familiar names, including Microsoft and Amazon Web Services (AWS), along with concepts like Zero Trust to enhance credibility. Cozy Bear has also gone a step further by impersonating Microsoft employees, increasing the likelihood of successful phishing attempts.
The primary tactic involves enticing victims to open a signed RDP configuration file that establishes a connection to a server the hackers controlled. This file contains sensitive settings that, once activated, could expose critical information. Microsoft’s Threat Intelligence team noted, “The use of a signed RDP configuration file to gain access to the targets’ devices represents a novel access vector for this actor.” This highlights the evolving methods employed by Cozy Bear to infiltrate systems.
Once a target’s system is compromised, it connects bidirectionally to the attacker’s server, mapping local device resources—including hard disks, clipboard contents, printers, and other peripheral devices. This level of access allows attackers to install additional malware in order to ensure they maintain control even after the initial RDP session is closed.
Cozy Bear, also known as APT29 or Midnight Blizzard, is a notorious threat actor attributed to Russia’s Foreign Intelligence Service (SVR). This group typically focuses on intelligence collection, targeting government agencies, diplomatic entities, NGOs, and IT service providers, particularly in the United States and Europe. The ongoing campaign appears aimed at gathering intelligence.
In response to this campaign, Microsoft recommends implementing robust security measures, including firewalls, multi-factor authentication, and enhanced endpoint security protocols, to mitigate the risks posed by these advanced threats. The need for vigilance is clear, as Cozy Bear continues to adapt and evolve its tactics.
