
CISA Warns of Ongoing Spear Phishing Campaign Using RDP Attachments

A foreign threat actor tracked by Microsoft as Midnight Blizzard (aka APT29, Cozy Bear) is conducting a spear phishing campaign against organizations in multiple sectors, including government, defense, academia, non-governmental organizations (NGOs), and information technology.

Midnight Blizzard is a suspected Russian state-sponsored hacking group that conducts attacks in support of Russia’s Foreign Intelligence Service (SVR). The group is known to use diverse tactics in its espionage operations including bespoke malware and publicly available tools such as Mimikatz and Cobalt Strike.

Its current campaign, which has been active since at least October 22, 2024, has involved thousands of spear phishing emails sent to individuals at more than 100 organizations worldwide. The emails impersonate trusted entities, including Microsoft and Amazon Web Services (AWS), and carry a signed Remote Desktop Protocol (RDP) configuration file as an attachment. When the recipient opens the file, it initiates an outbound RDP connection to a server under Midnight Blizzard’s control.

According to Microsoft, the RDP file is configured so that, once the connection is established, the victim’s local resources are mapped through to the attacker’s server, including “logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards.” With that access the threat actor can read and write the victim’s local drives and mapped network shares, for example to install malware that maintains access after the RDP session is closed.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about the campaign after receiving multiple reports of the spear phishing emails and has recommended several mitigations: restrict outbound RDP connections to external networks; block the transmission of RDP files through email clients and webmail services; prevent users from opening or executing RDP files; deploy endpoint detection and response software; provide security awareness training to the workforce; and enable multifactor authentication (MFA) on remote access. Phishing-resistant MFA is preferred, since SMS-based MFA can be defeated by phishing and SIM-jacking (SIM swapping) attacks.
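As an added example (not code from the article, CISA or Microsoft), the following Python script performs the kind of static check a mail gateway or endpoint control could apply to an .rdp attachment before a user opens it, covering both the mechanism described above (an outbound connection to an attacker host with local resources redirected into the session) and the "block RDP files" mitigation. It parses the file, reports whether `full address` points outside the organization, and lists which local-resource redirections the file turns on. The setting names are the documented .rdp keys; the sample file contents, host names and trusted DNS suffix are constructed for this example, and the script does not validate the file's signature.

```python
"""Static triage of Remote Desktop (.rdp) configuration files.

Added example, not from the article or from CISA/Microsoft. Flags .rdp files that
point at a host outside the organization and that redirect local resources
(drives, clipboard, printers, smart cards, ...) into the session. Key names are
the documented .rdp settings; file contents and host names below are constructed.
"""
import ipaddress
import re
from typing import Dict, Iterable, Tuple, Union

# .rdp files are "name:type:value" lines; type is s (string), i (integer) or b (binary).
RDP_LINE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# Settings that redirect the victim's local resources to the remote host.
# For 's' keys a non-empty value enables the redirection; for 'i' keys the value 1 does.
REDIRECTION_SETTINGS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug-and-play devices",
    "camerastoredirect": "cameras",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "serial (COM) ports",
    "redirectwebauthn": "WebAuthn/FIDO authenticators",
    "audiocapturemode": "microphone",
}


def decode_rdp(data: Union[bytes, str]) -> str:
    """mstsc saves .rdp files as UTF-16 with a BOM; also accept UTF-8 bytes or str."""
    if isinstance(data, str):
        return data
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Map lower-cased setting name -> (type, value); later duplicates overwrite earlier ones."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        m = RDP_LINE.match(raw.strip())
        if m:
            settings[m["key"].strip().lower()] = (m["type"], m["value"].strip())
    return settings


def host_of(full_address: str) -> str:
    """Strip an optional :port from 'full address' (IPv6 literals are bracketed)."""
    addr = full_address.strip()
    if addr.startswith("[") and "]" in addr:
        return addr[1:addr.index("]")].lower()
    if addr.count(":") == 1:
        addr = addr.split(":", 1)[0]
    return addr.lower()


def is_internal_host(host: str, trusted_suffixes: Iterable[str]) -> bool:
    """True for a private IP literal or a name under one of the organization's DNS suffixes."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return any(host == s.lstrip(".") or host.endswith(s) for s in trusted_suffixes)


def triage_rdp(data: Union[bytes, str], trusted_suffixes: Iterable[str] = ()) -> dict:
    """Return the target, enabled redirections, and a verdict usable in a gateway or EDR rule."""
    suffixes = tuple(trusted_suffixes)
    settings = parse_rdp(decode_rdp(data))
    target = settings.get("full address", ("s", ""))[1]
    external = bool(target) and not is_internal_host(host_of(target), suffixes)
    redirections = []
    for key in REDIRECTION_SETTINGS:
        typ, value = settings.get(key, ("i", "0"))
        if (value != "") if typ == "s" else (value == "1"):
            redirections.append(key)
    # 'signature'/'signscope' mean the file is signed. A signature says nothing about
    # where the connection goes, and this script does not verify it.
    signed = "signature" in settings
    if external or not target:
        verdict = "block"      # unknown or external destination: never open from mail
    elif redirections:
        verdict = "review"     # internal host, but local resources would be exposed
    else:
        verdict = "allow"
    return {"target": target, "external_target": external,
            "redirections": redirections, "signed": signed, "verdict": verdict}


# Constructed sample in the shape of the attachment the article describes, with an
# invented attacker host name and placeholder signature, saved as UTF-16 with BOM.
MALICIOUS_RDP = """full address:s:rdp-support.example.net:3389
drivestoredirect:s:*
devicestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
redirectwebauthn:i:1
audiocapturemode:i:1
remoteapplicationmode:i:0
signscope:s:Full Address,Drive Store Direct,Device Store Direct,Redirect Clipboard
signature:s:constructed-placeholder-not-a-real-signature
""".encode("utf-16")

# Constructed benign sample: an internal terminal server with redirection switched off.
BENIGN_RDP = """full address:s:ts01.corp.example.internal
redirectclipboard:i:0
drivestoredirect:s:
redirectsmartcards:i:0
"""

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(label, triage_rdp(blob, trusted_suffixes=(".corp.example.internal",)))
```

Run as-is it triages the two constructed samples; in production the bytes would come from the attachment and `trusted_suffixes` from the organization's own DNS suffixes. A signed file should not relax the verdict: the signature only tells you the file was not altered since signing, not that the destination is yours.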

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
