
[applause] Thank you. So for today we will dive a bit into how Midnight Blizzard, also known as APT29 or Cozy Bear, has been using Remote Desktop as a way to get into other companies and into government organizations. Before we start, I first want to elaborate a bit more on why I chose this topic. Coming from an offensive security background, I really enjoy, probably like many of you here, reading up on a variety of TTPs used by APTs. When I was researching this particular topic, at the same time there was this really nice in-depth investigation of an attack by the NSA. I don't know if anyone has seen it. It was on the Chinese polytechnical university, and the attack went as follows. From what I can remember, it was a long time ago, but basically they started by hacking the edge routers of the university and then deployed custom firmware to have a man-in-the-middle position, to then inspect the traffic and redirect all web traffic to a custom zero-day browser exploitation framework, so they could serve the right users with the right browser zero-day. Now, when I'm reading this, I'm like, "Okay, super interesting, but this is not something I can just set up for my next red team." So that was a bummer. But then you read articles about how APT29 is using just a stupid simple RDP file to get initial access without having any issues like being blocked on the mail gateway or getting flagged as malware or anything like this. So it's very simple yet highly effective, which for me was something like, aha, I can use this, and that's why I chose this topic: it was just a super interesting technique being used by these adversaries.
So for the agenda, first I want to dive a bit into who am I, a bit of my background, but not too much. Then we'll immediately go into the threat profile: who is APT29, but also what defines an APT. Then we'll talk a bit about how the timeline of the whole engagement went. Which preparations did they do? How did they set up the environment? And then what are the options for weaponizing RDP? I'll end this session with a quick demonstration and some advisory on how to detect, prevent and hunt for this particular attack. So who am I? My name is Mickey Debbatz. I'm currently the lead offensive security engineer at Verra, the NDR company. I'm also a Hack The Box ambassador for Belgium. I teach at a Belgian college and I'm also the founder of BOPS, a red team specialized company in Belgium.
So the threat profile. I've been telling you Midnight Blizzard, APT29, all a bit the same thing, but before we define who Midnight Blizzard is and why they do what they do, we have to start with what an APT is. It stands for advanced persistent threat. Why advanced? It's because usually they have a full spectrum of intelligence gathering that they can rely on; usually this comes hand in hand with being a state-sponsored group. So it's not per se that the APT is also state sponsored, but we do see a lot of APTs that are state sponsored. So you do have the full capacity of your country's intelligence operations behind you to operate and to do your engagements, which normally as a red teamer you don't really have. So that's already quite a difference. They're persistent. Think about it: maybe if you ever got, or somebody tried to scam you, they call you up. They will just try to have you download AnyDesk or TeamViewer or to just do a quick task, and the moment you struggle, they will just hang up and go on with the next one, but they won't actually put effort into you. You're not special. Unfortunately, these APTs, they are persistent. They have a target and they will do everything they can to obtain their targets and to do the actions on objectives to make sure that they have what they want. Sometimes these operations last for years and they don't really care if they have to wait two years to actually get what they want.
That's okay for them. Why are they a threat? Well, if you have the capabilities and you have the intent, then you become quite dangerous. Usually, they also have the funds to have these super long operations and to do this full-time. So, working full-time on very niche targets. Some very well-known examples are APT44, also known as Sandworm. It's a Russian APT. They're part of the military intelligence service there. They are known, for example, for a lot of wiper malware. So I think it was in 2018 that they deployed some wiper malware, and this is what kind of made them very known. Also Lazarus, allegedly North Korean, known for the very, yeah, expensive crypto heists. I think the biggest one in history, of 1.5 billion US dollars, of which I think 20% or 25% they were already successful in laundering. And also a funny one, the NSA, the Equation Group; it's also an APT actually. One of their more recent campaigns allegedly was the one on the National Time Service Center in China. I don't know if anyone has read about the attack, also a super interesting one, where they basically found an exploit in the SMS service of a foreign phone brand, and they used this to basically spy on some managers or some high-level profiles within this time service center organization, and eventually they were caught, but it was an operation starting in 2022 and went on until somewhere late 2023. Now, why would you attack a time service center? There's a lot of reasons. There's a lot of critical infrastructure relying on being in sync. If you ever had to debug your Kerberos errors because you weren't in sync with a domain controller, you know the pain. So, imagine this on a national scale. So there's a variety of APTs, and why they do what they do really varies per group. This is not the APT I'm talking about. When I told them at home, yeah, APTs, they're like, since when are you into K-pop? But that's not what we're going to talk about today.
So, when we look at APT29, Cozy Bear, it's basically been attributed to the Russian foreign intelligence. How do we know this? I'll get back to that in a second, but they mainly target NATO countries, and it really varies which kind of target they have. It could be some organization that's related to a university. It could be a think tank. Could be an NGO. It could be basically anything. Their main goal is to obtain information and to obtain intelligence that could help Russia with anything, economically, in geopolitics, on any level. If they can even get some patents from which they can have an edge in a certain branch of business, they will also go for it. So any organization that's linked to something from where they can gather intelligence and help benefit Russia, that's their goal. Now which TTPs do they use? A lot of supply chain compromise. I mean a lot. We saw a very big one. We'll get to that in a second. Some PowerShell, phishing. They're big fans of phishing. And more and more cloud as well. Now from where would you maybe know APT29, Cozy Bear? It started back in 2014 where they attacked several US government institutions. The White House was part of this, also the Democratic Party, and actually around the same time the Dutch intelligence, they were working together with the US intelligence, and the Dutch intelligence may or may not have, so allegedly, hacked one of the cameras in the main corridor of the office of APT29. So if you have vision on the corridor, you also know who's walking in and out. And they were sharing this information with the US, and pretty quickly identified that this was part of Russia's foreign intelligence. After that they did some more attacks: they hacked Denmark's national bank, they targeted some COVID-19 vaccine development centers. SolarWinds, small company, not a big deal, maybe rings a bell. Still one of the biggest supply chain attacks in history. This is how I imagine SolarWinds feels whenever you mention them, because I feel like the only thing that they're still known for is being the biggest supply chain attack in history. Microsoft in 2024. Very interesting case, because they weren't after Microsoft's data or even after Microsoft's user data. They basically hacked Microsoft to just see, hey, what do you guys know about us? They were explicitly searching for stuff that Microsoft's threat intelligence team had on Cozy Bear. So, a very interesting attack. Maybe a bit too much effort, I don't know. And even a bit after that, they also hacked TeamViewer. TeamViewer came out with a statement, this was somewhere late 2024, where they did admit that they were being hacked by APT29. However, they did mention that it was not the production environment but more the corporate environment, so that another SolarWinds was basically out of the question.
Then the CERT-UA case number 11690. What happened? So on October 22 in 2024, the Microsoft threat intelligence team saw that there was a massive phishing campaign going on, and they quickly attributed this to Midnight Blizzard or Cozy Bear, and it was a high-volume spear phishing campaign. They were seen sending over 1,000 phishing emails to people in over 100 organizations: governments, academia, think tanks, NGOs, but even private sector companies. They first had to prepare this whole attack. So they were registering domains, setting up their infrastructure, and just getting ready a couple of months before they actually launched this attack. The phishing itself, it was a quite nicely crafted phishing campaign. They were relying on being Microsoft or pretending to be AWS and really using the zero trust hype, saying like, hey, in order to comply with zero trust and to have a zero trust environment, you just have to do this quick step, you have to connect to this RDP server and that's it. We'll dive a bit more into their lure in a second. Then the RDP files. So these phishing mails, they had one attachment: RDP files. And why is this brilliant? Basically, if you look at the most modern mail gateways that are used, they do not block RDP files. They still don't. You can now look up Microsoft, look up which attachments are blocked by default; you won't find RDP in there. And then they were using this RDP connection to basically mount the file system of the user. And once you have access to the file system, there's a lot you can do. We'll see that later in the presentation. But one of the things you can do is deploy malware. So no fancy zero-day technique, just a stupid RDP file mapping your file system and some scheduled task.
Trend Micro also did a lot of investigation on this whole attack, and they identified the pattern that was used to register domains. So here we can see, starting from the beginning of August up until the 20th of October. So a bit late if you want to start phishing on the 22nd, but we don't judge. And you can see that they were relatively prepared. So starting from August they were averaging 10 domains a day, and even back in September it was 13 domains a day that they were registering. These domains, they were located in Australia, Ukraine, Estonia. Again, in this list what you will find is a lot of NATO member countries, which completely fits with the methodology of how APT29 operates. If you look at the domain names that they registered, what kind of impersonation they were trying to do, maybe try to identify the targets again: NGOs and think tanks, military, IT, but even telecom and some private sector as well. So again, perfectly fitting in the whole approach of APT29. I'll give you guys a second to read the phishing email. No, I have a translation as well. Basically, what it comes down to is that this is only one of the campaigns that they used, but they were pretending to be Microsoft and AWS, saying like, "Hey, this zero trust thing, we really need to get this configured ASAP. So, we have attached your zero trust configuration profile checker. Just double-click, connect, and it will do everything for you." That's what it boils down to. A very interesting thing with this phishing campaign is that they have used AI, but they have used AI in a very special way. Basically, they end the phishing email with saying, "By the way, if you have any concerns, if something is not working, if something's weird, we're monitoring this with Amazon Q Business." This is an official AI product that Amazon offers, but basically they're telling the user, if anything goes wrong, don't tell anybody. The AI will fix it. Like, we will know because of AI. So it's a very interesting use of AI. I feel like a lot of users, they're warming up to AI. They're using it in a variety of products. So they are starting to know that AI can handle certain tasks. So to see it being used in a way like this, where you're telling the user, hey, don't worry if something goes wrong, don't reach out to anyone, AI will fix it and we will know it, actually is not that bad of an idea.
The RDP file itself. So we have a lot going on, even if it's a single file. So you will download a file, you can see it here, and it will just look like a regular RDP file. They were using remote applications. So when you would double-click, you wouldn't get the whole virtual session, but you will just get a single application that is running on a remote server, but you as a user would not know. If you look at the warning we get when connecting, you could see that your drives, your clipboard, basically everything that can be mounted to the remote server will be mounted. Would the user see this? Probably not. Why? Because as you can see here, this is something you have to explicitly show. So, if you do not click on "show details", you would never know that all of this is being shared with the remote desktop server. I'm a bit in the way, but as you can see here on the left side, they were for example impersonating the Ukrainian government. So, they had registered the domain uv.cloud. And on the other side, you can see that they had a valid certificate. So these RDP files, they were being signed with a Let's Encrypt certificate to have a bit more reputation.
So what are the different ways we can weaponize RDP? Well, the most popular one right now is PyRDP. What is PyRDP? PyRDP is basically an open source tool that will give you a man-in-the-middle position with an RDP server. So the way it works is, normally with a regular RDP setup, you would have a client and an RDP server. You connect and you can then send mouse movements, you can send commands, and you have a whole virtual interface in which you can control basically the remote server. What PyRDP does: it's a Python tool that you can run on a Linux server or on a Linux machine. You can place it in the middle. It will listen to anything coming from the client and forward this to the remote server. Now what is the beauty of PyRDP? It offers certain capabilities. It offers clipboard monitoring. You can crawl the file system. You can even see what the user has been doing. You can record the whole session and replay it afterwards. And you can even do certificate cloning. And the most important one actually: credential sync. So if you have been wondering, okay, nice attack, you make the user connect with an RDP server, but how do you get the right credentials to the user? Because when I want to remote desktop to any server or any host, you have to enter valid credentials. And this is the most powerful feature that PyRDP offers: it doesn't matter what kind of credentials you enter. Normally with modern RDP setups you only have to enter credentials because we have NLA enforced. So if you disable this feature, it will try, as with anything in Windows, to authenticate on its own, and if we can just allow anything, then immediately, without prompting for credentials, you are connected to this remote desktop server. And that's the beauty of it all. You don't need to get valid credentials to the users. The user can just double-click, enjoy, and they're connected.
The way they had this infrastructure set up, also mapped out pretty nicely by Trend Micro, is they would use an abundance of anonymization. So Tor, VPN, proxy servers to connect with the 34 RDP backend servers that they had. So I've already been telling you these were thousands of emails that they were sending to people in over 100 organizations. So you need to have quite the infrastructure. So they were using 34 RDP backend servers and they had 193 proxy servers. I think the amount of domains they had registered was about 200. So they were pretty well prepared. So in this case, to go back to the previous image, that would mean on the RDP server edge you had 34 servers available and 193 different proxy servers to relay everything you're doing. Okay. So what, you can RDP, that's fine, right? Well, it depends. If you share your file system, what are the opportunities you have as an attacker? First of all the clipboard. It's nice.
Maybe they have their password already copied, because they were expecting to enter it; this can be interesting. The file crawling, super interesting. You might find some interesting credential material on the hosts. But the file system mapping is the most important one for this whole attack, because once you have the file system mapped, what can you do? You can deploy a link file on the victim's desktop. That could be nice. It's not very intrusive. It's not that wow. It's a link file. You can also mess with the icon. There's a lot of things you can do to make it more appealing to the user.
It's very easy to do, and it blends in. It depends. I'm a bit of a freak when it comes to my desktop. Nothing touches my desktop. But I've seen some other desktops where for sure you would not see this link file. You can then create a shortcut to activate the link file. The only disadvantage here is mainly that this is not active until you reboot the machine. So, you do have a delayed execution, which can be worth it; you just have to wait a bit longer. And you do need the user to actually use the shortcut to activate the link file, or you have to hope they manually double-click the link file, but this could be a bit trickier. So otherwise you would have to wait until they actually use the shortcut.
The startup folder, very interesting as well. So you would just copy something from your RDP server to the file system that was mounted, to the startup folder of any user. It's very easy to just create a PowerShell script that will go over all the user folders and try to put something in every user's startup folder. It's reliable. You have a very reliable execution. Next startup you will immediately get a connection. You don't need any interaction. You're not waiting for the user to do anything except for, yeah, rebooting. But normally eventually they will do this. The problem with this is that a lot of EDRs these days do easily flag something coming up in your startup folder. So that might be an issue.
We have sideloading. Also very interesting: you place a DLL in a location where you know a program will use it, and then you just have to wait for the user to use the application. The application will load the DLL. Your payload is being executed, very stealthy, bypasses certain constraints such as application whitelisting if they have AppLocker or WDAC configured. Very nice to have sideloading in this case. The problem is, let's say you go for the sideloading approach. I can tell you there's no such thing that's more frustrating than when you have your Teams sideload payloads ready to use, and then you're on the host system and you find out that they're using WebEx. That's terrible. So, you do need to have certainty that they're using the application that you want to target for your sideloading. AppDomain injection, also a nice one. Very stealthy, also bypasses application whitelisting. This is basically the sideloading version that you have in .NET applications. It's a bit more complex, and again you want to target something that you know for sure they will have on their system. Some honorable mentions. So data exfiltration: again, this file crawling that's running in the background is super interesting, because you will get a lot of configuration files that might have passwords. Maybe the user has a passwords.xlsx on his desktop. There might be very valuable information coming from your data exfiltration. And there were in the past also some RCE techniques coming from remote desktop.
Now the whole thing that we've been mentioning, maybe you're like, hey, this sounds familiar. Well, it was published a while ago by Black Hills Information Security. They did a very nice write-up on how it works, their process in going through the setup, and why they wanted to use RDP for initial access. So then you're thinking, maybe, yeah, but you said an APT, they should be advanced. Well, sometimes it's the simple things that work. A very interesting thing, if you look at the whole RDP being used first by Black Hills Information Security and then by an APT: a lot of APTs are also actively monitoring what's going on in the red team and pentesting space, and they might even use techniques from what they see in blog posts, from trainings and these kinds of things. It works both ways: as a red team you're also going to steal some techniques that an APT uses, and they do the same. So that doesn't make a difference. It seems like fair play. I feel like the whole thing that you should wonder or ask yourself, because this is a whole debate, right: do we need to keep publishing write-ups on these kinds of things? Because, for example, let's say Black Hills Information Security wouldn't have published their blog post on RDP being used for initial access; maybe they wouldn't have used this. Maybe APT29 would have never figured out how to use RDP for mounting the file system and then deploying malware. But I mean, I'm not here to fire up this whole infosec debate that's been going on for years. But if this is something that bothers you, that you're looking at and then you're thinking, damn red teamers, why do they have to share all this tradecraft: would you rather that you know how this works and you know how you can defend against it, or would you rather that you don't even know that something like this exists, an RDP man-in-the-middle kind of attack? I feel like the latter is much worse if you think about it. [snorts] So yeah, I have a demo. I have it both on video and live. So we pray to the live demo gods.
If that doesn't work, I'll have to fall back to the video.
So it should be nice.
So on the right side I will have my PyRDP man-in-the-middle listening. And here on the left side I have my victim machine. So I have this RDP profile that I sent to my client. It's not signed. I'm too poor to afford the code signing certificates. So I don't have the funds that an APT has, unfortunately. But you can see that I also have some files in my Downloads folder. And I have a clean startup folder as well. So normally I don't have anything to worry about, and then it's as simple as just opening this profile. Now you do get this banner: are you sure you want to establish this remote connection? The thing is, this is not an abnormal banner. You don't get this from mark of the web or anything else. Even if, let's say, you would connect to an internal host for the first time, you could get a banner like this. So this doesn't necessarily say anything. You could go for the show details like I mentioned, but no user is going to do that. Why would you want to show things that you don't understand anyway? So you just press connect. Now a lot of stuff is happening here. In this case I placed a small distraction. So of course we want to know if your AWS storage is correctly configured. So please do wait until it has done all of its checks, and you can see on the right side that the whole file system is being crawled and downloaded to the RDP server. Now let's say I was a prepared user. I know a bit how it works, how to remote desktop to another machine. So I knew that I might have had to get my password ready. So I copy it to my clipboard. And you could see here the clipboard is also being monitored, and the attacker would also have my password. So at this point, I'm not sure why I'm doing this. I will close this because I've been doing it for way too long. 40%. So this stops. And if we would check the file system, you can see on the evil RDP server we have the whole file system. A lot of anti-ransomware from Elastic. It doesn't have everything now because I aborted it a bit quickly. But you can see it doesn't take long for the malware to appear in my startup folder. So that's how easy it is. Even if I wouldn't have waited until 40%, the moment you connect, you can easily configure a scheduled task that runs when you log in. And when you log in, it's just as easy as copy this file to this directory. You have your file system mapped. So you just parse all users to their startup folder and see if you can write something to their startup folder. That's how easy it is.
So of course you don't want this to happen to you. Now, the odds of you being targeted tomorrow by APT29 are quite low. I wouldn't say unlikely, but quite low. So, don't lose any sleep over this. But what you can do: you can block RDP files on your mail gateway. Just a simple thing to do. Normally you don't expect your users to be receiving RDP files in their inbox. You can also, for users that usually don't come into contact with a remote desktop server, just block RDP files for them. Even better, you can use the Windows host firewall to not allow mstsc, so the RDP process, to make any connections to the internet. Maybe you are using RDP, but usually you're only RDPing to other servers in your network. So you can just say this process shouldn't make contact with the internet. Even better is to use GPO to your advantage and don't allow users to share things like their clipboard, their file system, with remote desktop servers. And of course, if they steal credentials, I mean, you should have MFA in place. Even conditional access policies. Also a nice query to hunt. If you're really going to lose sleep over this, then you can have a bit of peace of mind to know that you didn't get any mails with RDP attachments from a Russian military intelligence group. And even if you see something from this query, maybe it was just... it could have actually been it.
Now detect. This is also something interesting to investigate. So there are a few things that you can actually do to detect this when it's going on. First of all, if you work at an NDR company, the first thing you're going to do is just launch the attack against your NDR product. And one of the early signs was smash-and-grab detection. I don't know if there's any better name for it, but the fact that you're connecting to a site that you've never seen before and suddenly you're uploading more data than you're receiving could be quite a suspicious behavioral thing. So you can see here: data normally sent, nothing, and suddenly I'm sending 207 megabytes. It's not in this screenshot, but I think the data downloaded was even like 25% of the data sent, so that's already something quite suspicious.
Another interesting avenue is JA3 and JA4. Who knows what JA3 and JA4 are? Some enthusiasts. So whenever you set up a connection, you will probably use an encrypted channel. Even RDP: when you connect with RDP, this is done over an encrypted channel using TLS. Now what are JA3 and JA4? You basically can fingerprint every TLS connection. So me as a user, I will have a specific set of ciphers that I use and some other actions that I do when I connect over TLS, but the server will do the same, and this match of your behavior, which ciphers you accept and which ciphers you offer, can be fingerprinted. JA4 goes a bit more in depth, but basically this SSL fingerprinting is a technique that's being used more and more to identify some services. It might be a bit small, but of course when I connect to a legitimate Windows server, the TLS stack will be different compared to that of the Python SSL library. So just purely from this you can already check and see that something weird is going on. So on the left side here I have my connection to PyRDP and on the right side I have my connection to the actual RDP server, and you can see, yeah, maybe you cannot see, but you will have to find out later in the slides that these hashes of the fingerprints are different.
And another very interesting one. I actually wasn't really aware of this in the past, but if you perform some decryption, you can actually find out that in the packets that you send to the RDP server is also your keyboard layout. And this is something that's very tricky to get right. So let's say you're a Russian APT and you want to send something to, we saw the targets, Australia, Ukraine, like every NATO member country; you cannot set up an infrastructure that mimics every keyboard layout. And maybe you even just don't think about this and you will leave your keyboard layout, I don't know what the standard Russian keyboard is, but the default one. What you can see, if you perform some decryption, it's the field highlighted in blue: you can find in your decrypted RDP packets the code that maps to a certain keyboard layout. So let's say that one of your users is connecting to a server and suddenly, instead of using the normal Belgian keyboard layout, they're using some Cyrillic alphabet keyboard layout. That might be a strong indicator that something is wrong.
That's all. I hope it was interesting. I have also the QR code. Before I end this talk, I really want to give a shout-out to the CERT, the Ukrainian CERT. This was only one attack that they encountered. Like a few weeks ago there was a conference dedicated to nation statecraft where everything was TLP red, so I cannot talk too much about it, but they have been bombarded with one attack after the other, and only to just cover this attack and to see where have we been hit, did they deploy malware, I feel like that would be the normal SOC's nightmare already, and this is just one of many. So, big shout-out to those guys and also for the write-ups that they made on the attack, and yeah, I hope you guys enjoyed the talk. [applause]
>> Awesome. We have two minutes for questions. So, does anyone have any questions?
>> Yes. You were talking about that they had RDP files that were signed. You said it costs a lot of money. Is it not a Let's Encrypt type certificate?
>> It really depends. Like, you can get a code signing certificate for like €80. So it's not super expensive. Usually they won't play fair and pay for their code signing certificate, even, and they will use something that was leaked or they found during a previous hack. It's not super expensive, but it's just too expensive for a talk. That's what it comes down to.
>> One more question. No, we're good. Okay, perfect. Well, thank you so much and
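The following is an editor-added example, not part of the talk transcript and not the speaker's or PyRDP's code. It implements the defender-side check the talk's "prevent" and "hunt" advice implies: static triage of a `.rdp` attachment for the settings the speaker describes (RemoteApp mode, drive and clipboard redirection, weakened server authentication) before it ever reaches a user. The `.rdp` text format (one `name:type:value` line per setting, `i` for integers and `s` for strings) and the setting names used here are the documented mstsc settings; the two sample files and their hostnames are constructed for the example and are not indicators from the campaign.

```python
"""Static triage of .rdp attachments (added example; not from the talk)."""
from __future__ import annotations

# Settings that hand local resources to the remote host. For 'i' settings any
# value other than 0 means enabled; for 's' settings any non-empty value
# (e.g. "*" for all drives) does. An absent setting is the client default (off).
REDIRECTION_SETTINGS = {
    "drivestoredirect": "local drives mapped into the remote session",
    "redirectclipboard": "clipboard shared with the remote host",
    "devicestoredirect": "plug-and-play devices redirected",
    "usbdevicestoredirect": "USB devices redirected",
    "redirectprinters": "printers redirected",
    "redirectsmartcards": "smart cards redirected",
    "redirectcomports": "COM ports redirected",
    "redirectwebauthn": "WebAuthn/FIDO requests forwarded to the remote host",
    "remoteapplicationmode": "RemoteApp mode: one window instead of a full desktop",
}
SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def decode_rdp(data: bytes) -> str:
    """mstsc saves .rdp files as UTF-16 with a BOM; hand-written ones are usually UTF-8."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {name: (type, value)}. Values may contain ':' (host:port), so split at most twice."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank line or not name:type:value
        name, typ, value = (p.strip() for p in parts)
        settings[name.lower()] = (typ.lower(), value)
    return settings


def target_host(settings: dict[str, tuple[str, str]]) -> str:
    """Host the client will connect to, without an optional :port suffix."""
    _, value = settings.get("full address", ("s", ""))
    return value.partition(":")[0]


def triage(settings: dict[str, tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the settings that matter."""
    findings: list[tuple[str, str]] = []
    for name, description in REDIRECTION_SETTINGS.items():
        if name not in settings:
            continue
        typ, value = settings[name]
        enabled = value != "0" if typ == "i" else value != ""
        if enabled:
            findings.append(("high", f"{name}={value}: {description}"))
    # authentication level 0: connect even when server authentication fails,
    # so a cloned or self-signed certificate never produces a warning.
    if settings.get("authentication level", ("i", "2"))[1] == "0":
        findings.append(("medium", "authentication level=0: server identity failures ignored"))
    # enablecredsspsupport 0: CredSSP off, i.e. no Network Level Authentication.
    if settings.get("enablecredsspsupport", ("i", "1"))[1] == "0":
        findings.append(("medium", "enablecredsspsupport=0: NLA/CredSSP disabled client-side"))
    # A signature only says who signed; the talk's campaign files were signed too.
    if "signature" not in settings:
        findings.append(("low", "file is unsigned"))
    return findings


def verdict(findings: list[tuple[str, str]]) -> str:
    """Highest severity present, or "none"."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.get, default="none")


# Constructed lure modelled on the settings the talk describes (placeholder host).
LURE_RDP = """\
screen mode id:i:2
full address:s:zero-trust-check.example.com:3389
remoteapplicationmode:i:1
remoteapplicationname:s:Configuration Checker
remoteapplicationprogram:s:||ConfigChecker
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
authentication level:i:0
enablecredsspsupport:i:0
"""

# Constructed file for an internal jump host with redirection switched off.
INTERNAL_RDP = """\
full address:s:rdp01.corp.example
drivestoredirect:s:
redirectclipboard:i:0
authentication level:i:2
enablecredsspsupport:i:1
"""

if __name__ == "__main__":
    for label, text in (("lure", LURE_RDP), ("internal", INTERNAL_RDP)):
        s = parse_rdp(text)
        f = triage(s)
        print(f"[{label}] host={target_host(s)} verdict={verdict(f)}")
        for sev, msg in f:
            print(f"    {sev:6} {msg}")
```

Run it on a saved attachment with `triage(parse_rdp(decode_rdp(open(path, "rb").read())))`; a "high" verdict on a file whose target host is outside your own RDP estate is the combination the talk describes, and the `full address` value is what to feed into the mail-log hunt the speaker mentions.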