APT 29 (Midnight Blizzard) RDP Exploit Explained
Author: Vectra AI
Uploaded: 2025-12-08
Views: 254
In this Threat Briefing, we break down the recent, sophisticated campaign by the Russian threat actor APT29 (also known as Midnight Blizzard) that used Remote Desktop Protocol (RDP) connection files (.rdp) for initial access. No software vulnerability was exploited: the campaign abused legitimate RDP client features that the file itself turns on.
Join our Red Teamer, Mickey De Baets, as he explains, with a live demo, how APT29 abused plain RDP connection files, digitally signed with Let's Encrypt certificates, to target over 100 organizations across the military, government, and academia.
Key topics covered in this video:
What is RDP? A quick explanation of the Remote Desktop Protocol and why it is a common target for attackers.
The Attack Vector: How the campaign used targeted spear-phishing emails impersonating Microsoft and AWS to trick users into opening a malicious RDP file, which makes the victim's own RDP client connect outbound to an attacker-controlled server.
Zero Trust Abuse: The phishing pretext invoked Zero Trust and AI themes (referencing Amazon Q Business) so the request looked like a routine security or integration task and raised less suspicion.
File System Sharing: The preconfigured RDP file enabled drive redirection, mapping the victim's local drives into the session. Because the session terminates on the attacker's RDP server, that server gets read and write access to the user's file system, enough to steal data and drop malware.
Man-in-the-Middle: We discuss the use of the open-source PyRDP tool to monitor the clipboard, crawl redirected file systems, and intercept credentials (credential sync), so the attack does not depend on users manually entering passwords.
Persistence Techniques: An analysis of post-exploitation persistence methods, including dropping shortcut (.lnk) files, abusing the Startup folder, DLL side-loading, and AppDomain injection.
Detection & Prevention Strategies: Learn practical steps you can take today to protect your organization from this type of attack.
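The settings described in the File System Sharing and Detection &amp; Prevention topics above are ordinary key:type:value lines in the .rdp file, so a gateway or endpoint can triage an attachment statically before the user ever opens it. The following is an added example written for this page, not code from Vectra AI, Microsoft, or the PyRDP project. The setting names (full address, drivestoredirect, redirectclipboard, remoteapplicationmode, signature, and so on) are the real keys honored by mstsc.exe; the two sample files and the hostnames in them are constructed for illustration and are not artifacts from the campaign.

```python
"""
Static triage of .rdp connection files for the settings this campaign abused:
drive and device redirection, clipboard sharing, RemoteApp mode, a publisher
signature, and a connection target outside the organization.

Added example, not Vectra AI's, Microsoft's or PyRDP's code. The sample file
contents are constructed for illustration; the setting names are the real
.rdp keys honored by mstsc.exe.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Integer 0/1 switches that expose a local resource to the remote server.
REDIRECT_SWITCHES = {
    "redirectclipboard": "clipboard shared with the server",
    "redirectprinters": "printers redirected",
    "redirectcomports": "COM ports redirected",
    "redirectsmartcards": "smart cards redirected to the server",
    "redirectposdevices": "POS devices redirected",
    "redirectwebauthn": "WebAuthn/FIDO authenticators redirected",
}

LINE_RE = re.compile(r"^([^:]+):([sib]):(.*)$")  # key:type:value


@dataclass
class Finding:
    key: str
    value: str
    reason: str


@dataclass
class Triage:
    target: Optional[str]
    signed: bool
    findings: List[Finding] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.findings)


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'key:type:value' lines into {lower-case key: value}; skip junk lines."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("\ufeff"))
        if m:
            key, _type, value = m.groups()
            settings[key.strip().lower()] = value.strip()
    return settings


def load_rdp(path: str) -> str:
    """mstsc saves .rdp files as UTF-16 LE with a BOM; hand-written lures are often UTF-8."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def triage_rdp(text: str, allowed_hosts: Optional[Set[str]] = None) -> Triage:
    """Flag settings that hand the remote server access to local resources."""
    s = parse_rdp(text)
    target = s.get("full address")
    t = Triage(target=target, signed="signature" in s)

    # Any non-empty drivestoredirect value maps at least one local drive into
    # the session; "*" maps every drive, removable media included.
    if s.get("drivestoredirect", ""):
        t.findings.append(Finding("drivestoredirect", s["drivestoredirect"],
                                  "local drives mapped into the session (read/write)"))
    if s.get("devicestoredirect", ""):
        t.findings.append(Finding("devicestoredirect", s["devicestoredirect"],
                                  "PnP devices redirected"))
    for key, reason in REDIRECT_SWITCHES.items():
        if s.get(key) == "1":
            t.findings.append(Finding(key, "1", reason))

    # RemoteApp mode shows a single seamless window instead of a full desktop,
    # so the victim sees a harmless-looking "app" rather than a remote session.
    if s.get("remoteapplicationmode") == "1":
        t.findings.append(Finding("remoteapplicationmode", "1",
                                  "RemoteApp mode hides the remote desktop: "
                                  + s.get("remoteapplicationname", "<unnamed>")))

    # Connection target outside the organization's known terminal servers.
    # Strip a trailing :port (IPv6 literals are not handled here).
    if target and allowed_hosts is not None:
        host = target.rsplit(":", 1)[0] if re.search(r":\d+$", target) else target
        if host.lower() not in {h.lower() for h in allowed_hosts}:
            t.findings.append(Finding("full address", target,
                                      "connects to a host outside the allowlist"))
    return t


# Constructed sample in the shape of the campaign's lure files: all drives,
# clipboard and authenticators redirected, RemoteApp mode, publisher signature.
SAMPLE_LURE = """\
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
redirectposdevices:i:1
redirectwebauthn:i:1
remoteapplicationmode:i:1
remoteapplicationname:s:Secure Storage Connection Test
remoteapplicationprogram:s:||test
signscope:s:Full Address,Remote Application Mode,Drive Store Redirect
signature:s:AQABAAEAAAD...constructed...
"""

# Constructed benign file for an internal terminal server with redirection off.
SAMPLE_INTERNAL = """\
full address:s:ts01.corp.example
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
remoteapplicationmode:i:0
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("internal", SAMPLE_INTERNAL)):
        r = triage_rdp(sample, allowed_hosts={"ts01.corp.example"})
        print(f"[{name}] target={r.target} signed={r.signed} risky={r.risky}")
        for f in r.findings:
            print(f"    {f.key}={f.value!r}: {f.reason}")
```

Two points for anyone operationalizing this: the signature fields are deliberately not treated as a trust signal, because the campaign's files were signed and still did everything above; and the triage is only useful in front of the user, so run it on .rdp attachments at the mail gateway (or block the extension there outright) and on .rdp files written under user profiles, rather than after mstsc has already connected outbound.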
-- About Vectra AI --
Vectra AI, Inc. is the cybersecurity AI company that protects modern networks from modern attacks. When modern cyber attackers bypass existing controls, evade detection and gain access to customers’ data center, campus, remote work, identity, cloud, and IoT/OT environments, the Vectra AI Platform sees their every move, connects the dots in real-time, and stops them from becoming breaches. With 35 patents in AI security and the most vendor references in MITRE D3FEND, organizations worldwide rely on Vectra AI to see and stop attacks their other tools can’t. For more information, visit www.vectra.ai.