A “widespread cyber effort” that used legitimate remote monitoring and management (RMM) software as the delivery vehicle for a phishing scam affected at least two federal departments in the United States. According to U.S. cybersecurity officials, the criminals sent phishing emails that led victims to download the legitimate RMM tools ScreenConnect (now ConnectWise Control) and AnyDesk, which the actors then used to steal money from the victims’ bank accounts through a refund scam.
The advisory was released jointly by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The attacks, which took place in mid-June and mid-September 2022, were financially motivated, but the agencies warned that threat actors could also weaponize the unauthorized access for a range of other operations, including selling it to other hacking groups.
RMM Software Used For Malicious Activities
Criminal groups’ use of remote access software has long been a concern because it offers a quick and easy way to obtain local-user access to a host without needing to elevate privileges or use other methods to establish a foothold.
In one instance, the threat actors used a government employee’s email address to send a phishing email containing a phone number that led the recipient to a malicious website. According to CISA, the emails are part of help desk-themed social engineering attacks that threat actors have been running against federal employees since at least June 2022.
The subscription-themed emails either point to a “first-stage” malicious domain or use callback phishing, tricking recipients into dialing an actor-controlled phone number in order to be directed to the same domain. Whichever method is used, the malicious domain triggers the download of a binary that connects to a second-stage domain and retrieves the RMM software as portable executables.
The ultimate objective is to run a refund scam using the RMM software. The victims are instructed to log into their bank accounts, after which the actors alter the account summary to make it appear that the victim received an overpayment by accident.
As a final step, the scammers ask the recipients to refund the excess amount, stealing their money in the process.
CISA linked the activity to a “large trojan operation” that cybersecurity firm Silent Push had previously exposed in October 2022. Other actors, such as Luna Moth (also known as Silent Ransom), have adopted similar telephone-oriented attack delivery techniques.
The authorities cautioned that this campaign “highlights the vulnerability of criminal cyber activity connected with genuine RMM software.” Malicious cyber actors, including cybercriminals and nation-state-sponsored APTs, are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2) after breaching the target network through phishing or other means.
Measures To Mitigate The Risks
The agencies also provided a list of precautions that can reduce these risks and help keep networks safe from incoming attack attempts. Organizations should audit the remote access tools deployed on their networks and identify which RMM software is permitted, to guard against potential security breaches.
Blocking both inbound and outbound connections on common RMM ports and protocols is also advised, as is using application controls to prevent the execution of unauthorized RMM software. Authorized RMM software should only be used over approved remote access solutions such as VPN or VDI.
Organizations should also establish training programs and phishing exercises to raise staff awareness of the risks posed by phishing and spearphishing emails, further strengthening their security posture.
Finally, organizations should review the logs generated by RMM software execution in order to detect any abnormal use of programs that run as portable executables.
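As an added example (not from the advisory or this article), the following Python triage script applies the log-review recommendation above to constructed process-creation events: it flags the RMM clients named in the advisory when they are launched as portable executables from user-writable paths rather than from a sanctioned install directory. The executable names, the sanctioned directories and the Sysmon-style field names (Image, ParentImage, User, Computer) are assumptions that an organization would replace with its own approved-tool inventory and telemetry schema.

```python
import json
from pathlib import PureWindowsPath

# Client executable names for the two RMM products named in the advisory (assumed list).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.windowsclient.exe": "ScreenConnect / ConnectWise Control",
    "screenconnect.clientservice.exe": "ScreenConnect / ConnectWise Control",
}

# Where an installer-deployed, sanctioned copy is expected to live (assumed allowlist;
# the approved-tool audit recommended above decides what belongs here).
SANCTIONED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def classify_event(event):
    """Return a finding for an RMM client started outside a sanctioned directory, else None."""
    image = event.get("Image", "")
    product = RMM_BINARIES.get(PureWindowsPath(image).name.lower())
    if product is None:
        return None
    if image.lower().startswith(SANCTIONED_DIRS):
        return None  # installed copy: compare against the permitted-RMM inventory instead
    # A portable executable launched from a user-writable path is the pattern the advisory describes.
    return {"host": event.get("Computer"), "user": event.get("User"), "product": product,
            "image": image, "parent": event.get("ParentImage")}


def scan_process_logs(lines):
    """Parse JSON-lines process-creation events and collect the suspicious RMM launches."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the sweep
        finding = classify_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 1 conventions.
SAMPLE_LOG = r"""
{"Computer": "WS-0412", "User": "AGENCY\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Computer": "WS-0412", "User": "AGENCY\\jdoe", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.WindowsClient.exe", "ParentImage": "C:\\Users\\jdoe\\Downloads\\refund-helper.exe"}
{"Computer": "HELPDESK-01", "User": "AGENCY\\itadmin", "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Computer": "WS-0099", "User": "AGENCY\\asmith", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""
```

Running `scan_process_logs(SAMPLE_LOG.splitlines())` returns the two Downloads/Temp launches and ignores the installed AnyDesk copy; the parent process of each hit (here a downloaded binary) is what the analyst pivots on next.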
In the joint advisory released today, CISA, the NSA, and MS-ISAC expressed concern that hackers increasingly use legitimate remote monitoring and management (RMM) software for malicious ends. More concerning, after Silent Push published its report in mid-October 2022, CISA used the EINSTEIN intrusion detection system to identify malicious activity within the networks of multiple federal civilian executive branch (FCEB) agencies. This activity, first discovered on one FCEB network in mid-September 2022, was connected to the “widespread, financially driven phishing campaign” described by Silent Push and was subsequently found on “many other FCEB networks.”