Cybercriminals recently breached U.S. federal agencies using remote monitoring and management (RMM) software as part of a widespread campaign.
The malicious campaign began in June 2022 or earlier and was detected a few months later, according to an advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
In October 2022, CISA “identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.”
CISA noted that while the motive appeared to be financial, the hackers could resell access to cyber criminals or APT groups, who are “known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).”
A Widespread Campaign
CISA determined via its EINSTEIN intrusion detection system that in mid-June 2022, attackers sent a phishing email containing a phone number to a federal employee’s government email address. The employee called the phone number in the email and was told to visit a malicious website that led to downloads of legitimate RMM software.
In mid-September 2022, traffic was detected between a federal civilian executive branch (FCEB) network and that site.
“Based on further EINSTEIN analysis and incident response support, CISA identified related activity on many other FCEB networks,” the advisory states, noting that the activity is part of a widespread, financially motivated phishing campaign.
The phishing emails either link to a malicious site or direct the recipient to call a phone number to contact “customer care,” from which the attackers advise them to visit the malicious site. A visit to the site triggers a download of an executable, which then downloads the RMM software.
In the June 2022 attack, the attackers used their access through the RMM software to modify the victim’s bank account summary. “The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money,” the advisory states. “The actors then instructed the recipient to ‘refund’ this excess amount to the scam operator.”
Abuse of RMM Software
CISA said the campaign “highlights the threat of malicious cyber activity associated with legitimate RMM software.”
Mike Walters, vice president of vulnerability and threat research at Action1, said RMM vendors should be doing more to prevent abuse of their solutions. “The tricky part is that malicious activity of this type is not always obvious to a vendor,” he said. “But nevertheless, it is possible to detect hackers’ attempts to misuse the solution and terminate the activity before they accomplish their goals.”
“Indicators of threat actors using your tool can be someone setting up an account minutes after creating the associated admin email domain, or regularly deleting all endpoints in an account and replacing them with a completely new set of devices,” Walters added. “Another example of illegitimate activity is when someone deploys the RMM agent on, say, 100 endpoints in 100 different AD domains.”
Protecting Against RMM Abuse
Erfan Shadabi, cybersecurity expert at comforte AG, said companies need to build an organizational culture that values data privacy and encourages employees to slow down and consider the ramifications before they act on requests for sensitive information.
“If business leaders can get behind initiatives that help employees take the time to do the right thing, then the culture of data privacy and data security will be that much stronger,” Shadabi said.
The government advisory’s recommended mitigations include the following:
- Implement best practices to block phishing emails.
- Audit remote access tools to identify currently used and/or authorized RMM software.
- Review logs for execution of RMM software to detect abnormal use of programs running as a portable executable.
- Use security software to detect instances of RMM software only being loaded in memory.
- Implement application controls to manage and control execution of software, including allowlisting RMM programs.
- Require authorized RMM solutions to only be used from within your network over approved remote access solutions, such as VPNs or VDIs.
- Block inbound and outbound connections on common RMM ports and protocols at the network perimeter.
- Implement a user training program and phishing exercises to raise awareness among users.
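The second, third and fifth mitigations above (audit which RMM software is authorized, review logs for RMM running as a portable executable, allowlist RMM programs) can be turned into a simple detection. The script below is an added example, not part of the advisory or of this article: it reads constructed process-creation events (JSON lines with `image`, `parent_image`, `host` and `user` fields, a layout assumed here rather than taken from any particular product), keeps a hypothetical allowlist of one authorized RMM agent and its install directory, and flags executions of the RMM binaries named in the advisory that either are not on the allowlist, run from a user-writable directory (the portable-executable pattern), or were started by a parent process that itself lives in a user-writable directory, which matches the "downloaded executable that downloads the RMM software" chain described above. The executable names are assumptions about how the vendors package their clients.

```python
import json
from pathlib import PureWindowsPath

# Hypothetical allowlist: the one RMM product this organization has authorized
# and the directory its managed agent is installed in (constructed values).
AUTHORIZED_RMM = {
    "screenconnect.clientservice.exe": "c:\\program files (x86)\\screenconnect client",
}

# Executable names for the two RMM tools named in the advisory (assumed names).
RMM_IMAGE_NAMES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}

# Directories an ordinary user can write to. An RMM binary running from here is
# a portable, self-contained copy rather than a managed installation.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


def _parent_dir(path):
    """Lower-cased directory containing a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def classify_event(event):
    """Return a finding dict for one process-creation event, or None if benign."""
    image = PureWindowsPath(event["image"])
    name = image.name.lower()
    if name not in RMM_IMAGE_NAMES:
        return None  # not an RMM binary we track

    image_dir = _parent_dir(event["image"])
    authorized_dir = AUTHORIZED_RMM.get(name)
    reasons = []

    if authorized_dir is None:
        reasons.append("rmm_not_in_allowlist")
    elif image_dir != authorized_dir:
        reasons.append("allowlisted_rmm_from_unexpected_path")

    if image_dir.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("portable_rmm_from_user_writable_path")

    # The advisory describes a downloaded executable that then fetches the RMM
    # software; a launcher living in a user-writable directory is that pattern.
    if _parent_dir(event["parent_image"]).startswith(USER_WRITABLE_PREFIXES):
        reasons.append("launched_by_process_in_user_writable_path")

    if not reasons:
        return None  # managed agent, expected path, managed parent
    return {
        "host": event["host"],
        "user": event["user"],
        "image": event["image"],
        "reasons": reasons,
    }


def scan(lines):
    """Run classify_event over JSON-lines input and collect the findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = classify_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events: one managed agent, two portable copies, one
# unrelated process. Hostnames and usernames are placeholders.
SAMPLE_LOG = r"""
{"host": "WS-01", "user": "jdoe", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe", "parent_image": "C:\\Windows\\System32\\services.exe"}
{"host": "WS-02", "user": "asmith", "image": "C:\\Users\\asmith\\Downloads\\AnyDesk.exe", "parent_image": "C:\\Users\\asmith\\Downloads\\support-helper.exe"}
{"host": "WS-03", "user": "bkim", "image": "C:\\Users\\bkim\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"host": "WS-01", "user": "jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))
```

The allowlist check is what makes the "audit remote access tools" step actionable: an RMM binary that is not in `AUTHORIZED_RMM` is a finding on its own, regardless of path, and a binary that is allowlisted but runs from a Downloads or Temp directory is the portable-executable case the advisory tells defenders to look for. In practice the prefixes and the allowlist would come from the organization's own inventory rather than the constructed values used here.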