U.S. Federal Agencies Fall Victim to Cyber Attack Utilizing Legitimate RMM Software

26 January 2023 | Ravie Lakshmanan | Cyber Threat / Phishing

Hackers using RMM software

At least two federal agencies in the United States fell victim to a “widespread cyber campaign” that involved the use of legitimate remote monitoring and management (RMM) software to perpetrate a phishing scam.

“Specifically, cybercriminal actors sent phishing emails that led to the download of legitimate RMM software — ScreenConnect (now ConnectWise Control) and AnyDesk — which the actors used in a chargeback scam to steal money from victims’ bank accounts,” US cybersecurity officials said.

The joint advisory comes from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The attacks, which took place between mid-June and mid-September 2022, were financially motivated, although threat actors could weaponize the unauthorized access to perform a wide range of activities, including selling that access to other hacking crews.

The use of remote management software by criminal groups has long been a problem, as it offers an efficient way to establish local user access on a host without the need to elevate privileges or gain a foothold by other means.

In one case, the threat actors sent a phishing email containing a phone number to an employee’s public email address, prompting the person to visit a malicious domain. The emails, CISA said, are part of help desk-themed social engineering attacks orchestrated by the threat actors since at least June 2022 and targeting federal employees.

The subscription-themed messages either contain a link to a “first-stage” malicious domain or employ a tactic known as callback phishing to lure recipients into calling an actor-controlled phone number, where they are directed to the same domain.

Regardless of the approach used, the malicious domain triggers the download of a binary file that then connects to a second-stage domain to retrieve the RMM software in the form of portable executables.

The end goal is to use the RMM software to carry out a refund scam. This is achieved by instructing the victims to log into their bank accounts, after which the actors alter the displayed account summary to make it appear as if the person was mistakenly refunded an excess amount.

In the final step, the scam operators encourage the email recipients to refund the extra amount, effectively cheating them out of their money.

CISA attributed the activity to a “major Trojan operation”, which was revealed by cybersecurity firm Silent Push in October 2022. That said, similar phone-oriented attack delivery methods have been adopted by other actors, including Luna Moth (Silent Ransom).

“This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors – from cybercriminals to nation-state sponsored APTs – are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2),” the agencies warned.
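The advisory’s point that legitimate RMM tools are run as portable executables, dropped into user-writable paths rather than installed by an administrator, suggests a simple host-side check. The following is an added example, not code from the article or the agencies: it triages constructed Sysmon-style process-creation events and flags ScreenConnect/ConnectWise Control or AnyDesk binaries launched from outside a sanctioned install directory. The log shape, field names and sanctioned paths are assumptions for the illustration.

```python
import json
import re
from pathlib import PureWindowsPath

# Binaries named in the advisory. Matching on the file name is an assumption:
# portable builds keep product names, but a renamed copy would need a hash or
# signer check instead.
RMM_PATTERN = re.compile(r"screenconnect|connectwisecontrol|anydesk", re.I)

# Where an administratively installed, sanctioned copy would normally live
# (assumed baseline; adjust to the environment's actual deployment paths).
SANCTIONED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def is_suspect_rmm(event: dict) -> bool:
    """True when an RMM binary runs from a user-writable path, i.e. as a
    portable executable rather than from a sanctioned install directory."""
    image = event.get("Image", "")
    name = PureWindowsPath(image).name
    if not RMM_PATTERN.search(name):
        return False
    return not image.lower().startswith(SANCTIONED_DIRS)


def triage(log_lines):
    """Return (EventID, Image, User) for each suspect event in JSON-lines input."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if is_suspect_rmm(ev):
            hits.append((ev["EventID"], ev["Image"], ev["User"]))
    return hits


# Constructed sample events (not real telemetry) in a Sysmon-like JSONL shape.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files (x86)\\ScreenConnect Client (abc)\\ScreenConnect.ClientService.exe", "User": "CORP\\helpdesk"}
{"EventID": 2, "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "User": "CORP\\jdoe"}
{"EventID": 3, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.WindowsClient.exe", "User": "CORP\\jdoe"}
{"EventID": 4, "Image": "C:\\Windows\\System32\\notepad.exe", "User": "CORP\\jdoe"}
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print("suspect portable RMM:", hit)
```

Only events 2 and 3 are flagged: the sanctioned Program Files install and the unrelated notepad launch are ignored.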
