A phishing scam using legitimate remote monitoring and management (RMM) software was used to target at least two federal agencies in the U.S.
Specifically, cyber-criminal actors sent phishing emails that led to the download of legitimate RMM software – ScreenConnect (now ConnectWise Control) and AnyDesk – which they then used in a refund scam to steal money from victim’s bank accounts.
The joint advisory was released by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
It appears that the phishing attacks, which took place in mid-June and mid-September 2022, were motivated by financial gain. However, the threat actors could weaponize the unauthorized access to conduct a wide range of activities, including selling it to other hacktivists.
It has long been a concern that criminal groups use remote software to establish access to a host without having to escalate privileges or obtain other footholds.
In one instance, the threat actors sent a phishing email containing a phone number to an employee’s government email address, directing the employee to a malicious website. According to CISA, the emails are part of social engineering attacks targeting federal employees that have focused on help desks since June 2022.
Subscription-related messages can contain a “first-stage” rogue domain or use a callback phishing tactic to entice recipients to call an actor-controlled phone number to visit the same site.
No matter what approach is used, the malicious domain triggers a binary download that connects to a second-stage environment to retrieve the RMM software.
RMM software will be used to launch a refund scam. To accomplish this, the actors instruct the victims to log into their bank accounts, then modify their bank account summary to make it appear that an excess amount of money has been refunded.
As a final step, scam operators ask the email recipients to refund the additional amount, effectively defrauding them.
A similar telephone-based attack delivery method has also been adopted by other actors, including Luna Moth (aka Silent Ransom), according to CISA.
This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors — from cyber criminals to nation-state sponsored APTs — have been known to use legitimate RMM software as a backdoor malware for persistence and Command and Control (C2).
If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.
