More cybercriminals are using legitimate remote monitoring and management (RMM) software in their attacks, according to a new joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
The campaign was first identified in October 2022 and relies on callback phishing. The emails used in this campaign are hard for email security tools to flag as malicious because they contain no malicious URLs or attachments. Instead, the email tells the recipient that a charge is pending and provides a phone number to call if they want to stop the charge from being applied.
The charge is usually for a software product whose free trial is about to end. The user is told that the full price of the software will be billed to their account unless they act. Because the quoted price is high, the recipient is likely to call. The call is answered and social engineering is used to persuade the user to visit a malicious website and download software which, they are told, is needed to uninstall the product and avoid the charge. That download connects to a second-stage domain and fetches a lightweight version of legitimate remote access software such as ScreenConnect or AnyDesk. When executed, the software connects to the attacker's RMM server, giving the attacker access to the user's device.
The self-contained, portable versions of this remote access software do not require installation and therefore do not need administrator privileges. An organization may have security controls in place to block installation of this software, but portable versions bypass those controls and give the attacker access to the user's device as the logged-in local user. From there the attacker can move to other unsecured machines on the local network or establish persistent access as a local user service. A primary goal of these attacks is to trick users into logging into their bank accounts to run a refund scam. The attacker stays connected while the user views the account, alters the displayed account summary so that it looks as though too much money has been refunded, and then instructs the user to return the surplus to the scammer.
Using third-party reporting, CISA conducted a retrospective analysis of the federal civilian executive branch (FCEB) intrusion detection system (IDS) and found malicious activity on two FCEB systems that had been compromised using this technique. Further analysis uncovered malicious activity on several other FCEB networks, which the agencies tied to a larger financially motivated phishing campaign associated with a typosquatting campaign identified by Silent Push that spoofed Microsoft, Amazon, McAfee, Norton, PayPal, and Geek Squad domains. Initially the campaign used help desk-themed emails that sent users to a web page impersonating one of these companies; it then moved on to callback phishing. The campaign has been active since at least June 2022.
Although this campaign uses AnyDesk and ScreenConnect, other RMM tools can also be packaged as self-contained, portable executables. Attacks of this kind are considerably easier to carry out than developing custom remote access malware and delivering it in phishing emails. The agencies urge all FCEB agencies, and network defenders at other organizations, to review the indicators of compromise (IOCs) and mitigations in the advisory to protect against the malicious use of RMM software.
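The portable-executable pattern described above leaves a simple trace in endpoint process-creation logs: a known RMM binary running from a user-writable directory rather than from its normal install location. The following Python is an added example, not code from the advisory or from the agencies that issued it. It assumes Sysmon Event ID 1-style records (Image, OriginalFileName, User and ParentImage fields), treats the Program Files directories as the only sanctioned install locations, and uses a hand-picked list of AnyDesk and ScreenConnect executable names; the sample events are constructed for the demonstration, and every one of those choices is an assumption to adjust for your own environment.

```python
import re
from pathlib import PureWindowsPath

# Executable names for the two tools named in the advisory, AnyDesk and ScreenConnect.
# Matching on OriginalFileName (the name recorded in the PE version resource) as well
# as on the on-disk name catches a portable copy the caller has renamed. Assumption:
# this list is illustrative; extend it with every RMM tool your organization sanctions.
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.client.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}

# Where an installed, sanctioned copy is expected to live (assumption; adjust per estate).
SANCTIONED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Directories a standard user can write to without administrator rights. A portable
# RMM binary launched from one of these is the pattern the advisory describes.
USER_WRITABLE = re.compile(
    r"^c:\\(?:users\\[^\\]+\\(?:downloads|desktop|appdata\\local\\temp)|windows\\temp|temp)\\",
    re.IGNORECASE,
)

# Parents that indicate a user opened a downloaded file, as opposed to a service start.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def classify_event(event):
    """Return a finding for a Sysmon Event ID 1 record that looks like a portable RMM
    launch, or None if the record is benign (unrelated binary or sanctioned install)."""
    image = event.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    original = event.get("OriginalFileName", "").lower()
    if name not in RMM_BINARIES and original not in RMM_BINARIES:
        return None
    lowered = image.lower()
    if lowered.startswith(SANCTIONED_ROOTS):
        return None  # installed copy in an expected location; writing there needed admin rights

    reasons = []
    if USER_WRITABLE.search(lowered):
        reasons.append("launched from user-writable path")
    else:
        reasons.append("launched outside sanctioned install directories")
    if original in RMM_BINARIES and name != original:
        reasons.append(f"renamed binary (OriginalFileName={original})")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"spawned by {parent}, consistent with a user-downloaded file")
    return {"user": event.get("User", ""), "image": image, "reasons": reasons}


def scan(events):
    """Run classify_event over a sequence of records and return only the findings."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


# Constructed sample records (not real telemetry), covering a sanctioned install,
# a portable copy in Downloads, a renamed portable copy in Temp, an unrelated
# process, and a portable copy in a non-standard directory outside the user profile.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe",
     "User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\jsmith\Downloads\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe",
     "User": r"CORP\jsmith", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\jsmith\AppData\Local\Temp\support-tool.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe",
     "User": r"CORP\jsmith", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "User": r"CORP\jsmith", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Tools\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe",
     "User": r"CORP\jsmith", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['user']}: {finding['image']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Two caveats a defender should keep in mind. First, the renamed-binary check only works if the log source records OriginalFileName (Sysmon does; many generic process logs do not), and a path-only rule is easy to sidestep by dropping the binary somewhere unusual, which is why the example still flags any RMM binary outside the sanctioned roots rather than only those in the user profile. Second, a log review like this is a detective control that complements, not replaces, application control that blocks unauthorized portable RMM executables from running at all.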