RMM Software

Chris Swagler | February 2nd, 2023


Threat actors are using phishing campaigns to deliver legitimate remote monitoring and management (RMM) software. The latest joint federal advisory was prompted by compromises of two federal civilian executive branch (FCEB) networks tied to malicious typo-squatting activity. In the hands of threat actors, legitimate RMM software serves as a backdoor for command and control or persistence on victims’ networks. In October, the Cybersecurity and Infrastructure Security Agency (CISA) identified the FCEB compromises through a retrospective analysis of EINSTEIN, the FCEB-wide intrusion detection system that CISA operates and monitors, which had recorded suspected malicious activity on the two networks.

RMM Software Used by Threat Actors

The first incident occurred in mid-June, when threat actors sent a phishing email containing a phone number to an FCEB employee’s government email address. The employee called the number and was directed to a malicious website, myhelpcare[.]online. In September, CISA observed bi-directional traffic between an FCEB network and myhelpcare[.]cc. Further EINSTEIN analysis and incident response assistance uncovered similar activity on numerous other FCEB networks. The FCEB compromises revealed that the threat actors behind the campaign were sending help desk-themed phishing emails to FCEB employees’ personal and government email addresses.

According to the joint advisory from CISA, the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the ongoing widespread campaign uses phishing emails to trick users into downloading legitimate RMM software. Threat actors frequently target organizations that rely on legitimate RMM software, including managed service providers (MSPs) and IT help desks, which use it for technical and security end-user support, network management, endpoint monitoring, and remote interaction with hosts for IT support functions. The threat actors’ aim is to exploit the trust relationships in MSP networks to gain access to many of an MSP’s clients at once. A breach of an MSP can expose its clients to significant risk, including ransomware and cyber espionage. The phishing email either contains a link to a first-stage malicious domain or instructs recipients to call the threat actors, who then try to talk them into visiting the first-stage malicious website. When a victim visits the malicious domain, an executable is downloaded that connects to a second-stage malicious domain, from which the RMM software is downloaded.

In the activity CISA identified, the threat actors were running a refund scam and stealing money from victims’ bank accounts using ScreenConnect (now ConnectWise Control) and AnyDesk. Notably, the threat actors did not install the downloaded RMM clients on the compromised hosts. Instead, AnyDesk and ScreenConnect were downloaded as self-contained, portable executables configured to connect to the threat actors’ RMM servers. Portable executables launch within the user’s context without installation and do not require administrator privileges. Using portable RMM executables lets threat actors establish local user access without a full software installation or administrative privileges, effectively bypassing common software controls and risk management assumptions.

Unapproved software can still run even when risk management controls are in place to audit or restrict installation of that same software on the network. With only a local user’s privileges, threat actors can use portable executables to attack other vulnerable machines on the local intranet or to establish long-term persistent access as a local user service. Although this campaign is financially motivated, the access it yields can lead to further malicious activity, including the sale of victim account access to other cybercriminals or advanced persistent threat actors. CISA found that the first-stage malicious domain links in some phishing emails send users through additional redirects before the RMM software download. Once users download the RMM software, the threat actors use it to run a refund scam: they connect to the victim’s system and trick the user into logging into their bank account while the session is active.

With RMM access, the threat actors alter the victim’s bank account summary so that it appears the victim was mistakenly refunded an excessive amount of money, then instruct the victim to return the excess to the scam operator. The activity was discovered in October by a threat intelligence team while scanning for PayPal typosquatting domains. Researchers found a threat network impersonating many global brands and infecting machines with a malicious file disguised as a remote monitoring tool, WinDesk.Client.exe. The large-scale trojan operation impersonates the domains of Amazon, Microsoft, Geek Squad, McAfee, Norton, and PayPal. To protect against malicious use of legitimate RMM software, all organizations are strongly encouraged to review the indicators of compromise and recommended mitigations in the advisory, which also documents the identified first-stage domain naming patterns and other threat actor tactics.

Organizations are advised to audit installed remote access tools and identify authorized RMM software to prevent potential security breaches. They should also use application controls to prevent unauthorized RMM software from executing, require that authorized RMM software be used only over approved remote access solutions such as VPNs, and block both inbound and outbound connections on standard RMM ports and protocols at the network perimeter. Because threat actors use phishing to reach valuable data, companies need to run training programs and phishing exercises that help employees recognize the risks of phishing and spear phishing emails. At SpearTip, we offer phishing awareness training to partners to enhance their skills in defending against potential cyber threats. Our training tests your team’s discernment, educates employees about common phishing tactics and indicators, and identifies related security gaps in your environment. After the training, our team provides clear and thorough strategies for hardening your environment and implementing ongoing awareness training.
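The two behaviours above (a portable RMM client launched in the user's context without installation, and an RMM client calling out to a server the organization never approved) are exactly what an audit of remote access tools should surface. The following is an added example, not code from SpearTip or the CISA advisory, that runs both checks over constructed Sysmon-style process-creation and network-connection events. The client binary names, the approved server name rmm.corp.example, the approved install roots, and the default client ports are assumptions for the example and should be adjusted to your own estate.

```python
"""
Added example (not SpearTip's code, nor anything from the CISA advisory): detection
logic for portable RMM clients and unapproved RMM servers, run over constructed events.

Rule 1: an RMM client binary launched from a user-writable location (portable
execution in the user's context, no installation) rather than an admin-installed path.
Rule 2: a connection on an RMM port to a server that is not on the approved list.
"""
from pathlib import PureWindowsPath

# Assumed client binary names for the products named in the advisory; extend for your estate.
RMM_IMAGES = {
    "anydesk.exe",
    "screenconnect.windowsclient.exe",
    "screenconnect.clientservice.exe",
}

# An admin-deployed RMM agent is expected under Program Files; anything else is treated
# as a portable copy (Downloads, %TEMP%, removable media, ...).
APPROVED_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Hypothetical approved RMM server, and default client ports assumed for this example
# (AnyDesk 6568/7070, ScreenConnect relay 8041); verify against vendor documentation.
APPROVED_RMM_SERVERS = {"rmm.corp.example"}
RMM_PORTS = {6568, 7070, 8041}


def is_portable_location(image_path: str) -> bool:
    """True when the executable does not live under an admin-installed program directory."""
    return not image_path.lower().startswith(APPROVED_INSTALL_ROOTS)


def analyze(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for process_create and network_connect events."""
    findings: list[tuple[str, str]] = []
    for e in events:
        image = e["image"]
        name = PureWindowsPath(image).name.lower()
        if e["type"] == "process_create":
            if name in RMM_IMAGES and is_portable_location(image):
                parent = PureWindowsPath(e["parent"]).name
                findings.append((
                    "portable_rmm_execution",
                    f"{e['user']} ran {name} from {image} (parent {parent})",
                ))
        elif e["type"] == "network_connect":
            if e["dst_port"] in RMM_PORTS and e["dst_host"] not in APPROVED_RMM_SERVERS:
                findings.append((
                    "unapproved_rmm_server",
                    f"{name} connected to {e['dst_host']}:{e['dst_port']} (not an approved RMM server)",
                ))
    return findings


# Constructed sample telemetry: an admin-installed agent talking to the approved server,
# a portable AnyDesk run from Downloads that phones home to an unknown host, a portable
# ScreenConnect client run from %TEMP%, and ordinary browser traffic.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "user": r"CORP\svc-rmm", "parent": r"C:\Windows\System32\services.exe"},
    {"type": "network_connect", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "dst_host": "rmm.corp.example", "dst_port": 6568},
    {"type": "process_create", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "user": r"CORP\jdoe", "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "network_connect", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "dst_host": "203.0.113.10", "dst_port": 6568},
    {"type": "process_create", "image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.WindowsClient.exe",
     "user": r"CORP\jdoe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_host": "www.example.com", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the sample events, the script reports three findings: the AnyDesk copy run from Downloads, its connection to 203.0.113.10, and the ScreenConnect client run from the user's temp directory; the admin-installed agent and the browser traffic are not flagged. Matching on file name alone is deliberately simple and is defeated by a renamed binary, so in production pair it with the code-signing publisher or file hash, and keep the approved server list in step with the RMM servers your application control policy and perimeter firewall rules already permit.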

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.

Frequently Asked Questions

How can individuals or businesses protect themselves from threat actors using RMM software?

In order to protect themselves from threat actors using RMM software, individuals and businesses can implement several security measures. These may include regularly updating and patching their software and operating systems, using strong and unique passwords, enabling two-factor authentication, regularly monitoring network traffic for suspicious activity, and employing robust antivirus and anti-malware solutions. Additionally, it is crucial to train employees on recognizing and avoiding phishing attempts and suspicious emails.

What are some common signs that RMM software is being used for malicious purposes?

There are several signs that may indicate the malicious use of RMM software. These include unexplained and unauthorized remote access to systems, unusual system behavior or performance issues, unauthorized changes to system configurations or settings, unexpected installation or presence of unknown software or tools, and suspicious network traffic patterns. Any of these signs should be thoroughly investigated to determine if RMM software is being misused.

Are there any legal actions being taken against individuals or groups who use RMM software for malicious purposes?

Legal actions are being taken against individuals and groups who use RMM software for malicious purposes. Law enforcement agencies and cybersecurity firms collaborate to identify and track down threat actors involved in such activities. Depending on the jurisdiction and severity of the offense, these individuals or groups can face criminal charges, prosecution, and potential imprisonment. It is essential for victims of such attacks to report incidents promptly to the relevant authorities to aid in the investigation and potential legal actions against the perpetrators.
