The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are warning organizations of malicious attacks using legitimate remote monitoring and management (RMM) software.
IT service providers use RMM applications to remotely manage their clients’ networks and endpoints, but threat actors are abusing these tools to gain unauthorized access to victim environments and perform nefarious activities.
In malicious campaigns observed in 2022, threat actors sent phishing emails to deploy legitimate RMM software such as ConnectWise Control (previously ScreenConnect) and AnyDesk on victims’ systems, then abused that access for financial gain.
The observed attacks focused on stealing money from bank accounts, but CISA, NSA, and MS-ISAC warn that the attackers could abuse RMM tools as backdoors to victim networks and could sell the obtained persistent access to other cybercriminals or to advanced persistent threat (APT) actors.
Last year, multiple federal civilian executive branch (FCEB) employees were targeted with help desk-themed phishing emails, both via personal and government email addresses.
Links included in these messages directed the victims to a first-stage malicious domain, which automatically triggered the download of an executable designed to connect to a second-stage domain and download RMM software from it, as portable executables that would connect to attacker-controlled servers.
“Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions,” the US government agencies warn.
In some cases, the email’s recipient was prompted to call the attackers, who then attempted to convince them to visit the malicious domain.
In October 2022, Silent Push uncovered similar malicious typosquatting activity, in which the adversaries impersonated brands such as Amazon, Geek Squad, McAfee, Microsoft, Norton, and PayPal to distribute the remote monitoring tool WinDesk.Client.exe.
In the attacks targeting federal agencies, the threat actors used the RMM tools to connect to the recipient’s system, then enticed them to log into their bank account.
The attackers used the unauthorized access to modify the victim’s bank account summary to show that a large amount of money had been mistakenly refunded, instructing the individual to send the amount back to the scam operator.
“Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors,” CISA, NSA, and MS-ISAC note.
The agencies underline that any legitimate RMM software could be abused for nefarious purposes, that the use of portable executables allows attackers to bypass existing policies and protections, that antivirus defenses would not typically be triggered by legitimate software, and that RMM tools provide attackers with persistent backdoor access to an environment without the use of custom malware.
CISA, NSA, and MS-ISAC also warn that the legitimate users of RMM software, such as managed service providers (MSPs) and IT help desks, are often targeted by cybercriminals looking to gain access to a large number of the victim MSP’s customers, which could lead to cyberespionage or to the deployment of ransomware and other types of malware.
To stay protected, organizations are advised to implement phishing protections, audit remote access tools, review logs to identify abnormal use of RMM software, use security software to detect the in-memory execution of RMM software, implement proper application control policies, restrict the use of RMM software from within the local network, and train employees on phishing.
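The "review logs" and "audit remote access tools" recommendations above come down to one question: is an RMM executable running where a managed installation would not put it? The following script is an added illustration written for this article, not code from CISA, NSA, MS-ISAC or any RMM vendor. It scans constructed, Sysmon-style process-creation records for the products named in the advisory and flags portable execution outside a managed install root. The log format, the `RMM_TOKENS` fingerprints, the `AUTHORIZED_RMM` allowlist, the `INSTALL_ROOTS` prefixes and the sample records are all assumptions chosen for the example; adapt them to your own telemetry and policy.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, Sysmon-style process-creation records for illustration only
# (not real telemetry). Fields: timestamp, host, user, image path, parent path.
SAMPLE_LOG = """\
2023-01-25T09:58:11Z host=WS01 user=jdoe image=C:\\Windows\\explorer.exe parent=C:\\Windows\\System32\\userinit.exe
2023-01-25T10:01:02Z host=WS01 user=jdoe image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe parent=C:\\Windows\\explorer.exe
2023-01-25T10:03:40Z host=WS02 user=asmith image=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe parent=C:\\Windows\\System32\\services.exe
2023-01-25T10:07:15Z host=WS03 user=bwong image=C:\\Users\\bwong\\AppData\\Local\\Temp\\WinDesk.Client.exe parent=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2023-01-25T10:09:00Z host=WS01 user=jdoe image=C:\\Windows\\System32\\notepad.exe parent=C:\\Windows\\explorer.exe
"""

# Assumed product fingerprints: a lowercase substring of the executable name
# mapped to the RMM product it indicates. Extend to cover the tools in your estate.
RMM_TOKENS = {
    "anydesk": "AnyDesk",
    "screenconnect": "ConnectWise Control (ScreenConnect)",
    "windesk.client": "WinDesk",
}

# Assumed policy: only this product is sanctioned, and only when it runs from a
# managed install root. Anything else is treated as "portable" execution.
AUTHORIZED_RMM = {"ConnectWise Control (ScreenConnect)"}
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Parents that suggest a user opened a download or attachment rather than a
# managed deployment (assumed list).
USER_FACING_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "explorer.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) parent=(?P<parent>.+)$"
)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    product: str
    image: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _identify_rmm(image: str) -> Optional[str]:
    """Return the RMM product name if the image matches a known fingerprint."""
    name = _basename(image)
    for token, product in RMM_TOKENS.items():
        if token in name:
            return product
    return None


def assess(ts: str, host: str, user: str, image: str, parent: str) -> Optional[Finding]:
    """Classify one process-creation record; None if it is not an RMM binary."""
    product = _identify_rmm(image)
    if product is None:
        return None
    reasons = []
    portable = not image.lower().startswith(INSTALL_ROOTS)
    if portable:
        reasons.append("portable executable outside managed install root")
    if product not in AUTHORIZED_RMM:
        reasons.append("product not on RMM allowlist")
    if _basename(parent) in USER_FACING_PARENTS:
        reasons.append(f"launched by user-facing parent {_basename(parent)}")
    if portable:
        severity = "high"      # bypasses install-time controls, as the advisory describes
    elif product not in AUTHORIZED_RMM:
        severity = "medium"    # installed, but not a sanctioned tool
    else:
        severity = "info"
        reasons.append("installed, allowlisted RMM: confirm against change records")
    return Finding(ts, host, user, product, image, severity, reasons)


def scan_rmm_activity(log_text: str) -> List[Finding]:
    """Parse each record and collect findings for RMM executions."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip records that do not fit the expected shape
        f = assess(m["ts"], m["host"], m["user"], m["image"], m["parent"])
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_rmm_activity(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.timestamp} {f.host} {f.user} {f.product}: {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the two portable executions (AnyDesk in a Downloads folder, WinDesk.Client.exe in a Temp folder spawned by a browser) come out as high-severity findings, while the allowlisted, installed ConnectWise Control service is reported only for reconciliation against change records. The point of separating "portable" from "not allowlisted" is that the advisory's key observation, portable executables establishing access without installation or administrative privilege, is visible in the path alone, independent of whether the product is otherwise sanctioned.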