Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

US Government Agencies Warn of Malicious Use of Remote Management Software

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are warning organizations of malicious attacks using legitimate remote monitoring and management (RMM) software.

IT service providers use RMM applications to remotely manage their clients’ networks and endpoints, but threat actors are abusing these tools to gain unauthorized access to victim environments and perform nefarious activities.

In malicious campaigns observed in 2022, threat actors sent phishing emails to deploy legitimate RMM software such as ConnectWise Control (previously ScreenConnect) and AnyDesk on victims’ systems, and abuse these for financial gain.

The observed attacks focused on stealing money from bank accounts, but CISA, NSA, and MS-ISAC warn that the attackers could abuse RMM tools as backdoors to victim networks and could sell the obtained persistent access to other cybercriminals or to advanced persistent threat (APT) actors.

Last year, multiple federal civilian executive branch (FCEB) employees were targeted with help desk-themed phishing emails, both via personal and government email addresses.

Links included in these messages directed the victims to a first-stage malicious domain, which automatically triggered the download of an executable designed to connect to a second-stage domain and download RMM software from it, as portable executables that would connect to attacker-controlled servers.

“Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions,” the US government agencies warn.

In some cases, the email’s recipient was prompted to call the attackers, who then attempted to convince them to visit the malicious domain.

Advertisement. Scroll to continue reading.

In October 2022, Silent Push uncovered similar malicious typosquatting activity, in which the adversaries impersonated brands such as Amazon, Geek Squad, McAfee, Microsoft, Norton, and PayPal to distribute the remote monitoring tool WinDesk.Client.exe.

In the attacks targeting federal agencies, the threat actors used the RMM tools to connect to the recipient’s system, then entice them to log into their bank account.

The attackers used the unauthorized access to modify the victim’s bank account summary to show that a large amount of money had been mistakenly refunded, instructing the individual to send the amount back to the scam operator.

“Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors,” CISA, NSA, and MS-ISAC note.

The agencies underline that any legitimate RMM software could be abused for nefarious purposes, that the use of portable executables allows attackers to bypass existing policies and protections, that antivirus defenses would not be typically triggered by legitimate software, and that RMM tools provide attackers with persistent backdoor access to an environment, without the use of custom malware.

CISA, NSA, and MS-ISAC also warn that the legitimate users of RMM software, such as managed service providers (MSPs) and IT help desks, are often targeted by cybercriminals looking to gain access to a large number of the victim MSP’s customers, which could lead to cyberespionage or to the deployment of ransomware and other types of malware.

To stay protected, organizations are advised to implement phishing protections, audit remote access tools, review logs to identify the abnormal use of RMM software, use security software to detect the in-memory execution of RMM software, implementing proper application control policies, restrict the use of RMM software from within the local network, and train employees on phishing.

Related: CISA Updates Infrastructure Resilience Planning Framework

Related: NSA, CISA Explain How Threat Actors Plan and Execute Attacks on ICS/OT

Related: NSA Publishes Best Practices for Improving Network Defenses

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Register

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

Orchid Security has appointed a new Chief Product Officer and three advisors.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.