U.S. federal agencies identified a widespread cyber campaign leveraging legitimate remote monitoring and management software to compromise federal networks.
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory (AA23-025A) on the malicious use of remote monitoring and management (RMM) software in help desk-themed scams.
Using the intrusion detection system EINSTEIN, CISA has identified several federal victims since June 2022.
Hackers target federal agencies in refund scams
The joint cybersecurity advisory stated that scammers start by sending “help desk-themed phishing emails” to the victims’ email addresses. The messages contain expensive subscription renewal notices with links to malicious domains or a phone number for order cancellation.
“The emails either contain a link to a ‘first-stage’ malicious domain or prompt the recipients to call the cybercriminals, who then try to convince the recipients to visit the first-stage malicious domain.”
Recipients who call the number are talked into visiting the first-stage domain; recipients who click the link are redirected to a second-stage domain that prompts them to download self-contained, portable executables of remote access tools such as AnyDesk or ConnectWise Control (formerly ScreenConnect). Because the executables are portable, no installation and no administrator rights are needed.
Once the executable runs, the attackers connect to the victim's computer through the legitimate RMM software and lure the target into logging into their bank account. The scammers then modify the displayed account summary so it appears that the victim was mistakenly refunded too much money, and ask the victim to "refund" the excess to the scam operator.
“Much of the hacking of this sort is done by mid-size and large-size call centers sitting in ally countries,” said Roger Grimes, data-driven defense evangelist at KnowBe4. “They have executives, senior management, and employees who work 9-5 on the clock every day. They have scripts to follow, departments to hand off victims to depending on the phase of the attack, HR, paychecks, and bonuses.”
Sophisticated APT attacks via remote monitoring and management software
Although the campaign is financially motivated, CISA warned that the access it yields could lead to "additional types of malicious activity": the fraudsters could sell that access to other attackers, including advanced persistent threat (APT) actors and state-sponsored hackers. CISA also warned that self-contained, portable RMM executables are a persistence risk in their own right. Because they require no installation, they bypass both administrative-privilege requirements and software management control policies; running with only local user rights, such an executable can still be used to establish long-term access as a local user service and to attack other vulnerable machines on the local network.
“Legitimate tools and protocols are widely used by cybercriminals to both maintain persistence and obfuscate their lateral movement,” said Tom Kellermann, CISM, Senior VP of cyber strategy at Contrast Security. “Organizations must expand threat hunting to identify the C2 and remote access trojans that exist and eradicate them before they deal with secondary infections.”
Legitimate remote monitoring and management could also help hackers avoid malware detection and operate stealthily on federal networks. According to Grimes, remote monitoring and management software is popular with hackers: “The reason why is that legitimate software and services are far less likely to be detected as a malicious threat by both the user and any computer security software they are running.”
According to CISA, using legitimate RMM software also spares attackers the effort of developing custom malware such as backdoors. Additionally, many managed service providers (MSPs) and IT support firms use RMM software to perform routine tasks on clients' computers, so an attacker who compromises an MSP's RMM deployment can abuse that existing trust relationship to reach downstream clients.
“The fact is that threat actors continually innovate and will continue to innovate techniques to gain access to networks,” said James Graham, VP at RiskLens. “A foundational strategy should focus on resilience first. Understand which assets are most critical to your business – get out of the mindset of cybersecurity and look to the bottom line. Prioritize your list of assets and analyze each for type of probable loss (C-I-A). Quantifying that probable loss in dollar terms will clarify risk and the cost-effective mitigations to apply.”
Hackers breached multiple federal agencies using remote monitoring and management software
Using the FCEB-wide intrusion detection system, EINSTEIN, CISA identified threat actors’ activity on multiple federal civilian executive branch (FCEB) agency organizations.
In June 2022, CISA discovered that threat actors had tricked an FCEB employee into calling a phone number embedded in a phishing email. In September 2022, the agency discovered bidirectional traffic between an FCEB network and the social engineering domain myhelpcare[.]cc. CISA had also "identified related activity on many other FCEB networks," indicating that threat actors were actively targeting federal agencies using remote monitoring and management software.
Subsequently, the NSA warned that hackers could target National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks using legitimate RMM software.
Protecting federal agencies from RMM software-based attacks
The joint cybersecurity advisory encouraged federal agencies to implement email security controls that stop phishing and spam messages before they reach users' inboxes.
Additionally, they should conduct employee security awareness training on responding to phishing emails and the risks of visiting suspicious websites or downloading unsolicited attachments.
Other recommendations include auditing the RMM software installed on federal networks so that both authorized instances and unauthorized, portable copies are identified.
Monitoring RMM software logs also helps organizations detect abnormal use, such as portable executables launched from user directories rather than from a managed installation path. Network defenders should allow only authorized RMM solutions, and only over approved remote access paths such as virtual private networks (VPNs).
Lastly, they should block both inbound and outbound connections on the common RMM ports and protocols at the network perimeter, since attackers rely on those tools' default ports.
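As an added example (not part of the advisory or this article), the script below applies the last three recommendations to constructed endpoint telemetry: it flags RMM executables launched from user-writable directories, RMM agents running on hosts not approved to run them, and outbound connections to common RMM ports from unapproved hosts. The log format, hostnames, file paths, approved-host list and port table are assumptions chosen for illustration; tune them to your own telemetry and vendor documentation before alerting on them.

```python
"""Added example (not from the joint advisory or the article): audit constructed
endpoint telemetry for unauthorized or portable RMM usage.  Hostnames, paths,
the approved-host list and the port table are assumptions for illustration."""
import re
from dataclasses import dataclass

# RMM executables named in the advisory, keyed by lower-case image name.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ConnectWise Control",
    "screenconnect.windowsclient.exe": "ConnectWise Control",
}
# Ports commonly used by those tools (assumption: verify against vendor docs and
# your own network baseline before alerting on them).
RMM_PORTS = {7070: "AnyDesk direct", 6568: "AnyDesk", 8041: "ConnectWise Control relay"}
# Where a sanctioned, centrally installed agent would live (lower-case prefixes).
APPROVED_PATH_PREFIXES = (
    "c:\\program files\\anydesk\\",
    "c:\\program files (x86)\\screenconnect client",
)
# Hosts authorized to run RMM at all, e.g. the helpdesk jump box (assumption).
APPROVED_HOSTS = {"it-jump01"}

# Constructed sample log lines; `image` values are quoted because paths contain spaces.
CONSTRUCTED_LOG = r"""
2022-09-14T13:02:11Z host=ws-0412 user=jdoe event=process_create image="C:\Users\jdoe\Downloads\AnyDesk.exe" parent=chrome.exe
2022-09-14T13:02:40Z host=ws-0412 user=jdoe event=net_connect dst=203.0.113.45 dport=7070 image="C:\Users\jdoe\Downloads\AnyDesk.exe"
2022-09-14T13:05:02Z host=it-jump01 user=svc_rmm event=process_create image="C:\Program Files\AnyDesk\AnyDesk.exe" parent=services.exe
2022-09-14T13:05:30Z host=it-jump01 user=svc_rmm event=net_connect dst=203.0.113.9 dport=7070 image="C:\Program Files\AnyDesk\AnyDesk.exe"
2022-09-14T13:06:00Z host=ws-0099 user=asmith event=net_connect dst=198.51.100.7 dport=443 image="C:\Program Files\Google\Chrome\Application\chrome.exe"
2022-09-14T13:07:30Z host=ws-0515 user=bking event=process_create image="C:\Users\bking\AppData\Local\Temp\ScreenConnect.WindowsClient.exe" parent=msedge.exe
2022-09-14T13:09:12Z host=ws-0777 user=cpatel event=process_create image="C:\Program Files\AnyDesk\AnyDesk.exe" parent=explorer.exe
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line (constructed format) into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, value in KV_RE.findall(rest):
        fields[key] = value.strip('"')
    return fields


def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(lines):
    """Return one Finding per event that violates the RMM policy above."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        host, user, image = ev.get("host", ""), ev.get("user", ""), ev.get("image", "")
        tool = RMM_BINARIES.get(basename(image))
        if ev.get("event") == "process_create" and tool:
            if not image.lower().startswith(APPROVED_PATH_PREFIXES):
                # A self-contained portable copy running from a user-writable path.
                findings.append(Finding(host, user, "portable_rmm_executable",
                                        f"{tool} launched from {image}"))
            elif host not in APPROVED_HOSTS:
                # Managed install path, but this host is not allowed to run RMM.
                findings.append(Finding(host, user, "rmm_on_unapproved_host",
                                        f"{tool} running from managed path on {host}"))
        elif ev.get("event") == "net_connect":
            port = int(ev.get("dport", "0"))
            if port in RMM_PORTS and host not in APPROVED_HOSTS:
                # Egress on an RMM port that should be blocked at the perimeter.
                findings.append(Finding(host, user, "rmm_port_egress",
                                        f"{image} -> {ev.get('dst')}:{port} ({RMM_PORTS[port]})"))
    return findings


if __name__ == "__main__":
    for f in audit(CONSTRUCTED_LOG.splitlines()):
        print(f"[{f.rule}] {f.host}/{f.user}: {f.detail}")
```

Run against the constructed log, the script reports four findings: the portable AnyDesk copy in a Downloads folder and its outbound connection on port 7070, the ScreenConnect client running from a Temp directory, and a managed AnyDesk install on a workstation that is not on the approved-host list. The jump box's own AnyDesk activity is ignored because both its path and its host are sanctioned. In production the same three checks would normally be expressed as SIEM or EDR rules rather than a script, but the policy they encode is the same.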