CISA: Federal Employees Targeted in Malicious Cyber Threat Campaign Using RMM Software

January 26, 2023 - UPDATE 1/27/2023 - This article has been updated to include a commment from ConnectWise.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory (CSA) that shed light on the malicious use of legitimate remote monitoring and management (RMM) software by cyber threat actors. The tactic was used in a pervasive campaign across multiple federal civilian executive branch (FCEB) networks.

“In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software,” CISA stated in the CSA.

“Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.”

RMM helps managed IT service providers maintain client IT infrastructure and systems by enabling them to keep tabs on endpoint device monitoring, updates, and patches. The software allows managed service providers (MSPs) to manage client systems remotely and efficiently. As such, RMM software is widely used across all industries.

READ MORE: Downloaders, Ransomware, Among Top Healthcare Cyberattack Tactics in Q4

As of June 2022, the authoring entities have observed threat actors sending help desk-themed phishing emails to FCEB staff’s personal and government email addresses. CISA found out about the campaign in October 2022, when it conducted a retrospective analysis of EINSTEIN (a FCEB-wide intrusion detection system) and identified suspicious network activity.

Further analysis revealed malicious activity on other FCEB networks. CISA concluded that “this activity is part of a widespread, financially motivated phishing campaign and is related to malicious typosquatting activity” uncovered in a Silent Push blog post.

After downloading the RMM software, threat actors typically use it to initiate a refund scam, convincing the target to log into their bank account while still connected to the system.

“The actors then used their access through the RMM software to modify the recipient’s bank account summary,” the CSA noted.

“The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to ‘refund’ this excess amount to the scam operator.”

READ MORE: Specialty Care Clinic Reports Potential PHI Exposure Caused by Tracking Pixels

The CSA stressed that this specific tactic has been used to target individuals, but has the potential to expand to malicious activity against the organization as a whole, especially if threat actors sell account access to other cybercriminals and advanced persistent threat (APT) actors.

The three authoring organizations provided detailed indicators of compromise (IOCs) and recommended mitigations, urging all network defenders to implement their recommendations to protect against this campaign.

The malicious use of legitimate RMM software is especially dangerous because it does not generally trigger antivirus defenses, the CSA stated. In addition, defenders should note that threat actors can leverage any legitimate RMM software, even though they have commonly used ScreenConnect and AnyDesk in the past.

“Threat actors often target legitimate users of RMM software. Targets can include managed service providers (MSPs) and IT help desks, who regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions,” the authoring organizations wrote.

“These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP's customers. MSP compromises can introduce significant risk—such as ransomware and cyber espionage—to the MSP’s customers.”

Network defenders should implement phishing best practices, audit remote access tools, and review logs to detect malicious instances of RMM software use.

"ConnectWise takes the security of our products and our partners very seriously. Unfortunately, software products intended for good use, including remote control tools, can be frequently used by bad actors for malicious purposes. As a company, we strive to be proactive and work diligently to prevent this from happening through training and education as well as the use of comprehensive security tools to detect harmful behavior. We remain closely aligned with our partners, and regularly reiterate cybersecurity best practices. Phishing campaigns, particularly email phishing attacks, continue to get more sophisticated, mirroring legitimate email and web content. More sophisticated attempts may not include some of the standard phishing attack indicators like misplaced graphics or spelling inconsistencies. We encourage everyone to stay vigilant in looking for clues, particularly, in email domains and links, to avoid mistakenly clicking on nefarious content. When alerted of this behavior, ConnectWise regularly issues take-down requests to remove malicious sites and domains. We are reaching out to the impacted federal agencies for additional information that can help us take further steps to educate and support partners."