CISA, NSA and MS-ISAC today warned in a joint advisory that attackers are increasingly using legitimate remote monitoring and management (RMM) software for malicious purposes.
More worryingly, CISA discovered malicious activity within the networks of several Federal Civilian Executive Branch (FCEB) agencies using the EINSTEIN intrusion detection system after a Silent Push report was released in mid-October 2022.
This activity was related to the “widespread financially motivated phishing campaign” reported by Silent Push and was detected on “many other FCEB networks” after first being spotted on a single FCEB network in mid-September 2022.
The attackers behind this campaign have been sending help desk-themed phishing emails to the government and personal email addresses of federal personnel since at least mid-June 2022.
“The authoring organizations assess that since at least June 2022, cybercriminals have been sending help desk-themed phishing emails to the personal and government email addresses of FCEB federal personnel,” the notice reads.
“The emails either contain a link to a malicious ‘first stage’ domain or instruct recipients to call the cybercriminals, who then attempt to convince the recipients to visit the malicious first stage domain.”
Callback phishing attacks like those targeting FCEB staff in this campaign have seen a massive 625% growth since Q1 2021 and have also been adopted by ransomware gangs.
These groups include those that split off from the Conti cybercrime operation, such as the Silent Ransom group, Quantum (now Dagon Locker), and Royal.
Unlike normal phishing emails, callback phishing attacks do not include a link to a hacker’s website. Instead, they use decoys, such as high-priced subscription renewals, to convince a target to call a listed phone number.
When a target calls the number, they will be asked to open a website to download the software required to redeem the renewal price.
When the emails embedded malicious links instead, the phishing domains were designed to impersonate top brands including Microsoft, Amazon and PayPal.
Clicking on the embedded links would open the default web browser and automatically download malware designed to connect to a second-stage domain to download portable versions of AnyDesk and ScreenConnect that connect to the attackers’ RMM server.
The use of portable remote desktop software executables allows malicious actors to access target systems as a local user without the need for administrator permissions or a full software installation, thereby circumventing software controls and challenging common risk management assumptions.
Breach of FCEB networks linked to refund scammers
Once they managed to gain a foothold on their targets’ devices, the threat actors used their access to try to trick victims into logging into their bank accounts so they could run refund scams.
“While this specific activity appears to be financially motivated and targets individuals, access could lead to additional malicious activity against the recipient’s organization, both from other cybercriminals and APT actors,” says the notice.
“Malicious cyber actors could leverage these same techniques to target National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks and use legitimate RMM software on work and home devices and accounts,” the NSA added.
Defenders are encouraged by CISA, NSA, and MS-ISAC to use the indicators of compromise shared in the advisory to detect potential exploitation or compromise.
The first-stage domain names used in the campaign follow naming patterns commonly used in IT help/support-themed social engineering scams: myhelpcare[.]online, myhelpcare[.]cc, hservice[.]live, gscare[.]live, nhelpcare[.]info, deskcare[.]live, nhelpcare[.]cc, win03[.]xyz, win01[.]xyz, 247secure[.]we.
Another active domain in this campaign seen by BleepingComputer is winbackup01[.]xyz.
The agencies also provided a list of measures designed to help mitigate these risks and protect networks against incoming attack attempts.
To protect against potential security breaches, companies and organizations should audit installed remote access tools and identify authorized RMM software.
Using application controls to prevent unauthorized RMM software from running, and using only authorized RMM software over approved remote access solutions such as VPN or VDI, are also recommended, as is blocking inbound and outbound connections on standard RMM ports and protocols.
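As an added example (not code from the advisory or from BleepingComputer), the following Python script applies the two detection angles above to constructed DNS and process-creation log lines: exact matches against the first-stage domains the advisory names plus a looser help-desk-naming heuristic, and executions of AnyDesk or ScreenConnect binaries from outside Program Files, which is how a portable, user-level copy shows up. The log format, hostnames, file paths, the "install root" policy and the heuristic word list are assumptions.

```python
import re

# A subset of the first-stage domains the advisory names (defanged in the text).
FIRST_STAGE_DOMAINS = {"myhelpcare.online", "myhelpcare.cc", "hservice.live", "gscare.live",
                       "nhelpcare.info", "nhelpcare.cc", "win03.xyz", "win01.xyz"}
# Assumed hunting heuristic: a help/support-themed label on one of the TLDs seen above.
HELPDESK_LABEL = re.compile(r"help|care|service|support|secure", re.I)
HELPDESK_TLDS = {"online", "cc", "live", "info", "xyz"}
# Assumed policy: authorized RMM installs live under Program Files; anything else is portable.
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

def classify_domain(domain):
    """Return 'ioc' for an advisory domain, 'pattern' for a look-alike, else None."""
    d = domain.replace("[.]", ".").lower()
    if d in FIRST_STAGE_DOMAINS:
        return "ioc"
    labels = d.split(".")
    if HELPDESK_LABEL.search(labels[0]) and labels[-1] in HELPDESK_TLDS:
        return "pattern"
    return None

def is_portable_rmm(image_path):
    """True when an AnyDesk/ScreenConnect binary runs from outside an install root."""
    p = image_path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    return name.startswith(("anydesk", "screenconnect")) and not p.startswith(INSTALL_ROOTS)

def scan(lines):
    """Constructed log format: 'DNS <host> <domain>' or 'PROC <host> <user> <image path>'."""
    findings = []
    for line in lines:
        parts = line.split()
        if parts[:1] == ["DNS"] and len(parts) == 3:
            verdict = classify_domain(parts[2])
            if verdict:
                findings.append((parts[1], verdict, parts[2]))
        elif parts[:1] == ["PROC"] and len(parts) >= 4:
            path = " ".join(parts[3:])  # image paths may contain spaces
            if is_portable_rmm(path):
                findings.append((parts[1], "portable_rmm", path))
    return findings

# Constructed sample telemetry, not from the advisory.
SAMPLE_LOG = [
    "DNS ws01 myhelpcare[.]online",
    "DNS ws02 deskhelp247[.]xyz",
    "PROC ws01 jdoe C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "PROC ws03 itadmin C:\\Program Files\\ScreenConnect Client\\ScreenConnect.WindowsClient.exe",
    "PROC ws02 asmith C:\\Users\\asmith\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe",
]
print(*scan(SAMPLE_LOG), sep="\n")
```

The ws03 launch from Program Files is deliberately not flagged; the pattern verdict is a hunting lead, not an IoC match, and needs the same analyst review the advisory's own indicators would.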
To further strengthen security, organizations should implement training programs and phishing drills to educate their employees about the risks of phishing and spearphishing emails.