CISA: Federal Agencies Hacked Using Legitimate Remote Desktop Tools – BleepingComputer

CISA, the NSA and MS-ISAC warned in a joint advisory today that attackers are increasingly using legitimate Remote Monitoring and Management (RMM) software for malicious purposes.

Of even greater concern, following the release of a Silent Push report in mid-October 2022, CISA discovered malicious activity on the networks of several Federal Civilian Executive Branch (FCEB) agencies using the EINSTEIN intrusion detection system.

This activity was associated with the “widespread financially motivated phishing campaign” reported by Silent Push and was detected on “many other FCEB networks” after first being detected on a single FCEB network in mid-September 2022.

The attackers behind this campaign have been sending helpdesk phishing emails to federal government employees and private email addresses since at least mid-June 2022.

“The originator organizations believe that since at least June 2022, cybercriminals have been sending helpdesk-themed phishing emails to the personal and government email addresses of FCEB federal employees,” the advisory reads.

“The emails either contain a link to a first-tier malicious domain or encourage recipients to call the cybercriminals, who then try to convince recipients to visit the first-tier malicious domain.”

Callback phishing attacks like the ones used in this campaign against FCEB employees have seen a massive 625% growth since Q1 2021 and have also been adopted by ransomware gangs.

These groups include those that forked off from cybercrime operation Conti, such as the Silent Ransom Group, Quantum (now Dagon Locker), and Royal.

Callback phishing email (BleepingComputer)

Unlike regular phishing emails, callback phishing messages do not include a link to an attacker’s website. Instead, they use lures such as high-priced subscription renewals to persuade the target to call a listed phone number.

When a target calls the number, they are told to open a website and download software supposedly required to process the refund of the renewal charge.

When the emails instead embedded malicious links, the phishing domains used were designed to impersonate high-profile brands like Microsoft, Amazon, and Paypal.

Clicking on the embedded links would open the default web browser and automatically download malware designed to connect to a second-stage domain, which in turn downloads portable versions of AnyDesk and ScreenConnect that connect to the attackers’ RMM server.

The use of portable remote desktop executables allows malicious actors to gain access to the target’s system as a local user, without requiring administrator privileges or a full software installation, thereby bypassing software controls and undermining common risk management assumptions.

FCEB network breach linked to refund scammers

Once they managed to gain a foothold on their targets’ devices, the attackers used their access to trick victims into logging into their bank accounts so they could initiate refund scams.

“Although this specific activity appears to be financially motivated and targeted at individuals, access could lead to additional malicious activity against the recipient’s organization – both by other cybercriminals and APT actors,” the advisory reads.

“Malicious cyber actors could use the same techniques to attack National Security Systems (NSS), Department of Defense (DoD) and Defense Industrial Base (DIB) networks and use legitimate RMM software on both work and home devices and accounts,” the NSA added.

Defenders are encouraged by CISA, NSA, and MS-ISAC to use the indicators of compromise shared with the advisory to identify potential exploitation or compromise.

The first-tier domain names used in the campaign follow naming patterns commonly used in social engineering scams involving IT help/support: myhelpcare[.]on-line, my help[.]cc, hservice[.]live, gscare[.]live, nhelpcare[.]info, deskcareme[.]live, nhelpcare[.]cc, win03[.]xyz, win01[.]xyz, 247 sure[.]us.

Another active domain in this campaign that BleepingComputer saw is winbackup01[.]xyz.
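The domains above are the kind of indicator a defender would load into DNS monitoring. The following is an added example (not code from BleepingComputer, CISA or the advisory) that runs the cleanly extracted indicators from this article, plus a simple help/support naming heuristic, over a few constructed DNS query log lines; the log format, the client addresses and the `helpdesk-care.example` lookalike are all assumptions made for the example.

```python
import re

# Defanged first-tier domains reported for this campaign, copied from the article above
# (only the entries that extracted cleanly are included; the garbled ones are left out).
REPORTED_DOMAINS = {
    "hservice[.]live", "gscare[.]live", "nhelpcare[.]info", "deskcareme[.]live",
    "nhelpcare[.]cc", "win03[.]xyz", "win01[.]xyz", "winbackup01[.]xyz",
}

# Tokens typical of the IT help/support naming pattern the advisory describes.
HELPDESK_TOKENS = ("help", "care", "desk", "service", "support")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'gscare[.]live' into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower()


IOC_HOSTS = {refang(d) for d in REPORTED_DOMAINS}


def second_level_label(host: str) -> str:
    """Return the label left of the TLD ('gscare' for 'www.gscare.live')."""
    labels = host.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(host: str) -> str:
    """'ioc_match' for a listed domain or its subdomains, 'helpdesk_pattern' for
    an unlisted name carrying two or more help/support tokens, else 'clean'."""
    host = host.strip().lower().rstrip(".")
    if host in IOC_HOSTS or any(host.endswith("." + ioc) for ioc in IOC_HOSTS):
        return "ioc_match"
    label = second_level_label(host)
    hits = [t for t in HELPDESK_TOKENS if t in label]
    if len(hits) >= 2:
        return "helpdesk_pattern"
    return "clean"


# Assumed resolver log format: "<timestamp> client=<ip> query=<name> type=<rrtype>".
LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def scan_dns_log(lines):
    """Return (client, queried name, verdict) for every non-clean query."""
    alerts = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # malformed or unrelated line
        verdict = classify(m["qname"])
        if verdict != "clean":
            alerts.append((m["client"], m["qname"].lower().rstrip("."), verdict))
    return alerts


# Constructed sample log: two hits on listed domains, one lookalike, two benign queries.
SAMPLE_DNS_LOG = [
    "2022-10-12T09:58:11Z client=10.20.4.17 query=gscare.live. type=A",
    "2022-10-12T09:58:40Z client=10.20.4.17 query=www.nhelpcare.cc type=A",
    "2022-10-12T10:02:03Z client=10.20.7.3 query=login.microsoftonline.com type=A",
    "2022-10-12T10:05:55Z client=10.20.9.8 query=helpdesk-care.example type=A",
    "2022-10-12T10:06:10Z client=10.20.9.8 query=support.example.com type=A",
    "this line is not a query record",
]

if __name__ == "__main__":
    for client, name, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client:<12} {name:<32} {verdict}")
```

The exact-match branch is the reliable part; the token heuristic will also flag legitimate helpdesk portals, so treat `helpdesk_pattern` as a triage signal for newly seen domains rather than a blocking verdict.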

CISA encourages network defenders to review the advisory for indicators of compromise, best practices, and recommended mitigations, which highlight the threat of additional types of malicious activity using RMM, including its use as a persistence and/or command and control (C2) backdoor. — CISA

The agencies also provided a list of measures to help mitigate such risks and ensure networks are protected from incoming attack attempts.

To protect against potential security breaches, businesses and organizations should review installed remote access tools and identify authorized RMM software.

They also recommend using application controls to prevent unauthorized RMM software from running, using authorized RMM software only via approved remote access solutions such as VPN or VDI, and blocking inbound and outbound connections on standard RMM ports and protocols.

To further improve security, organizations should implement training programs and phishing exercises to raise employee awareness of the risks associated with phishing and spearphishing emails.
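The inventory and application-control steps above, and the portable-executable technique described earlier in the article, both come down to one question per process start: is this RMM binary the one the organization authorized, launched from its managed install location? The following is an added example (not code from BleepingComputer, CISA or the advisory) that evaluates that question over constructed endpoint process-creation events. The allowlisted ScreenConnect install path, the executable names used to recognize AnyDesk and ScreenConnect, the host names and the user names are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed allowlist: the only RMM binary this hypothetical organisation has authorised,
# identified by its managed install path (assumed path and product for the example).
AUTHORIZED_RMM_PATHS = {
    "c:\\program files (x86)\\screenconnect client\\screenconnect.clientservice.exe",
}

# Substrings that identify the RMM products named in the advisory (assumed file names).
RMM_NAME_HINTS = ("anydesk", "screenconnect")

# Locations a standard user can write to. An RMM binary started from here never went
# through an admin-gated install: this is the portable-executable case the article describes.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\desktop\\")

# Parents that indicate the binary arrived as a browser download.
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str         # full path of the started executable
    parent_image: str  # full path of the parent process


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def looks_like_rmm(image: str) -> bool:
    """True when the executable name matches one of the known RMM products."""
    return any(hint in _basename(image) for hint in RMM_NAME_HINTS)


def assess(ev: ProcessEvent) -> list:
    """Return the reasons an event is suspicious; an empty list means allowed."""
    path = ev.image.lower()
    if not looks_like_rmm(path) or path in AUTHORIZED_RMM_PATHS:
        return []
    reasons = ["rmm_not_in_allowlist"]
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        reasons.append("portable_from_user_writable_dir")
    if _basename(ev.parent_image) in BROWSERS:
        reasons.append("spawned_by_browser")
    return reasons


def audit(events) -> list:
    """Return (host, user, image, reasons) for every event that fails the policy."""
    findings = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            findings.append((ev.host, ev.user, ev.image, reasons))
    return findings


# Constructed telemetry: one authorised agent, one browser-downloaded AnyDesk,
# one portable ScreenConnect client in a temp folder, one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent("ws-0412", "CORP\\jdoe",
                 "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
                 "C:\\Windows\\System32\\services.exe"),
    ProcessEvent("ws-0412", "CORP\\jdoe",
                 "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
                 "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),
    ProcessEvent("ws-0587", "CORP\\asmith",
                 "C:\\Users\\asmith\\AppData\\Local\\Temp\\ScreenConnect.WindowsClient.exe",
                 "C:\\Windows\\explorer.exe"),
    ProcessEvent("ws-0587", "CORP\\asmith",
                 "C:\\Windows\\System32\\notepad.exe",
                 "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for host, user, image, reasons in audit(SAMPLE_EVENTS):
        print(f"{host} {user} {image}: {', '.join(reasons)}")
```

The detection side shown here is what you run over existing telemetry to find RMM already present; the preventive counterpart is expressing the same allowlist as a path or publisher rule in an application-control mechanism such as AppLocker or WDAC, so that the portable copy in a Downloads folder never starts at all.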