Feds Warn of Malicious Use of RMM Software in Callback Phishing Attacks

By | January 26, 2023

Cybercriminals are increasingly using legitimate remote monitoring and management (RMM) software in their attacks, according to a recent joint alert from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The campaign was first identified in October 2022 and involves callback phishing. The emails used in this campaign are difficult for email security solutions to identify as malicious as they contain no malicious hyperlinks or attachments. The emails notify the recipient about an impending charge and a phone number is provided in the email for the user to call if they want to avoid the charge being applied.

The charges typically relate to a software solution that is coming to the end of a free trial. The user is told that the full price of the software will be charged to the user’s account if no action is taken. Due to the high cost of the software, there is a reasonably high chance that the number will be called. The call is answered and social engineering techniques are used to convince the user to navigate to a malicious domain and download software, which they are told is required to remove the software and prevent the charge. The software connects to a second-stage domain and downloads a portable version of legitimate remote access software such as AnyDesk and ScreenConnect. If executed, the software will connect to the attacker’s RMM server and provide the attacker with access to the user’s device.

The self-contained, portable versions of these remote access solutions do not require an installation, and as such do not require administrator privileges. Organizations may have security controls in place to prohibit the installation of this software on the network, but portable versions will bypass these security controls and will allow the attacker to access the user’s device as a local user. They can then move to other vulnerable machines within the local intranet or establish persistent access as a local user service.  One of the main aims of these attacks is to trick users into logging into their bank accounts to initiate a refund scam. The attackers remain connected while the user accesses their bank account, and the user’s bank account summary is modified to make it appear that an excess amount of money had been refunded. The user was then told to refund the excess to the operator of the scam.

CISA conducted a retrospective analysis of the federal civilian executive branch (FCEB) intrusion detection system (IDS) based on third-party reporting and identified malicious activity on two FCEB networks that had been compromised using this technique. Further analysis identified malicious activity on many other FCEB networks, which the agencies were able to link to a broader financially motivated phishing campaign, related to a typosquatting campaign uncovered by Silent Push that spoofed Amazon, Microsoft, Geek Squad, McAfee, Norton, and PayPal domains. Initially, this campaign involved helpdesk-themed emails that directed users to a website spoofing one of these brands, then they started conducting callback phishing attacks. The campaign has been active since at least June 2022.

While this campaign leverages AnyDesk and ScreenConnect, other types of RMM software could be packaged into self-contained portable executables. These types of attacks are far easier to conduct than creating custom malware that provides remote access and distributing that malware in phishing emails. The federal agencies encourage all FCEB agencies and network defenders at other organizations to review the Indicators of Compromise (IOCs) and mitigations provided in the security alert to protect against the malicious use of RMM software.

The post Feds Warn of Malicious Use of RMM Software in Callback Phishing Attacks appeared first on HIPAA Journal.