CISA, NSA, MS-ISAC warn network defenders to protect against malicious use of RMM software

2023.01.26

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued on Wednesday a joint Cybersecurity Advisory (CSA) to warn network defenders about the malicious use of legitimate remote monitoring and management (RMM) software. The agencies have called upon organizations to review the Indicators of Compromise (IOCs) and mitigations sections in the advisory. Furthermore, they must apply the recommendations to protect against the malicious use of legitimate RMM software.

“In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts,” the agencies wrote in the advisory. “Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity.” 

For instance, the advisory noted, the hackers could sell victim account access to other cyber-criminal or advanced persistent threat (APT) actors. “This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2),” it added.

Using portable executables of RMM software provides a way for hackers to establish local user access without the need for administrative privilege and full software installation, which helps to bypass common software controls and risk management assumptions.

The advisory assesses that since at least June 2022, cyber-criminal actors have sent help desk-themed phishing emails to the personal and government email addresses of Federal Civilian Executive Branch (FCEB) staff. “The emails either contain a link to a ‘first-stage’ malicious domain or prompt the recipients to call the cybercriminals, who then try to convince the recipients to visit the first-stage malicious domain.”

The recipient visiting the first-stage malicious domain triggers the download of an executable, according to the advisory. “The executable then connects to a ‘second-stage’ malicious domain, from which it downloads additional RMM software. CISA noted that the actors did not install downloaded RMM clients on the compromised host. Instead, the actors downloaded AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the actor’s RMM server,” it added.

In the campaign, the advisory said after downloading the RMM software, the hackers used the software to initiate a refund scam. They first connected to the recipient’s system and enticed the recipient to log into their bank account while remaining connected to the system. The cybercriminals then used their access to modify the recipient’s bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The hackers then instructed the recipient to ‘refund’ this excess amount to the scam operator.

Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cyber criminals and APT actors. 

The advisory alerted network defenders to be aware that although the cybercriminal actors in this campaign used ScreenConnect and AnyDesk, threat actors can maliciously leverage any legitimate RMM software. “Because threat actors can download legitimate RMM software as self-contained, portable executables, they can bypass both administrative privilege requirements and software management control policies. The use of RMM software generally does not trigger antivirus or antimalware defenses,” it added.

Additionally, malicious cyber actors are known to leverage legitimate RMM and remote desktop software as backdoors for persistence and for C2. Further, RMM software allows cyber threat actors to avoid using custom malware.

Hackers often target legitimate users of the software. Targets can include managed service providers (MSPs), who regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and remote interaction with hosts for IT-support functions. These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP’s customers. MSP compromises can introduce significant risks—such as ransomware and cyber espionage—to the MSP’s customers.

The advisory recommends that network defenders implement best practices to block phishing emails, audit remote access tools on the network to identify currently used and/or authorized RMM software, review logs for the execution of RMM software to detect abnormal use of programs running as a portable executable, and deploy security software to detect instances of the software only being loaded in memory. 

Additionally, the agencies suggest implementing application controls to manage and control the execution of software, including allow listing approved RMM programs, and requiring that authorized RMM solutions be used only from within the network, over approved remote access solutions.
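The two recommendations above (review execution logs for portable RMM binaries, and allow list where approved RMM tools may run from) can be combined into one detection pass. The following is an added example, not code from the advisory or the agencies: it parses constructed Sysmon-style process-creation records and flags AnyDesk or ScreenConnect images launched from outside an assumed set of approved install directories. The approved directories and the ScreenConnect client image names are assumptions for the example.

```python
"""Flag RMM executables launched outside approved install paths (added example)."""
import json
from pathlib import PureWindowsPath

# Assumed allow list: RMM binaries are only approved from these install directories.
APPROVED_INSTALL_DIRS = {
    r"C:\Program Files\ScreenConnect Client",
    r"C:\Program Files (x86)\AnyDesk",
}
# Image names associated with the two RMM tools named in the advisory (assumed names).
RMM_IMAGE_NAMES = {"anydesk.exe", "screenconnect.clientservice.exe"}


def is_rmm_image(image):
    """True if the process image looks like an AnyDesk or ScreenConnect client."""
    name = PureWindowsPath(image).name.lower()
    return name in RMM_IMAGE_NAMES or name.startswith("screenconnect")


def is_approved_path(image):
    """True if the image sits under one of the allow-listed install directories."""
    parent = str(PureWindowsPath(image).parent).lower()
    return any(parent.startswith(d.lower()) for d in APPROVED_INSTALL_DIRS)


def parse_events(text):
    """Parse one JSON record per line, keeping only process-creation (EventID 1) records."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e.get("EventID") == 1]


def find_unapproved_rmm(events):
    """Return (host, user, image) for RMM launches outside approved directories,
    i.e. the portable-executable pattern the advisory describes."""
    hits = []
    for e in events:
        image = e.get("Image", "")
        if is_rmm_image(image) and not is_approved_path(image):
            hits.append((e["Computer"], e["User"], image))
    return hits


# Constructed sample log: Sysmon-style process-creation records, one JSON object per line.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}
{"EventID": 1, "Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\Users\\bob\\Downloads\\AnyDesk.exe"}
{"EventID": 1, "Computer": "WS03", "User": "CORP\\carol", "Image": "C:\\Users\\carol\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe"}
{"EventID": 1, "Computer": "WS03", "User": "CORP\\carol", "Image": "C:\\Windows\\System32\\notepad.exe"}
"""

if __name__ == "__main__":
    for host, user, image in find_unapproved_rmm(parse_events(SAMPLE_LOG)):
        print(f"unapproved RMM launch on {host} by {user}: {image}")
```

A name-based match misses renamed binaries, so in production pair this with the signer or file hash of the RMM client rather than the image name alone.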

It also advised blocking both inbound and outbound connections on common RMM ports and protocols at the network perimeter. Moreover, organizations must implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. They must also reinforce the appropriate user response to phishing and spearphishing emails.
