[CDP-development] Joint Cybersecurity Advisory on Protecting Against Malicious Use of Remote Monitoring and Management Software

Masse, Theresa theresa.masse at cisa.dhs.gov
Wed Jan 25 11:27:44 PST 2023


FYSA

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) <https://www.cisa.gov/uscert/ncas/alerts/aa23-025a> to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software.

Recently, CISA assessed a potential, widespread cyber campaign involving the malicious use of legitimate RMM software. In October 2022, cybercriminal actors sent phishing emails that led to the eventual download of legitimate RMM software, ScreenConnect (now called ConnectWise Control) and AnyDesk, enabling them to access the bank accounts of those recipients who fell victim to the phishing. The actors used this access in a refund scam to steal money from the victims.

The threat actors used portable executables of RMM software as a way to establish local user access without the need for administrative privilege and full software installation, effectively bypassing common software controls and risk management assumptions. With local user access, threat actors can leverage a portable executable to attack other vulnerable machines within the local intranet, or to establish long-term persistent access as a local user service. CISA, NSA, and MS-ISAC assess this activity is part of a widespread, financially motivated phishing campaign that is related to malicious typosquatting activity reported by Silent Push in a blog post <https://www.silentpush.com/blog/silent-push-uncovers-a-large-phishing-operation-featuring-amazon-geek-squad-mcafee-microsoft-norton-and-paypal-domains>.

Although the campaign described in this advisory appears financially motivated, organizations should be aware that it could lead to additional malicious activity. For instance, threat actors could sell victim account access to other cybercriminal actors or advanced persistent threat (APT) actors. Also, malicious cyber actors are known to use this access via legitimate software as a backdoor for persistence and for command and control (C2).

This advisory describes several facets of RMM software use that network defenders should know. The advisory contains the complete list, but a few of them are:

* Threat actors can maliciously leverage any legitimate RMM software, not just ScreenConnect and AnyDesk;
* Because threat actors can download legitimate RMM software as self-contained, portable executables, they can bypass both administrative privilege requirements and software management control policies to use it on victim systems;
* The use of RMM software generally does not trigger antivirus or antimalware defenses; and
* RMM software also allows cyber threat actors to avoid using custom malware.

The advisory, "Protecting Against the Malicious Use of Remote Monitoring and Management Software" <https://www.cisa.gov/uscert/ncas/alerts/aa23-025a>, provides indicators of compromise (IOCs) to help network defenders detect if this activity is on their networks. It also provides additional resources and mitigations to help organizations protect against possible exploitation or compromise.

And as always, thank you for your continued collaboration.


Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov
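The portable-executable pattern the message describes (an RMM client launched by an ordinary user from a download or temp folder rather than from an administrator-managed install path) is something endpoint telemetry can surface directly. The following detection routine is an added example and is not part of the advisory or this message; the binary names, the managed-path list and the process-creation records are constructed assumptions to be replaced with your own inventory and telemetry.

```python
"""Flag RMM binaries from the advisory when they run from user-writable locations."""
from pathlib import PureWindowsPath

# Binary names the two RMM products in the advisory commonly ship under
# (assumption: illustrative; extend from your own software inventory).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect/ConnectWise Control",
    "screenconnect.windowsclient.exe": "ScreenConnect/ConnectWise Control",
}

# Roots an administrator-approved install lives under. A portable copy run by a
# local user cannot be written here without elevation, so any other location
# matches the pattern the advisory describes.
MANAGED_ROOTS = ("C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Windows\\")


def is_managed_path(image: str) -> bool:
    """True when the executable path sits under an admin-controlled install root."""
    return any(image.lower().startswith(root.lower()) for root in MANAGED_ROOTS)


def flag_portable_rmm(records):
    """records: 'time|host|user|image|parent' lines (constructed format). Returns findings."""
    findings = []
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        time, host, user, image, parent = line.split("|", 4)
        product = RMM_BINARIES.get(PureWindowsPath(image).name.lower())
        if product and not is_managed_path(image):
            findings.append({"time": time, "host": host, "user": user, "product": product,
                             "image": image, "parent": PureWindowsPath(parent).name})
    return findings


# Constructed process-creation events (Sysmon-style fields, not advisory IOCs).
SAMPLE_EVENTS = [
    "2023-01-20T14:02:11|WS-17|corp\\jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe|chrome.exe",
    "2023-01-20T14:02:40|WS-17|corp\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\"
    "ScreenConnect.WindowsClient.exe|outlook.exe",
    "2023-01-20T09:15:02|WS-03|corp\\helpdesk|C:\\Program Files (x86)\\ScreenConnect Client\\"
    "ScreenConnect.ClientService.exe|services.exe",
    "2023-01-20T09:16:30|WS-03|corp\\helpdesk|C:\\Windows\\System32\\notepad.exe|explorer.exe",
]

if __name__ == "__main__":
    for f in flag_portable_rmm(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {f['user']}: portable {f['product']} from "
              f"{f['image']} (parent {f['parent']})")
```

The helpdesk-run client under Program Files is left alone; the two copies launched from the user's Downloads and Temp folders, with a browser and mail client as parents, are the events worth routing to an analyst.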



