<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Franklin Gothic Book";
panose-1:2 11 5 3 2 1 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.xmsobodytext, li.xmsobodytext, div.xmsobodytext
{mso-style-name:x_msobodytext;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.xcontentpasted1
{mso-style-name:x_contentpasted1;}
span.xcontentpasted2
{mso-style-name:x_contentpasted2;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:440228451;
mso-list-template-ids:-1888705362;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1943491344;
mso-list-template-ids:-1815550732;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">FYSA<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div style="margin-top:12.55pt;margin-right:31.7pt;margin-bottom:12.0pt">
<p class="MsoNormal" style="background:white"><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif"><o:p> </o:p></span></span></p>
<p class="MsoNormal" style="background:white"><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State
Information Sharing and Analysis Center (MS-ISAC) released </span></span><span class="xcontentpasted2"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">a
</span></span><span class="xcontentpasted2"><span style="font-size:12.0pt;color:black"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa23-025a"><span style="font-size:11.0pt;font-family:"Franklin Gothic Book",sans-serif">joint Cybersecurity Advisory</span></a></span></span><span class="xcontentpasted2"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">
(CSA)</span></span><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software. </span></span><span style="color:black"><o:p></o:p></span></p>
</div>
<p class="xmsobodytext" style="mso-margin-top-alt:12.55pt;margin-right:31.7pt;margin-bottom:12.0pt;margin-left:0in;background:white">
<span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">Recently, CISA assessed a potential, widespread cyber campaign involving the malicious use of legitimate RMM software. In October 2022, cybercriminal actors
sent phishing emails that led to the eventual download of legitimate RMM software, ScreenConnect (now called ConnectWise Control) and AnyDesk, enabling them to access the bank accounts of those recipients who fell victim to the phishing. The actors used this
access in a refund scam to steal money from the victims.</span></span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsobodytext" style="mso-margin-top-alt:12.55pt;margin-right:31.7pt;margin-bottom:12.0pt;margin-left:0in;background:white">
<span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">The threat actors used portable executables of RMM software as a way to establish local user access without the need for administrative privileges or a full
software installation, effectively bypassing common software controls and risk management assumptions. With local user access, threat actors can leverage a portable executable to attack other vulnerable machines within the local intranet, or to establish long-term
persistent access as a local user service. CISA, NSA, and MS-ISAC assess that this activity is part of a widespread, financially motivated phishing campaign related to the malicious typosquatting activity reported by Silent Push in a
</span></span><span style="color:black"><a href="https://www.silentpush.com/blog/silent-push-uncovers-a-large-phishing-operation-featuring-amazon-geek-squad-mcafee-microsoft-norton-and-paypal-domains"><span style="font-family:"Franklin Gothic Book",sans-serif">blog
post</span></a></span><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">. </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsobodytext" style="mso-margin-top-alt:12.55pt;margin-right:31.7pt;margin-bottom:12.0pt;margin-left:0in;background:white">
<span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">Although the campaign described in this advisory appears financially motivated, organizations should be aware that it could lead to additional malicious activity.
For instance, threat actors could sell victim account access to other cybercriminal actors or advanced persistent threat (APT) actors. Also, malicious cyber actors are known to use this access via legitimate software as a backdoor for persistence and for command
and control (C2). </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonormal" style="background:white"><span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:#030303">This advisory highlights several key points about the use of RMM software that network defenders should know. The advisory
contains the complete list, but a few of them are: </span></span><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3;background:white">
<span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:#030303">Threat actors can maliciously leverage any legitimate RMM software, not just ScreenConnect and AnyDesk; </span></span><span style="font-family:"Franklin Gothic Book",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3;background:white">
<span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:#030303">Because threat actors can download legitimate RMM software as self-contained, portable executables, they can bypass both administrative privilege requirements
and software management control policies to use it on victim systems; </span></span><span style="font-family:"Franklin Gothic Book",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3;background:white">
<span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:#030303">The use of RMM software generally does not trigger antivirus or antimalware defenses; and </span></span><span style="font-family:"Franklin Gothic Book",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3;background:white">
<span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:#030303">RMM software also allows cyber threat actors to avoid using custom malware. </span></span><span style="font-family:"Franklin Gothic Book",sans-serif"><o:p></o:p></span></li></ul>
<p class="xmsobodytext" style="mso-margin-top-alt:12.55pt;margin-right:31.7pt;margin-bottom:12.0pt;margin-left:0in;background:white">
<span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">The advisory, “</span></span><span style="color:black"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa23-025a"><span style="font-family:"Franklin Gothic Book",sans-serif">Protecting
Against the Malicious Use of Remote Monitoring and Management Software</span></a></span><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">,<span class="xcontentpasted1">” provides indicators of compromise (IOCs) to help network defenders
detect whether this activity is present on their networks. It also provides additional resources and mitigations to help organizations protect against possible exploitation or compromise. </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsobodytext" style="mso-margin-top-alt:12.55pt;margin-right:31.7pt;margin-bottom:12.0pt;margin-left:0in;background:white">
<span class="xcontentpasted1"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">And as always, thank you for your continued collaboration.</span></span><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonormal" align="center" style="text-align:center;background:white"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span class="xcontentpasted1"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span></span><b><span style="color:#1F497D">Theresa A. Masse</span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity and Infrastructure Security Agency<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Department of Homeland Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Phone: (503) 930-5671
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Email:</span><span style="font-size:10.0pt;color:#777777">
</span><a href="mailto:theresa.masse@cisa.dhs.gov"><span style="font-size:10.0pt;color:#0563C1">theresa.masse@cisa.dhs.gov</span></a><u><span style="font-size:10.0pt;color:#0760C1"><o:p></o:p></span></u></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><img border="0" width="97" height="97" style="width:1.0138in;height:1.0138in" id="Picture_x0020_1" src="cid:image001.png@01D930AF.FBB36B70"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
</div>
</body>
</html>