The Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory to warn network defenders about the malicious use of legitimate remote monitoring and management (RMM) software tools.
The document, published Wednesday in collaboration with the National Security Agency (NSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), also mentions an October 2022 cyber campaign involving the malicious use of RMM solutions.
“Specifically, cyber-criminal actors sent phishing emails that led to the download of legitimate RMM software – ScreenConnect (now ConnectWise Control) and AnyDesk – which the actors used in a refund scam to steal money from victim bank accounts,” CISA wrote.
According to the government agencies, the campaign appeared financially motivated, but it could potentially lead to additional types of malicious activity.
“For example, the actors could sell victim account access to other cyber-criminal or advanced persistent threat (APT) actors,” reads the advisory.
After gaining access to the target network via phishing or other techniques, the threat actors (who CISA connected to nation-state-sponsored APTs) used legitimate RMM software as a backdoor for persistence or command and control (C2).
“Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation – effectively bypassing common software controls and risk management assumptions,” CISA said.
The CISA advisory includes Indicators of Compromise (IOCs) and Mitigations regarding the aforementioned campaign to aid network defenders in protecting their systems from the malicious use of legitimate RMM software.
“The tricky part is that malicious activity of this type is not always obvious to a vendor,” commented Mike Walters, VP of vulnerability and threat research at Action1."
“Indicators of threat actors using your tool can be someone setting up an account minutes after creating the associated admin email domain or regularly deleting all endpoints in an account and replacing them with a completely new set of devices.”
Still, the security expert told Infosecurity that companies can deploy solutions to detect hackers’ attempts to misuse the solution and terminate their activity before they accomplish their goals.
“I would emphasize the need for organizations to enforce anti-phishing controls and build strong cybersecurity awareness. It includes fine-tuning their spam filters and implementing multi-factor authentication (MFA) to eliminate threat actors’ chances to use corporate email domains to distribute phishing emails through stolen credentials.”
The CISA advisory comes a few months after the Agency published the final part of its three-section series on how to secure the software supply chain.