Cyber criminals are actively exploiting remote management software to aid phishing scams and steal money from victims, a joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) has warned.
The warning comes following the discovery of an email phishing campaign that tricks victims into downloading legitimate remote monitoring and management (RMM) software, which allows attackers to gain access to bank accounts.
Crucially, it does so without triggering antivirus alerts because the RMM tool is a genuine application with a legitimate use case, and that is something cyber criminals can exploit as a workaround, rather than attempting to trick victims into downloading malware that could set off warnings.
According to CISA and the NSA, while this campaign is specifically targeting finances, the remote access gained means attackers could use it for other malicious purposes, such as stealing usernames and passwords, and installing backdoors to compromise systems, which could be used to launch ransomware attacks.
The attacks, believed to be the work of a financially motivated cyber-criminal gang, have been ongoing since at least June 2022, and begin with phishing emails designed to manipulate victims.
According to the advisory, one common phishing template being leveraged in these attacks is a message that claims an annual subscription is about to be automatically renewed at a cost of hundreds of dollars.
This is designed to panic victims into calling the ‘help desk’ listed in the email. If they do this, the help desk — operated by scammers — will attempt to convince the victim to download remote management software to ‘help’ them with their query and cancel the payment.
But in reality, no payment is about to occur and all the attackers want to do is convince the victim to log in to their online bank account while the remote management software is active. The attackers use this access to the bank account to steal money from the victim.
In this campaign, the attackers are using ScreenConnect and AnyDesk, but the advisory warns that they can use any legitimate remote management software. And because attackers can download legitimate RMM software as self-contained, portable executables, they can bypass both administrative privilege requirements and software management control policies.
“Threat actors often target legitimate users of RMM software. Targets can include managed service providers (MSPs) and IT help desks, who regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions,” warns the advisory.
According to CISA, actions that can help avoid falling victim to this and similar campaigns include implementing best practices to block phishing emails and carefully monitoring activity on the network to identify suspicious or unwarranted use of software.
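One concrete form the "monitor for unwarranted use of software" advice can take is a process-creation check that distinguishes a portable RMM client dropped in a user's Downloads or Temp folder from a sanctioned, centrally installed one. The script below is an added example written for this article and is not code from CISA, the NSA, or the vendors of the tools named. It replays constructed process-creation records of the kind an EDR or Sysmon feed would produce; the executable names in RMM_BINARIES, the path patterns, the parent-process list and the sample paths are all assumptions chosen for illustration and should be adjusted to the tools an organisation actually approves.

```python
"""Flag launches of remote-management binaries from user-writable locations.

Added example, not code from the advisory or the article. A phishing-delivered
RMM client is usually a self-contained executable that runs from a folder the
victim can write to, so the location it starts from, and what started it, are
useful signals even when the binary itself is legitimate and signed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed file names of RMM client binaries worth watching (compared lower-case).
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.clientsetup.exe",
    "screenconnect.windowsclient.exe",
}

# Directories an unprivileged user can write to. A portable client dropped by a
# phishing page typically runs from one of these rather than Program Files.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|documents|appdata\\local\\temp)\\"
    r"|^[a-z]:\\(temp|windows\\temp)\\",
    re.IGNORECASE,
)

# Parents that show the binary was started straight from a browser or mail client.
DOWNLOAD_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the newly created process
    parent_image: str  # full path of the process that created it
    user: str          # account the new process runs as


@dataclass(frozen=True)
class Alert:
    severity: str      # "high", "medium" or "low"
    reason: str
    event: ProcessEvent


def classify(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert for RMM launches, graded by how much they resemble
    a portable, user-delivered client; None for everything else."""
    name = ntpath.basename(event.image).lower()
    if name not in RMM_BINARIES:
        return None
    parent = ntpath.basename(event.parent_image).lower()
    in_user_dir = USER_WRITABLE.match(event.image) is not None
    if in_user_dir and parent in DOWNLOAD_PARENTS:
        return Alert("high", f"{name} run from user-writable path directly from {parent}", event)
    if in_user_dir:
        return Alert("medium", f"{name} run from user-writable path", event)
    # Installed location: still worth confirming it is a sanctioned deployment.
    return Alert("low", f"{name} running from installed location; confirm it is approved", event)


def scan(events: List[ProcessEvent]) -> List[Alert]:
    """Apply classify() to a batch of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert is not None]


# Constructed sample telemetry (not real events); paths are illustrative only.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\Downloads\AnyDesk.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"CORP\alice"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
                 r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcessEvent(r"C:\Program Files (x86)\ScreenConnect Client (example)\ScreenConnect.WindowsClient.exe",
                 r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", r"CORP\alice"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {alert.reason} (user={alert.event.user})")
```

In the sample batch the browser-launched AnyDesk binary in Downloads is rated high, the ScreenConnect setup executable in Temp is rated medium, the client running from its installed location is rated low so that an analyst can reconcile it against the approved deployment list, and the unrelated process produces nothing. The same logic ports directly to a SIEM rule: the two fields it needs, image path and parent image, are present in any standard process-creation event.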
The agency also suggests implementing a user-training program and running phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments.