A Note From the CISA, NSA, and MS-ISAC
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have identified a financially motivated, malicious cyber campaign that uses Remote Monitoring and Management (RMM) software to grant cyber criminals local user access without the need for privileges typically reserved for administrators. This access allowed cybercriminals to circumvent any software controls or risk management assumptions. In addition to financial motivation, threat actors with access to an organization’s endpoints and network through an RMM could sell this access to more ruthless cyber criminals with more malicious intents.
How it Happened
Like most other cyber attacks, the attack originated with phishing scams in June of 2022. It was discovered when bi-directional traffic began going back and forth between the network of a federal civilian executive branch (FCEB) and a malicious site. These phishing scams were themed around “product refunds,” which were sent to the FCEB’s employees’ official government emails. At the bottom of said emails was a phone number that directed unsuspecting victims to a malicious site sending and receiving traffic with the FCEB. When the recipient of one of these emails arrived at the mentioned malicious site, it would trigger the redirection to a second-stage domain with malicious properties, downloading AnyDesk and ScreenConnect as self-contained executables configured to connect to a threat actor’s RMM server.
The Motive
CISA explains that threat actors often target users of legitimate RMM software like MSPs and IT help desks, those who regularly use these helpful tools for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions. MSPs make prime victims to threat actors using weaponized RMMs, because they are trusted by countless organizations to handle access to their endpoints and networks, thus having access to sensitive data like personal data, financial data, or healthcare-related data.
Mitigation Tactics
Recommendations to mitigate this style of attack have been established and shared in a collaborative effort by the CISA, NSA, and MS-ISA. IT Professionals using RMM tools should implement strategies into their security stack, including, but not limited to:
- Audit remote access tools on your network to identify currently used and/or authorized RMM software.
- Implement application controls to manage and control the execution of software, including allowlisting RMM programs.
- Use only authorized RMM software on your network over approved remote access solutions, such as VPN or VDI.
- Block both inbound and outbound connections on common RMM ports and protocols.