The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software. In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.
Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cyber criminal or advanced persistent threat (APT) actors. This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).
Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions.
The authoring organizations strongly encourage network defenders to review the Indicators of Compromise (IOCs) and Mitigations sections in this CSA and apply the recommendations to protect against malicious use of legitimate RMM software.
Download the PDF version of this report: pdf, 608 kb.
For a downloadable copy of IOCs, see AA23-025.stix (STIX, 19 kb).
In October 2022, CISA used trusted third-party reporting, to conduct retrospective analysis of EINSTEIN—a federal civilian executive branch (FCEB)-wide intrusion detection system (IDS) operated and monitored by CISA—and identified suspected malicious activity on two FCEB networks:
Based on further EINSTEIN analysis and incident response support, CISA identified related activity on many other FCEB networks. The authoring organizations assess this activity is part of a widespread, financially motivated phishing campaign and is related to malicious typosquatting activity reported by Silent Push in the blog post Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains.
The authoring organizations assess that since at least June 2022, cyber criminal actors have sent help desk-themed phishing emails to FCEB federal staff’s personal, and government email addresses. The emails either contain a link to a “first-stage” malicious domain or prompt the recipients to call the cybercriminals, who then try to convince the recipients to visit the first-stage malicious domain. See figure 1 for an example phishing email obtained from an FCEB network.
Figure 1: Help desk-themed phishing email example
The recipient visiting the first-stage malicious domain triggers the download of an executable. The executable then connects to a “second-stage” malicious domain, from which it downloads additional RMM software.
CISA noted that the actors did not install downloaded RMM clients on the compromised host. Instead, the actors downloaded AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the actor’s RMM server.
Note: Portable executables launch within the user’s context without installation. Because portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software’s installation on the network. Threat actors can leverage a portable executable with local user rights to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service.
CISA has observed that multiple first-stage domain names follow naming patterns used for IT help/support themed social-engineering, e.g., hservice[.]live, gscare[.]live, nhelpcare[.]info, deskcareme[.]live, nhelpcare[.]cc). According to Silent Push, some of these malicious domains impersonate known brands such as, Norton, GeekSupport, Geek Squad, Amazon, Microsoft, McAfee, and PayPal.[1] CISA has also observed that the first-stage malicious domain linked in the initial phishing email periodically redirects to other sites for additional redirects and downloads of RMM software.
In this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam. They first connected to the recipient’s system and enticed the recipient to log into their bank account while remaining connected to the system. The actors then used their access through the RMM software to modify the recipient’s bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to “refund” this excess amount to the scam operator.
Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors. Network defenders should be aware that:
Threat actors often target legitimate users of RMM software. Targets can include managed service providers (MSPs) and IT help desks, who regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions. These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP’s customers. MSP compromises can introduce significant risk—such as ransomware and cyber espionage—to the MSP’s customers.
The authoring organizations strongly encourage network defenders to apply the recommendations in the Mitigations section of this CSA to protect against malicious use of legitimate RMM software.
See table 1 for IOCs associated with the campaign detailed in this CSA.
Table 1: Malicious Domains and IP addresses observed by CISA
Domain
|
Description
|
Date(s) Observed
—|—|—
win03[.]xyz
|
Suspected first-stage malware domain
|
June 1, 2022
July 19, 2022
myhelpcare[.]online
|
Suspected first-stage malware domain
|
June 14, 2022
win01[.]xyz
|
Suspected first-stage malware domain
|
August 3, 2022
August 18, 2022
myhelpcare[.]cc
|
Suspected first-stage malware domain
|
September 14, 2022
247secure[.]us
|
Second-stage malicious domain
|
October 19, 2022
November 10, 2022
Additional resources to detect possible exploitation or compromise:
The authoring organizations encourage network defenders to:
This advisory was developed by CISA, NSA, and MS-ISAC in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
The information in this report is being provided “as is” for informational purposes only. CISA, NSA, and MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
[4] Karakurt Data Extortion Group | CISA
[5] Compromise of U.S. Water Treatment Facility | CISA
[6] North Korean Advanced Persistent Threat Focus: Kimsuky | CISA
[7] Continued Threat Actor Exploitation Post Pulse Secure VPN Patching | CISA
January 25, 2023: Initial Version
cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf
cisa.gov/sites/default/files/publications/phishing-infographic-508c.pdf
cisa.gov/uscert/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf
media.defense.gov/2019/Sep/09/2002180334/-1/-1/0/Enforce%20Signed%20Software%20Execution%20Policies%20-%20Copy.pdf
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Protecting%20Against%20Malicious%20Use%20of%20Remote%20Monitoring%20and%20Management%20Software+https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a
www.cisa.gov/ais
www.cisa.gov/cyber-hygiene-services
www.cisa.gov/einstein
www.cisa.gov/uscert/kaseya-ransomware-attack
www.cisa.gov/uscert/ncas/alerts/aa20-107a
www.cisa.gov/uscert/ncas/alerts/aa20-107a
www.cisa.gov/uscert/ncas/alerts/aa20-301a
www.cisa.gov/uscert/ncas/alerts/aa20-301a
www.cisa.gov/uscert/ncas/alerts/aa21-042a
www.cisa.gov/uscert/ncas/alerts/aa21-042a
www.cisa.gov/uscert/ncas/alerts/aa22-055a
www.cisa.gov/uscert/ncas/alerts/aa22-055a
www.cisa.gov/uscert/ncas/alerts/aa22-152a
www.cisa.gov/uscert/ncas/alerts/aa22-152a
www.cisa.gov/uscert/ncas/alerts/aa22-277a
www.cisa.gov/uscert/ncas/alerts/aa22-277a
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a&title=Protecting%20Against%20Malicious%20Use%20of%20Remote%20Monitoring%20and%20Management%20Software
www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-public-to-beware-of-tech-support-scammers-targeting-financial-accounts-using-remote-desktop-software
www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-public-to-beware-of-tech-support-scammers-targeting-financial-accounts-using-remote-desktop-software
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a
www.oig.dhs.gov/
www.silentpush.com/blog/silent-push-uncovers-a-large-phishing-operation-featuring-amazon-geek-squad-mcafee-microsoft-norton-and-paypal-domains
www.silentpush.com/blog/silent-push-uncovers-a-large-phishing-operation-featuring-amazon-geek-squad-mcafee-microsoft-norton-and-paypal-domains
www.silentpush.com/blog/silent-push-uncovers-a-large-phishing-operation-featuring-amazon-geek-squad-mcafee-microsoft-norton-and-paypal-domains
www.silentpush.com/blog/silent-push-uncovers-a-large-phishing-operation-featuring-amazon-geek-squad-mcafee-microsoft-norton-and-paypal-domains
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Protecting%20Against%20Malicious%20Use%20of%20Remote%20Monitoring%20and%20Management%20Software&body=www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a