Hackers used legit remote monitoring software to hack agency networks


Guidance from the National Security Agency and the Cybersecurity and Infrastructure Security Agency describes a phishing attack on a federal employee that used fake help desk domains to gain access to at least two federal civilian executive branch networks.

The National Security Agency and the Cybersecurity and Infrastructure Security Agency issued new guidance Wednesday to help safeguard remote monitoring and management, or RMM, software from malicious attacks. 

The guidance aims to help enterprises identify and mitigate potential breaches tied to the software — which helps managed IT service providers monitor endpoints, networks and devices — after attackers used phishing emails to gain access to networks through legitimate RMM software, activity that CISA identified in October 2022.

Specifically, attackers sent a phishing email to a federal civilian executive branch employee in June 2022 with a phone number that led the employee to visit a malicious domain.

By October, CISA had found malicious activity on two federal civilian executive branch networks through a retrospective analysis of its intrusion detection system known as EINSTEIN, with bi-directional traffic occurring between one network and a malicious domain in mid-September. 

"Based on further EINSTEIN analysis and incident response support, CISA identified related activity on many other [federal civilian executive branch] networks," the guidance said. 

Officials said in the guidance that attackers have been sending "help desk-themed phishing emails" to federal employees' personal and government email accounts since at least June 2022, with either a link to a malicious domain or a phone number that then directs them to the domain.

That first-stage domain then prompts the victim to download an executable file that connects to a second malicious domain, from which the victim downloads RMM software that connects to the attackers' RMM server.

Because the attackers deploy the RMM software as a portable executable file rather than installing it on the compromised victim's network, they can evade risk management systems and attack other vulnerable machines through local user rights.

"The authoring organizations assess this activity is part of a widespread, financially motivated phishing campaign and is related to malicious typosquatting activity" uncovered by Reston cyberthreat detection firm Silent Push in October, with attackers impersonating companies like Amazon, Microsoft, Geek Squad, McAfee, Norton and PayPal.

Though the discovered campaign aimed for financial gain by luring the victims into paying attackers through a refund scam, CISA warned that other attackers could use legitimate RMM software to evade antivirus and antimalware software. 

"Targets can include managed service providers and IT help desks, who regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring and to interact remotely with hosts for IT-support functions," the guidance said. "These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP's customers."

The guidance identifies malicious domains tied to the attacks and encourages enterprises to audit their remote access tools to identify RMM software on their networks, review logs for execution of RMM software and take other steps to mitigate potential attacks.

The guidance comes almost three months after CISA disclosed that Iranian government-sponsored advanced persistent threat actors exploited a vulnerability to install cryptocurrency mining software on a federal agency's network.