Dive Brief:
- Malicious actors are using remote management and monitoring software to launch phishing attacks against federal employees, authorities warned Wednesday.
- The Cybersecurity and Infrastructure Security Agency, National Security Agency and Multi-State Information Sharing and Analysis Center said since June 2022 cybercriminals have sent help desk themed phishing emails to civilian executive branch agency staff using their personal and government email addresses.
- The lure aims to get the targeted workers to link to malicious domains in order to steal money from the targeted victims. However, authorities warn the same tactics could be used by APT actors in order to gain persistence within a network.
Dive Insight:
The attacks have leveraged otherwise legitimate RMM tools like ScreenConnect — now ConnectWise Control — and AnyDesk to launch financially motivated attacks against federal workers.
The advisory included a sample phishing email seen in September that claimed a Geek Squad subscription will be debited from the victim bank account. The email contains a phone number to get the victim to call to cancel the subscription and get a refund.
Though attacks were seen against staff in civilian executive branch agencies, federal officials are concerned that sophisticated actors could use the same techniques against more sensitive targets.
“Malicious actors can leverage legitimate remote monitoring and management software to target national security systems, Department of Defense and defense industrial base personnel and data on work and home devices and accounts,” an NSA spokesperson said.
As part of its mission to secure these agencies and systems, NSA released this guidance “so network defenders can protect their home and work devices and accounts from bad actors,” the spokesperson said.
“As such, RMM has become a more prominent vector for initial access, persistence, and data exfiltration across the [state, local, tribal and territorial governments] and critical infrastructure space, particularly when those organizations are targeted by financially motivated ransomware actors,” said TJ Sayers, cyber threat intelligence manager at the Center for Internet Security.
The advisory cites research from Silent Push, which had been investigating criminal infrastructure that was impersonating PayPal. Researchers found a wide range of impersonated brands and criminal activity poses a threat to a much larger segment of the private sector.
“Our observations indicate that this is intended for a wider victim audience and all businesses should be wary,” Ken Bagnall, founder and CEO of Silent Push, said.
