US federal agencies hacked using legitimate remote desktop tools
The US government’s cybersecurity agency has warned that criminal, financially motivated hackers compromised federal agencies using legitimate remote desktop software.
CISA said in a joint advisory with the National Security Agency on Wednesday that it had identified a “widespread cyber campaign involving the malicious use of legitimate remote monitoring and management (RMM) software” that had targeted several federal civilian executive branch agencies, known as FCEB agencies, a group that includes Homeland Security, the Treasury and the Department of Justice.
CISA said it first identified suspected malicious activity on two FCEB systems in October while conducting a retrospective analysis using Einstein, a government-run intrusion detection system used to protect federal civilian agency networks. Further analysis led to the conclusion that many other state networks were also affected.
CISA linked this activity to a financially motivated phishing campaign first uncovered by threat intelligence firm Silent Push. But CISA did not name the affected FCEB agencies, and did not respond to TechCrunch’s questions.
The unnamed attackers behind this campaign began sending help desk-themed phishing emails to federal employees’ government and personal email addresses in mid-June 2022, according to CISA. These emails either contained a link to a “first stage” malicious website that impersonated high-profile companies, including Microsoft and Amazon, or prompted the victim to call the hackers, who then tried to trick the employees into visiting the malicious domain.
These phishing emails led to the download of legitimate remote access software – ScreenConnect (now ConnectWise Control) and AnyDesk – which the unnamed hackers used as part of a refund scam to steal money from victims’ bank accounts. These self-contained remote access tools can give IT administrators near-instant access to an employee’s computer with minimal user interaction, but they have also been misused by cybercriminals to run convincing-looking scams.
In this case, according to CISA, the cybercriminals used the remote access software to trick the employee into logging in to their bank account, then used that same remote access to alter what the victim saw in their account statement. “The attackers used the remote access software to alter the victim’s bank account summary information to show that they falsely refunded an excess amount, and then instructed the victim to ‘repay’ this excess amount,” CISA said.
CISA warns that attackers can also use legitimate remote access software as a backdoor to maintain persistent access to networks. “While this specific activity appears to be financially motivated and targets individuals, the access may lead to additional malicious activity against the recipient’s organization – from both other cybercriminals and APT actors,” the advisory said.
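The detection angle a defender would take from this is to spot the RMM clients the article names (AnyDesk, ScreenConnect) running as user-downloaded, self-contained copies rather than as IT-deployed installs. The following is an added example, not code from the article or the CISA advisory; the pipe-delimited process-creation log format, the sanctioned-directory rule and the sample lines are all constructed for illustration.

```python
from dataclasses import dataclass

# RMM client process names for the two tools the article names; this list,
# and the rule that sanctioned installs live under Program Files, are assumptions.
RMM_PROCESSES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
}
SANCTIONED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample process-creation lines: timestamp|host|user|image|parent
SAMPLE_LOG = """\
2022-10-12T09:14:02Z|ws-0417|jdoe|C:\\Users\\jdoe\\Downloads\\anydesk.exe|C:\\Program Files\\Mozilla Firefox\\firefox.exe
2022-10-12T09:15:40Z|ws-0417|jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe|C:\\Windows\\explorer.exe
2022-10-12T09:16:01Z|ws-0203|SYSTEM|C:\\Program Files\\AnyDesk\\anydesk.exe|C:\\Windows\\System32\\services.exe
2022-10-12T09:17:22Z|ws-0417|jdoe|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe
"""

@dataclass
class Finding:
    host: str
    user: str
    tool: str
    image: str
    parent: str
    reason: str

def scan_process_log(log: str) -> list:
    """Flag RMM clients launched from outside sanctioned install directories,
    i.e. portable copies a user fetched from a phishing page."""
    findings = []
    for line in log.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue  # malformed line; skip rather than crash the scan
        _ts, host, user, image, parent = parts
        image_l = image.lower()
        tool = RMM_PROCESSES.get(image_l.rsplit("\\", 1)[-1])
        if tool is None or image_l.startswith(SANCTIONED_DIRS):
            continue  # not an RMM client, or an IT-deployed install
        reason = f"self-contained {tool} client outside sanctioned install path"
        if "\\downloads\\" in image_l or "\\temp\\" in image_l:
            reason += " (download/temp directory)"
        findings.append(Finding(host, user, tool, image, parent, reason))
    return findings

if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_LOG):
        print(f"{f.host} {f.user}: {f.tool} at {f.image}, parent {f.parent}: {f.reason}")
```

The parent process is kept in each finding because a browser or Explorer parent is what distinguishes a user-launched download from a service-managed install.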