NSA and CISA Warning: This phishing scam could give hackers control of your PC
Cybercriminals are actively exploiting remote management software to aid fraud and steal money from victims, a joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) has warned.
The alert was issued after the detection of an email phishing campaign that tricks victims into downloading legitimate remote monitoring and management (RMM) software, allowing attackers to gain access to bank accounts.
Importantly, it does so without triggering an antivirus warning, because the RMM tool is a genuine app with a verified use case. That is what cybercriminals can exploit as a workaround, instead of trying to trick victims into downloading malware that may raise warnings.
According to CISA and NSA, although this campaign is specifically targeted at finance, the remote access that is gained means that attackers can use it for other malicious purposes, such as stealing usernames and passwords as well as installing a backdoor to compromise the system, which can be used to launch a ransomware attack.
The attacks, believed to be the work of a financially motivated cybercrime gang, have been going on since at least June 2022 and began with phishing emails designed to manipulate victims.
According to the advisory, a common phishing lure used in these attacks is an announcement that an annual subscription is about to be automatically renewed at a cost of hundreds of dollars.
This is designed to scare the victim into calling the ‘help desk’ listed in the email. If they do, the helpdesk — run by scammers — will try to convince victims to download remote management software to ‘help’ them answer questions and cancel payments.
But in reality, no payment is imminent and all the attacker wants to do is convince the victim to log into their online banking account while the remote management software is active. Attackers use this access to bank accounts to steal money from victims.
In this campaign, the attackers are using ScreenConnect and AnyDesk, but the advisory warns that they can use any legitimate remote management software. And because attackers can download legitimate RMM software as a standalone, portable executable, they can bypass both the requirement for administrative privileges and the software management control policy.
“Threats often target legitimate users of RMM software. Targets may include managed service providers (MSPs) and IT helpdesks, who frequently use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to remotely interact with servers for IT support functions,” the advisory warns.
According to CISA, actions that can be taken to help avoid falling victim to this and similar campaigns include implementing best practices for blocking phishing emails and carefully monitoring activity to identify scams and the use of suspicious or unauthorized software online.
The agency also recommends implementing a user training program and running phishing exercises to raise users’ awareness of the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments.
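The monitoring recommendation above, together with the point that portable RMM executables sidestep admin-rights and software-control checks, can be turned into a simple detection. The following is an added example, not code from the advisory: it scans constructed process-creation events for AnyDesk or ScreenConnect binaries running from user-writable paths or on hosts outside an approved list. The event fields, host names and approved-host list are assumptions.

```python
import json
import re
from pathlib import PureWindowsPath

# The two tools named in this campaign; extend with any RMM your organization does not sanction.
RMM_NAME = re.compile(r"anydesk|screenconnect", re.IGNORECASE)
# Assumption: locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\", re.IGNORECASE)
# Assumption: hosts where IT has approved RMM use (hypothetical name).
APPROVED_HOSTS = {"HELPDESK-01"}

# Constructed process-creation events, one JSON object per line (not real telemetry).
SAMPLE_LOG = r"""
{"host": "FIN-LT-07", "user": "alice", "image": "C:\\Users\\alice\\Downloads\\AnyDesk.exe"}
{"host": "HELPDESK-01", "user": "itadmin", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.WindowsClient.exe"}
{"host": "FIN-LT-07", "user": "alice", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"host": "HR-PC-02", "user": "bob", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe"}
{"host": "ENG-WS-11", "user": "carol", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}
"""


def classify(event):
    """Return a reason string if the event deserves review, else None."""
    image = event["image"]
    if not RMM_NAME.search(PureWindowsPath(image).name):
        return None  # not one of the watched RMM tools
    if USER_WRITABLE.search(image):
        # Portable copy: runs without admin rights or software deployment controls.
        return "portable RMM executable in user-writable path"
    if event["host"] not in APPROVED_HOSTS:
        return "installed RMM on host not approved for it"
    return None  # installed copy on an approved host


def find_rmm_alerts(log_text):
    """Parse JSON-lines events and return (host, user, image, reason) for each hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            alerts.append((event["host"], event["user"], event["image"], reason))
    return alerts


if __name__ == "__main__":
    for alert in find_rmm_alerts(SAMPLE_LOG):
        print(" | ".join(alert))
```

Matching on file name alone misses renamed binaries, so pair this with signer or hash metadata where your endpoint telemetry provides it.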