The US government cybersecurity agency warned that criminal, financially motivated hackers compromised federal agencies with legitimate remote desktop software.
CISA on Wednesday, in a joint advisory with the National Security Agency, issued a “widespread exploitation of legitimate remote monitoring and management software (RMM)” targeting multiple private federal law enforcement agencies (known as FCEBs). identified a cyber campaign. A list that includes the Departments of Homeland Security, Treasury, and Justice.
CISA said in October that while conducting a retrospective analysis using Einstein, a government-run intrusion detection system used to protect private federal agency networks, he found two in his FCEB systems. It said it was the first to identify suspicious malicious activity. Additional investigation has revealed that other other government networks are also impacted.
CISA: Federal agencies hacked using legitimate remote desktop tools https://t.co/uutWRnY1XM— Nicolas Krassas (@Dinosn) January 26, 2023
CISA has linked this activity to a financial phishing campaign first discovered by threat intelligence firm Silent Push. However, CISA has not named his FCEB agency involved. It also did not respond to TechCrunch’s question.
According to CISA, the unnamed actors behind this campaign began sending helpdesk phishing emails to private email addresses of government officials and federal employees in mid-June 2022. These emails either contained links to malicious “tier 1” websites masquerading as well-known companies such as Microsoft or Amazon, or urged victims to call the hackers, who allegedly harassed their employees. attempted to trick the visit into a malicious domain.
These phishing emails led to his downloading ScreenConnect (now ConnectWise Control) and his AnyDesk, legitimate remote access software. An unnamed hacker used it in a refund scam to steal money from victims’ bank accounts. These self-hosted remote access tools give IT administrators near-instantaneous access to employee computers with minimal user interaction, but they have been abused by cybercriminals to convince fraudsters. I’ve been working on it.
In this case, according to CISA, cybercriminals used remote access software to trick employees into accessing their bank accounts. Hackers modified the recipient’s bank account profile via remote access.“The attackers used remote access software to modify the victim’s bank account summary information to indicate that they had mistakenly refunded an overage amount, and instruct the victim to ‘refund’ the overage amount. instructed,” he said, CISA said.
CISA warns that attackers can also use legitimate remote access software as a backdoor to maintain persistent access to government networks. “While this particular activity appears to target individuals for financial gain, the access represents additional malicious activity against the recipient organization by both other cybercriminals and his APT actors. ,” the advisory said.