Alert: Refund Scam Targeting Federal Agencies via RMM Software

Javvad Malik | Jan 30, 2023

At least two federal civilian agencies were the unfortunate victims of a refund scam campaign, perpetrated through the use of legitimate remote monitoring and management (RMM) software. CISA, the NSA and the MS-ISAC identified the campaign in October 2022, but it appears the cybercriminals had been at work since at least mid-June 2022 and were still going strong in mid-September 2022.

The hackers sent phishing emails that led to the download of legitimate RMM software, which they then used to run a refund scam against the recipients. It is a worrying trend, as the same foothold could be used for other nefarious purposes, and the access could be sold on to other criminal or government-backed hacking groups.

Because the RMM software runs in the context of the logged-in user, the hackers can establish local user access without needing administrative privileges, effectively bypassing common software controls and the risk management assumptions built around them (for example, that software must be installed before it can run). The phishing emails, sent to both the employees' personal and government email addresses, were help desk-themed and contained links to malicious domains.

The hackers used self-contained portable executables that launch on a user's device without installation. The same access could also let them move to other vulnerable machines on the local network and establish long-term, persistent access as a local user service. The domains used in the first stage of the scam impersonated well-known companies and brands. Once connected to a victim's system, the hackers had the victim log into their online bank account and then edited the account summary shown in the victim's browser to make it look like the victim had been refunded too much money, before instructing them to send the "excess" back.

Both ConnectWise Control (formerly ScreenConnect) and AnyDesk have been used in previous cyber attacks, so it is no surprise they were used in this campaign. Legitimate, vendor-signed RMM software typically does not trigger antivirus or antimalware defenses, and is often already allowed in environments that use it for support, making it an ideal tool for cybercriminals.
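The two points above (an RMM portable executable running from a download folder as an ordinary user, and signed RMM tools slipping past antivirus) are exactly the properties a detection should key on, since the binary itself will not be flagged. The following is an added example for this post, not code from the CISA/NSA/MS-ISAC advisory or from KnowBe4: a small triage routine over process-creation records that scores each RMM launch on where it runs from, whether elevation was used, what spawned it, and which relay host it talks to. The sample events, user names, hostnames, the approved-server allowlist and the binary-name patterns are constructed assumptions; in production, key on the vendor's signed binary names and certificates and on your own RMM server inventory.

```python
"""Triage process-creation records for RMM tools run as portable executables.

Added example, not code from the advisory or the original post. All sample
data, hostnames and the approved-server list are constructed assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
import re

# The two RMM products named in the advisory. Patterns are an illustration;
# real detections should use the vendor's signed file names and certificates.
RMM_PRODUCTS = {
    "ConnectWise Control (ScreenConnect)": re.compile(r"screenconnect|connectwise", re.I),
    "AnyDesk": re.compile(r"anydesk", re.I),
}

# Assumed allowlist: the organization's own RMM server(s). Anything else is a
# relay the organization never approved.
APPROVED_RMM_HOSTS = {"control.corp.example"}

# Parents that mean "the user ran something they downloaded" (assumption).
BROWSER_AND_MAIL_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Top-level directories a centrally managed install lives under (assumption).
MANAGED_TOP_DIRS = {"program files", "program files (x86)", "windows"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the launched executable
    user: str           # account the process runs as
    parent_image: str   # full path of the parent process
    dest_host: str      # remote host the process connected to ("" if none seen)
    elevated: bool      # True for an elevated (admin) or SYSTEM token


@dataclass(frozen=True)
class Finding:
    product: str
    reasons: tuple
    event: ProcessEvent


def _identify_rmm(image):
    name = PureWindowsPath(image).name
    for product, pattern in RMM_PRODUCTS.items():
        if pattern.search(name):
            return product
    return None


def _is_managed_install(parts):
    return len(parts) > 1 and parts[1] in MANAGED_TOP_DIRS


def _is_user_writable(parts):
    # C:\Users\<name>\Downloads, \Desktop or \AppData\Local\Temp
    if len(parts) < 4 or parts[1] != "users":
        return False
    sub = parts[3:]
    return sub[0] in {"downloads", "desktop"} or sub[:3] == ("appdata", "local", "temp")


def classify(event):
    """Return a Finding for a suspicious RMM launch, or None if it looks managed."""
    product = _identify_rmm(event.image)
    if product is None:
        return None
    parts = tuple(p.lower() for p in PureWindowsPath(event.image).parts)
    reasons = []
    if not _is_managed_install(parts):
        reasons.append("runs outside a managed install directory")
        if not event.elevated:
            # Portable executable in the user's own context: no installer ran,
            # so install-time controls (admin prompt, inventory) never saw it.
            reasons.append("no elevation used; install-time controls never ran")
    if _is_user_writable(parts):
        reasons.append("portable executable in a user-writable directory")
    if PureWindowsPath(event.parent_image).name.lower() in BROWSER_AND_MAIL_PARENTS:
        reasons.append("launched from a browser or mail client download")
    if event.dest_host and event.dest_host.lower() not in APPROVED_RMM_HOSTS:
        reasons.append("connects to unapproved RMM relay " + event.dest_host)
    return Finding(product, tuple(reasons), event) if reasons else None


def triage(events):
    """Classify every event and return findings, strongest first."""
    findings = [f for f in (classify(e) for e in events) if f is not None]
    return sorted(findings, key=lambda f: len(f.reasons), reverse=True)


# Constructed sample records: one managed install, two phishing-delivered
# portables, and one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
                 r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\services.exe",
                 "control.corp.example", True),
    ProcessEvent(r"C:\Users\jdoe\Downloads\ScreenConnect.Client.exe", r"CORP\jdoe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "relay.example.net", False),
    ProcessEvent(r"C:\Users\asmith\AppData\Local\Temp\AnyDesk.exe", r"CORP\asmith",
                 r"C:\Windows\explorer.exe", "anydesk-relay.example.net", False),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"CORP\jdoe",
                 r"C:\Windows\explorer.exe", "", False),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding.product, "as", finding.event.user)
        for reason in finding.reasons:
            print("  -", reason)
```

The managed ScreenConnect service (SYSTEM, under Program Files, talking to the approved server) produces no finding at all, which is the behaviour you want so that the organization's own support tooling does not drown the alert queue; the two downloads score on four or five independent signals, and the relay hostname is the one you would feed to an egress block.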

This highlights the continuing need for organizations to invest in timely and appropriate security awareness training so that employees are better equipped to identify and report suspicious phishing emails or other social engineering attacks. Training should go hand in hand with technical controls: audit which remote access tools are actually in use, restrict RMM software to approved, managed installations, and block outbound connections to RMM relays the organization has not approved.
