Joint advisory warns of remote monitoring and management software abuse.

The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint advisory outlining the abuse of legitimate remote monitoring and management (RMM) software. The advisory describes a large, financially motivated phishing campaign that managed to compromise “many” Federal civilian executive branch (FCEB) networks.

A refund scam as phishbait.

The advisory states, “In this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam. They first connected to the recipient’s system and enticed the recipient to log into their bank account while remaining connected to the system. The actors then used their access through the RMM software to modify the recipient’s bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to ‘refund’ this excess amount to the scam operator.”

The agencies note that while this campaign was financially motivated, “the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors.”

Legitimate tools abused for criminal purposes.

Tom Kellermann, CISM, Senior VP of cyber strategy at Contrast Security, sees the advisory as a reminder of the way perfectly legitimate tools are susceptible to abuse.

“Legitimate tools and protocols are widely used by cybercriminals to both maintain persistence and obfuscate their lateral movement. Organizations must expand threat hunting to identify the C2 and remote access trojans that exist and eradicate them before they deal with secondary infections. The game has changed, today's cybercriminals do not merely want to burglarize your environment rather they want to hijack it as evidenced by the growing adoption of island hopping.”

Roger Grimes, data-driven defense evangelist at KnowBe4, applauds the warning, but notes that this kind of thing has been going on for years.

"As usual, I applaud CISA for alerting people and organizations to this threat. With that said, this has been a very common, increasing, modality for attackers for nearly a decade now. The reason why is that legitimate software and services are far less likely to be detected as a malicious threat by both the user and any computer security software they are running. The even smarter cyber thieves are "living off the land" as much as possible, using the tools, programs, and utilities that exist in the operating systems that their victims have. That way, they are even less likely to raise any red flags. They do as much evil as they can using built-in tools and scripts. It's far harder to stop those threats than even the threats that use legitimate software.

"The only way to prevent these sorts of attacks is to educate everyone about them, how they look, how to prevent, and how to report. There is no other solution, at least right now. Teach everyone you know...co-workers, family, and friends, to be aware of the two major signs of a scam. The first is any unexpected message, no matter how it arrives (e.g., email, web site, text message, phone call, in-person, etc.). If you were not expecting it and it arrived in your inbox, it could be a scam. If the sender is requesting something you've never done before for that particular requester, then the odds of the request being a scam significantly jump. So teach everyone you know that if an unexpected message arrives asking you to do something you've never done before or done before for that requester, that you research the request's legitimacy using some alternate, trusted method (such as calling the purported sender directly using a known good phone number) before performing it. If we could teach the world these two traits of a scam, a lot of social engineers and malicious call centers would be out of work."

Cyber crime is often run like a business.

KnowBe4's Grimes sees crooked call centers as the root of much evil. "Much of the hacking of this sort is done by mid-size and large-size call centers sitting in ally countries," he wrote. "They have executives, senior management, and employees who work 9-5 on the clock every day. They have scripts to follow, departments to hand off victims to depending on the phase of the attack, HR, paychecks, and bonuses. Everyone involved knows what they are doing is illegal. The countries and communities they are in know what they are doing is illegal. But a combination of personal greed and bribes allows them to continue to harm victims around the world unencumbered by local law enforcement, leaders, and politicians operating in an ethical manner. Until we solve this problem of how we prevent and shutdown malicious call centers, this problem is going to continue."

The sort of attack mounted in this case is a species of the social engineering genus. Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, places the warning in the larger context of social engineering:

"Social engineering is the use of trickery, misdirection, and other methods of subterfuge to fool a person into giving up sensitive information to a threat actor. Each one of us has been exposed (probably very recently) to social engineering tricks, whether through email appeals to click a link or launch an attachment or other forms of deceptive communication. This also seems to be the case with this particular incident. All it takes is one moment of inattention or gullibility, and the threat actor carrying out social engineering techniques is one step closer to the ultimate goal. Organizations can do two things. One, build an organizational culture that values data privacy and encourages employees to slow down and consider all of the ramifications before acting on requests for sensitive information. If business leaders can get behind initiatives that help employees take the time to do the right thing, then the culture of data privacy and data security will be that much stronger. Two, IT leaders can consider data-centric security as a means to protect sensitive data rather than the perimeters around data. Tokenization for example not only makes sensitive data elements incomprehensible, but it also preserves data format so business applications and users can still work with the data in protected states. If you never de-protect data, chances are that even if it falls into the wrong hands, the sensitive information cannot be compromised."

Spearphishing for specific victims.

Lior Yaari, CEO and co-founder of Grip Security, wrote about what this sort of attack means to the victim. “Becoming a victim of this attack is similar to handing over your entire computer to a hacker and allowing them to access whatever data is stored on it or another nefarious purpose. It seems to be targeting consumers, but this could spill over to enterprise systems because people often use personal credentials for work. It is always prudent to double check any type of automated installation of software that is initiated by a website to ensure that you are installing legitimate software. This attack will likely produce assets for criminals to leverage in other campaigns.”

Paul Bischoff, privacy advocate at Comparitech, sees the targeting of the attacks as interesting, and significant:

"These are the sorts of attacks that public figures should already be on the lookout for. But unlike traditional phishing, these campaigns are more targeted. Attackers create social media accounts for the people they're impersonating to make the scam more convincing, and they use lures that are tailored to their targets. Once one person is compromised, the attackers use that account to impersonate the victim and phish their colleagues. Those follow-on attacks are even more convincing because they come from a trusted account. The same old advice still applies: never click on links in unsolicited emails, and always verify the identity of the sender. RMM software is frequently used in tech support scams to hijack victim's computers. Portable RMMs don't need to be installed, so they bypass restrictions that prevent malicious programs from being installed. But there are other ways to prevent malicious RMMs, including allowlisting authorized RMM programs, detecting RMM software that's only loaded in memory, and limiting the use of RMM to your organization's VPN."