The U.S. government’s cybersecurity agency has warned that criminal financially motivated hackers compromised federal agencies using legitimate remote desktop software.
CISA said in a joint advisory with the National Security Agency on Wednesday that it had identified a “widespread cyber campaign involving the malicious use of legitimate remote monitoring and management (RMM) software” that had targeted multiple federal civilian executive branch agencies — known as FCEBs — a list that includes Homeland Security, the Treasury, and the Justice Department.
CISA said it first identified suspected malicious activity on two FCEB systems in October while conducting a retrospective analysis using Einstein, a government-operated intrusion detection system used for protecting federal civilian agency networks. Further analysis led to the conclusion that many other government networks were also affected.
CISA linked this activity to a financially motivated phishing campaign first uncovered by threat intelligence firm Silent Push. But CISA did not name the affected FCEB agencies — and did not respond to TechCrunch’s questions.
The unnamed attackers behind this campaign began sending help desk-themed phishing emails to federal employees’ government and personal email addresses in mid-June 2022, according to CISA. These emails either contained a link to a “first-stage” malicious site that impersonated high-profile companies, including Microsoft and Amazon, or prompted the victim to call the hackers, who then tried to trick the employees into visiting the malicious domain.
These phishing emails led to the download of legitimate remote access software — ScreenConnect (now ConnectWise Control) and AnyDesk — which the unnamed hackers used as part of a refund scam to steal money from victims’ bank accounts. These self-hosted remote access tools can allow IT administrators near-instant access to an employee’s computer with minimal interaction from the user, but these have been abused by cybercriminals to launch convincing-looking scams.
In this case, and according to CISA, the cybercriminals used the remote access software to trick the employee into accessing their bank account. The hackers used their remote access to modify the recipient’s bank account summary. “The attackers used the remote access software to change the victim’s bank account summary information to show that they mistakenly refunded an excess amount of money, then instructed the victim to ‘refund’ this excess amount,” CISA said.
CISA warns that the attackers could also use legitimate remote access software as a backdoor for maintaining persistent access to government networks. “Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization — from both other cybercriminals and APT actors,” the advisory said.