At least two federal agencies in the U.S. fell victim to a “widespread cyber campaign” that involved the use of legitimate remote monitoring and management (RMM) software to perpetuate a phishing scam.
“Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software – ScreenConnect (now ConnectWise Control) and AnyDesk – which the actors used in a refund scam to steal money from victim bank accounts,” U.S. cybersecurity authorities said.
The joint advisory comes from the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
The attacks, which took place in mid-June and mid-September 2022, have financial motivations, although threat actors could weaponize the unauthorized access for conducting a wide range of activities, including selling that access to other hacking crews.
Usage of remote software by criminal groups has long been a concern as it offers an effective pathway to establish local user access on a host without the need for elevating privileges or obtaining a foothold by other means.
