The U.S. government’s cybersecurity agency has warned that financially motivated criminal hackers compromised federal agencies using legitimate remote desktop software.
CISA said in a joint advisory with the National Security Agency on Wednesday that it had identified a “widespread cyber campaign involving the malicious use of legitimate remote monitoring and management (RMM) software” that had targeted multiple federal civilian executive branch agencies — known as FCEBs — a list that includes Homeland Security, the Treasury and the Justice Department.
CISA said it first identified suspected malicious activity on two FCEB systems in October while conducting a retrospective analysis using Einstein, a government-operated intrusion detection system used for protecting federal civilian agency networks. Further analysis led to the conclusion that many other government networks were also affected.
CISA linked this activity to a financially motivated phishing campaign first uncovered by threat intelligence firm Silent Push. But CISA did not name the affected FCEB agencies — and did not respond to TechCrunch’s questions.
The unnamed attackers behind this campaign began sending help desk-themed phishing emails to federal employees’ government and personal email addresses in mid-June 2022, according to CISA. These emails either contained a link to a “first-stage” malicious site that impersonated high-profile companies, including Microsoft and Amazon, or prompted the victim to call the hackers, who then tried to trick the employees into visiting the malicious domain.
These phishing emails led to the download of legitimate remote access software — ScreenConnect (now ConnectWise Control) and AnyDesk — which the unnamed hackers used as part of a refund scam to steal money from victims’ bank accounts. These self-hosted remote access tools give IT administrators near-instant access to an employee’s computer with minimal interaction from the user, but they have also been abused by cybercriminals to run convincing-looking scams.
In this case, and according to CISA, the cybercriminals used the remote access software to trick the employee into accessing their bank account. The hackers used their remote access to modify the recipient’s bank account summary. “The attackers used the remote access software to change the victim’s bank account summary information to show that they mistakenly refunded an excess amount of money, then instructed the victim to ‘refund’ this excess amount,” CISA said.
CISA warns that the attackers could also use legitimate remote access software as a backdoor for maintaining persistent access to government networks. “Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization — from both other cybercriminals and APT actors,” the advisory said.
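The detection angle on the pattern described above, as an added example that is not code from the article or the CISA advisory: a small check over process-creation events that flags the RMM clients the article names (AnyDesk, ScreenConnect) when they start from somewhere other than a managed installation, which is what a phishing-delivered download looks like on an endpoint. Sysmon-style field names, the sanctioned-directory allowlist and the sample events are assumptions.

```python
# Added example (not the article's or CISA's code): detect launches of the RMM
# clients the article names that do not come from a managed install. Field
# names follow Sysmon event 1; the allowlist and sample events are assumed.
import json
import re

RMM_IMAGE_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk[^/]*\.exe$", re.IGNORECASE),
    "ScreenConnect": re.compile(r"screenconnect[^/]*\.exe$", re.IGNORECASE),
}
SANCTIONED_DIRS = ("c:/program files/", "c:/program files (x86)/")  # assumed
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe")

def normalize(path: str) -> str:
    """Lower-case with forward slashes so prefix and suffix checks are uniform."""
    return path.replace("\\", "/").lower()

def classify_event(event: dict):
    """Return (tool, reason) for an unmanaged RMM launch, else None."""
    image = normalize(event.get("Image", ""))
    parent = normalize(event.get("ParentImage", ""))
    for tool, pattern in RMM_IMAGE_PATTERNS.items():
        if not pattern.search(image):
            continue
        if image.startswith(SANCTIONED_DIRS):
            return None  # managed install: out of scope for this rule
        if parent.endswith(BROWSERS):
            return tool, "RMM client started directly from a browser download"
        return tool, "RMM client started outside sanctioned directories"
    return None

def scan(log_lines):
    """Run classify_event over JSON-per-line process-creation events."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        verdict = classify_event(event)
        if verdict:
            hits.append({"host": event["Computer"], "user": event["User"],
                         "tool": verdict[0], "reason": verdict[1]})
    return hits

# Constructed sample: a phishing-style launch, a managed install, an unrelated process.
SAMPLE_LOG = [json.dumps(e) for e in (
    {"Computer": "WS01", "User": "AGENCY\\jdoe", "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"Computer": "WS02", "User": "AGENCY\\svc-it", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\ScreenConnect Client (x)\ScreenConnect.ClientService.exe"},
    {"Computer": "WS03", "User": "AGENCY\\asmith", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
)]
```

Running `scan(SAMPLE_LOG)` flags only the AnyDesk launch from a user's Downloads folder; the managed ScreenConnect service and the Office process pass.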