The U.S. government’s cybersecurity agency has warned that financially motivated criminal hackers compromised federal agencies using legitimate remote desktop software.
CISA said in a joint advisory with the National Security Agency on Wednesday that it had identified a “widespread cyber campaign involving the malicious use of legitimate remote monitoring and management (RMM) software” that had targeted multiple federal civilian executive branch agencies — known as FCEBs — a list that includes Homeland Security, the Treasury and the Justice Department.
CISA said it first identified suspected malicious activity on two FCEB systems in October while conducting a retrospective analysis using Einstein, a government-operated intrusion detection system used for protecting federal civilian agency networks. Further analysis led to the conclusion that many other government networks were also affected.
CISA linked this activity to a financially motivated phishing campaign first uncovered by threat intelligence firm Silent Push. But CISA did not name the affected FCEB agencies — and did not respond to TechCrunch’s questions.
The unnamed attackers behind this campaign began sending help desk-themed phishing emails to federal employees’ government and personal email addresses in mid-June 2022, according to CISA. These emails either contained a link to a “first-stage” malicious site that impersonated high-profile companies, including Microsoft and Amazon, or prompted the victim to call the hackers, who then tried to trick the employees into visiting the malicious domain.
These phishing emails led to the download of legitimate remote access software — ScreenConnect (now ConnectWise Control) and AnyDesk — which the unnamed hackers used as part of a refund scam to steal money from victims’ bank accounts. Such self-hosted remote access tools give IT administrators near-instant access to an employee’s computer with minimal interaction from the user, which is exactly what makes them useful to cybercriminals running convincing-looking scams.
In this case, according to CISA, the cybercriminals used the remote access software to trick the employee into logging in to their bank account and then altered what the victim saw on screen. “The attackers used the remote access software to change the victim’s bank account summary information to show that they mistakenly refunded an excess amount of money, then instructed the victim to ‘refund’ this excess amount,” CISA said.
CISA warns that the attackers could also use legitimate remote access software as a backdoor for maintaining persistent access to government networks. “Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization — from both other cybercriminals and APT actors,” the advisory said.
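Because the tools in this campaign arrived as downloads from a phishing link rather than as an IT-deployed install, one practical check is to flag known RMM executables that launch from user-writable locations such as a Downloads or Temp folder. The script below is an added example written for this article, not code from CISA or TechCrunch: the log format and the sample lines are constructed, and the executable names and approved install directories are assumptions that a defender would replace with their own inventory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (not from the advisory or any real host).
SAMPLE_LOGS = [
    r'2022-10-12T14:03:11Z host=WS-0421 user=jdoe image="C:\Users\jdoe\Downloads\AnyDesk.exe" parent="C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'2022-10-12T14:05:40Z host=WS-0198 user=it-admin image="C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.WindowsClient.exe" parent="C:\Windows\System32\services.exe"',
    r'2022-10-12T14:06:02Z host=WS-0421 user=jdoe image="C:\Windows\System32\svchost.exe" parent="C:\Windows\System32\services.exe"',
    r'2022-10-12T14:09:17Z host=WS-0733 user=asmith image="C:\Users\asmith\AppData\Local\Temp\ScreenConnect.ClientSetup.exe" parent="C:\Program Files\Mozilla Firefox\firefox.exe"',
    r'garbled line that does not match the expected format',
]

# Assumed executable names for the two tools named in the article; extend from your own inventory.
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.windowsclient.exe",
    "screenconnect.clientsetup.exe",
}

# Assumed locations where an IT-managed install is expected to live (lower-cased for comparison).
APPROVED_DIRS = (
    r"c:\program files\\".rstrip("\\") + "\\",
    r"c:\program files (x86)\\".rstrip("\\") + "\\",
)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image="(?P<image>[^"]+)"(?: parent="(?P<parent>[^"]+)")?'
)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    image: str
    parent: Optional[str]
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None if it does not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def basename(path: str) -> str:
    """Return the lower-cased file name, accepting either path separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_rmm_binary(image: str) -> bool:
    return basename(image) in RMM_BINARIES


def is_approved_path(image: str) -> bool:
    """True when the binary runs from a directory an installer would have used."""
    return image.lower().startswith(APPROVED_DIRS)


def scan(lines: List[str]) -> List[Finding]:
    """Flag RMM executables launched from outside the approved install directories."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip lines the parser cannot read rather than failing the whole run
        image = event["image"]
        if is_rmm_binary(image) and not is_approved_path(image):
            findings.append(Finding(
                timestamp=event["ts"],
                host=event["host"],
                user=event["user"],
                image=image,
                parent=event.get("parent"),
                reason="RMM binary executed from a non-standard (likely user-writable) path",
            ))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.timestamp} {f.host} {f.user}: {f.image} (parent: {f.parent}) - {f.reason}")
```

The path check only catches the delivery pattern described above, a portable binary run from wherever the browser saved it; an RMM client that an attacker manages to install into Program Files, or a legitimately installed client whose session is hijacked, would not be flagged, so this belongs beside network controls on outbound RMM traffic rather than in place of them.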
https://techcrunch.com/