26 January 2023

Hackers increasingly abusing RMM software for nefarious purposes

Threat actors are increasingly misusing legitimate remote monitoring and management (RMM) software to conduct phishing scams and other malicious activity, according to a joint security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC).

According to the advisory, at least two federal agencies in the United States fell victim to a “widespread cyber campaign” in which threat actors sent phishing emails that led to the download of legitimate RMM software, namely ScreenConnect (now ConnectWise Control) and AnyDesk, which was then used in a refund scam and the subsequent theft of money from victims' bank accounts.

CISA notes that this financially motivated phishing campaign is related to malicious typosquatting activity reported by Silent Push in October 2022.

While the observed attacks, which took place in mid-June and mid-September 2022, appear to be financially motivated, threat actors could weaponize the unauthorized access for other nefarious purposes, including selling that access to other hackers.

“Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cyber criminal or advanced persistent threat (APT) actors,” the security agencies said. “This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).”
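As an added illustration of the detection side (our own example, not code from the advisory or from the agencies), the small Python check below scans endpoint process-creation records and flags executions of the RMM products the advisory names when the product is not one IT has sanctioned, or when a sanctioned product runs from outside its expected install directory. The tab-separated log format, the sanctioned product list, the install-directory policy and the sample records are all constructed assumptions.

```python
import re

# RMM products named in the advisory, matched case-insensitively against the
# executable path. The patterns are our assumption, not taken from the advisory.
RMM_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "ScreenConnect": re.compile(r"screenconnect|connectwise", re.I),
}

# Assumed organisational policy: the RMM product IT has sanctioned and the
# directory it is expected to run from (anything else is worth a look).
SANCTIONED = {"ScreenConnect"}
SANCTIONED_DIR = re.compile(r"^c:\\program files( \(x86\))?\\", re.I)

def classify(line):
    """One tab-separated record (timestamp, host, user, image, parent) -> finding or None."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return None
    _ts, host, user, image, _parent = fields
    for product, pattern in RMM_PATTERNS.items():
        if pattern.search(image):
            break
    else:
        return None  # not an RMM tool we track
    if product not in SANCTIONED:
        reason = "unsanctioned RMM product"
    elif not SANCTIONED_DIR.match(image):
        reason = "sanctioned product run outside its install directory"
    else:
        return None  # approved tool from its approved location
    return {"host": host, "user": user, "product": product, "image": image, "reason": reason}

def scan(lines):
    """Return findings for every record in an iterable of log lines."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample records; none of these hosts or paths come from the advisory.
SAMPLE_LOG = ["\t".join(r) for r in [
    ("2022-06-15T10:02:11Z", "WS-0421", "jdoe", r"C:\Users\jdoe\Downloads\AnyDesk.exe", "OUTLOOK.EXE"),
    ("2022-06-15T10:05:40Z", "WS-0421", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.Client.exe", "chrome.exe"),
    ("2022-06-15T11:00:03Z", "WS-0100", "it-admin", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", "services.exe"),
    ("2022-06-15T11:01:00Z", "WS-0100", "it-admin", r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']} {f['user']}: {f['product']} ({f['reason']}) -> {f['image']}")
```

On the constructed records the first two lines are flagged (an unsanctioned AnyDesk launch from a Downloads folder, and a sanctioned ScreenConnect client run from a Temp directory), while the IT-installed client and notepad are not.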
