26 January 2023

Hackers increasingly abusing RMM software for nefarious purposes


Threat actors are increasingly misusing legitimate remote monitoring and management (RMM) software to conduct phishing scams and other malicious activity, according to a joint security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC).

According to the advisory, at least two federal agencies in the United States fell victim to a “widespread cyber campaign” in which threat actors used phishing emails that led to the download of legitimate RMM software, namely ScreenConnect (now ConnectWise Control) and AnyDesk, which was then used in a refund scam and the subsequent theft of money from victims' bank accounts.

CISA notes that this financially motivated phishing campaign is related to malicious typosquatting activity reported by Silent Push in October 2022.

While the observed attacks, which took place in mid-June and mid-September 2022, appear to be financially motivated, threat actors could weaponize the unauthorized access for other nefarious purposes, including selling that access to other hackers.

“Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cyber criminal or advanced persistent threat (APT) actors,” the security agencies said. “This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).”
