The use of legitimate remote monitoring and management (RMM) tools among cybercriminals targeting government firms have gotten so widespread that US Federal law enforcement and intelligence agencies have been forced to issue a joint warning.
In their alert, the NSA, CISA, and MS-ISAC said they discovered malicious (opens in new tab) activity inside the networks belonging to “multiple federal civilian executive branch (FCEB) agencies”.
The organizations were prompted to do the analysis after cybersecurity researchers Silent Push published their report in October 2022. To do that, they deployed EINSTEIN – a federal civilian executive branch (FCEB)-wide intrusion detection system (IDS) operated and monitored by CISA, to analyze the state of the networks.
Fake help desk emails
What they found was linked to a “widespread, financially motivated phishing campaign” Silent Push had earlier referred to.
The crooks start by sending fake help desk phishing emails to email addresses belonging to people working for various government institutions.
“The authoring organizations assess that since at least June 2022, cyber criminal actors have sent help desk-themed phishing emails to FCEB federal staff’s personal, and government email addresses,” it says in the alert. “The emails either contain a link to a ‘first-stage’ malicious domain or prompt the recipients to call the cybercriminals, who then try to convince the recipients to visit the first-stage malicious domain.”
The goal of the campaign is to have the victims download RMM, in an attempt to refund the money accidentally paid for software (the victims never really paid for anything, but that’s part of the fraud scheme). Once they download and run the software, the crooks will try and get them to log into their bank accounts. If that happens, they find a way to steal the money.
“Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors,” the organizations further stated.
“Malicious cyber actors could leverage these same techniques to target National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks and use legitimate RMM software on both work and home devices and accounts.”
Via: BleepingComputer (opens in new tab)
