Hackers Use Legitimate RMM Software to Steal from Federal Employees

A new joint cybersecurity advisory warns of cybercriminals’ malicious use of legitimate remote monitoring and management (RMM) software.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released the advisory. Several federal civilian executive branch (FCEB) agencies fell victim to a financially motivated phishing campaign.

In October, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, threat actors sent phishing emails that led to the download of legitimate RMM software – ScreenConnect (now ConnectWise Control) and AnyDesk – which they used in a refund scam to steal money from victim bank accounts.

As of last June, CISA has observed threat actors sending help desk-themed phishing emails to FCEB staff’s personal and government email addresses.

After downloading the RMM software, threat actors typically use it to initiate a refund scam. They convince the target to log into their bank account while still connected to the system.

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cybercriminal or advanced persistent threat (APT) actors.

Campaign Highlights Threats Associated with RMM Software

This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software. After gaining access to the target network via phishing or other techniques, malicious cyber actors, from cybercriminals to nation-state sponsored APTs, are known to use legitimate RMM software as a backdoor for persistence and/or command and control.

Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation. They effectively bypass common software controls and risk management assumptions.

Michael Jenkins, ThreatLocker‘s CTO, said the weaponization of RMMs has been an ongoing theme in recent times.

ThreatLocker’s Michael Jenkins

“RMM is the foundation of business operations for MSPs and IT help desks, giving administrators the functionality of remote access, remote patching, installing software and overall maintenance,” he said. “As it is such a vital business tool for IT professionals, RMMs have access to a tremendous amount of data. Hackers manipulating these tools will be like handing the keys to the kingdom or your organization.”

Modern-day attacks on RMMs have caused “insurmountable” losses for SMBs, possibly crippling the company as they suffer from more extended downtime than larger enterprises, Jenkins said.

“Most importantly, it is a loss of trust and confidence from the end-user,” he said. “To defend against the manipulations of RMMs and other supply chain attacks, IT administrators should utilize a zero trust model as a baseline in their cybersecurity offerings.”

Using RMM Software Reduces Hackers’ Risk

Patrick Tiquet is Keeper Security‘s vice president of security and architecture. He said cybercriminals reduce their risk of discovery when using legitimate software such as RMM that may have already been installed on the victim’s device.

Keeper Security’s Patrick Tiquet

“Using portable executables provides a way for these bad actors to establish local user access without the need for administrative privilege or full software installation,” he said. “A malicious attack that’s launched through legitimate software bypasses common software controls and creates fewer new files that detection tools would catch.”

These government employees likely focused on the “pinstripes” of the email, such as the logo or colors of a legitimate site, to lure them into clicking, and thus executing the malicious download of RMM software, Tiquet said.

“Portable executables of this legitimate software were used to steal money from the victims,” he said. “However, the access provided through this scheme also puts these organizations at risk of additional malicious activity as well. Government network defenders should review the indicators of compromise and apply CISA’s mitigation recommendations immediately. And all organizations should be aware and on the lookout for this type of phishing scheme. It’s equally important to train employees how to identify suspicious phishing emails or smishing text messages that seek to install malware into critical systems, prevent user access and steal sensitive data.”

Thwarting Social Engineering

Erfan Shadabi is head of marketing at Comforte AG, a data security provider.

Comforte’s Erfan Shadabi

“All it takes is one moment of inattention or gullibility, and the threat actor carrying out social engineering techniques is one step closer to the ultimate goal,” he said. “Organizations can do two things. One, build an organizational culture that values data privacy and encourages employees to slow down and consider all of the ramifications before acting on requests for sensitive information. If business leaders can get behind initiatives that help employees take the time to do the right thing, then the culture of data privacy and data security will be that much stronger. Two, IT leaders can consider data-centric security as a means to protect sensitive data rather than the perimeters around data.”

Tokenization, for example, doesn’t just make sensitive data elements incomprehensible, Shadabi said. It also preserves data format so business applications and users can still work with the data in protected states.

“If you never de-protect data, chances are that even if it falls into the wrong hands, the sensitive information cannot be compromised,” he said.