Behind the Hack: How a remote monitoring software scam fooled federal employees
In October 2022, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) uncovered a large-scale campaign of cyber intrusion and theft which relied upon the “malicious use of legitimate remote monitoring and management (RMM) software.” Cybercriminals sent federal employees at two agencies phishing emails that informed them of a fake pending payment for IT services. These messages contained a phone number that urged them to visit a fraudulent domain, from which they downloaded malicious RMM software.
This attack was yet another example of how cybercriminals lure their victims into providing access to critical systems and networks – as well as a reminder of the value of cybersecurity awareness training (CSAT). CISA posted a screenshot of one of the emails, which contained a long list of red flags that a trained employee would have been capable of identifying:
The emails were crammed with grammatical errors, randomly capitalized and missing words, broken sentences, and many other mistakes. Cyber-aware employees are always on the lookout for evidence that a message wasn’t crafted by a legitimate company, and the email shared by CISA was rife with warning signs.
Another cause for alarm was the coercive nature of the message, which stated that victims only had 24 hours to cancel their subscriptions if they wanted to avoid a $400 charge. Employees should automatically be suspicious when an interlocutor tells them to transfer money, provide access, or do anything else immediately.
Instead of using the phone number provided in the email to contact a fake customer service operation, the employees could have looked up the legitimate corporate website and used the number posted there. Employees should always cross-check the information in an email with what they can find on legitimate websites.
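The three red flags described above (a hard deadline, a demand for money, and a phone number the reader is told to call in place of a link) can be turned into a small triage heuristic that a mail gateway or a help desk could run over reported messages. The Python below is an added example written for this page, not code from NINJIO, CISA or Silent Push; the regular expressions, weights, thresholds, and the two sample messages are constructed for illustration and are assumptions, not tuned values.

```python
import re
from dataclasses import dataclass, field

# Heuristics modelled on the red flags in the text. All weights and
# thresholds below are assumptions chosen for this example.
URGENCY_RE = re.compile(
    r"\b(?:within|in the next|only have)\s+\d{1,2}\s*(?:hours?|hrs?|days?)\b"
    r"|\b(?:immediately|right away|urgently?)\b",
    re.I,
)
MONEY_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_RE = re.compile(
    r"\b(?:call|dial|phone)\b.{0,40}?\b(?:number|helpline|hotline|support)\b",
    re.I | re.S,
)
URL_RE = re.compile(r"https?://\S+", re.I)
CAPS_RATIO_THRESHOLD = 0.20  # assumption: share of oddly capitalized words
SUSPICIOUS_SCORE = 3         # assumption: score at which we escalate


def mid_sentence_caps_ratio(text: str) -> float:
    """Fraction of non-sentence-initial words written Capitalized.
    A crude proxy for the 'randomly capitalized words' red flag."""
    total = capped = 0
    for sentence in re.split(r"[.!?]\s+", text):
        words = re.findall(r"[A-Za-z]+", sentence)[1:]  # skip first word
        total += len(words)
        capped += sum(1 for w in words if re.fullmatch(r"[A-Z][a-z]+", w))
    return capped / total if total else 0.0


@dataclass
class Verdict:
    score: int = 0
    flags: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_SCORE


def score_email(body: str) -> Verdict:
    """Score one message body against the red flags; higher is worse."""
    v = Verdict()

    def hit(weight: int, flag: str) -> None:
        v.score += weight
        v.flags.append(flag)

    if URGENCY_RE.search(body):
        hit(2, "deadline or urgency language")
    if MONEY_RE.search(body):
        hit(1, "specific monetary charge")
    has_phone = bool(PHONE_RE.search(body))
    if has_phone and CALL_RE.search(body):
        hit(2, "asks the reader to call a number given in the message")
    elif has_phone:
        hit(1, "contains a phone number")
    if has_phone and not URL_RE.search(body):
        # Callback lures carry no link, so URL-based filters see nothing.
        hit(1, "callback lure: phone number but no link")
    if mid_sentence_caps_ratio(body) > CAPS_RATIO_THRESHOLD:
        hit(1, "random mid-sentence capitalization")
    return v


# Constructed sample messages (not the email CISA published).
PHISH_SAMPLE = (
    "Dear Customer, Your Subscription for Total Protect Plan has been Renewed "
    "Successfully. The amount of $399.99 will be Debited from your account within "
    "24 hours. If you wish to Cancel the subscription, call our Helpline at "
    "+1 (800) 555-0199 immediately."
)
LEGIT_SAMPLE = (
    "Hi Dana, your invoice for March is attached. Payment is due on the 30th as usual. "
    "Let me know if you have questions.\nThanks, Accounts team"
)

if __name__ == "__main__":
    for name, body in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        verdict = score_email(body)
        print(f"{name}: score={verdict.score} suspicious={verdict.suspicious}")
        for flag in verdict.flags:
            print(f"  - {flag}")
```

The "phone number but no link" rule is the one worth noting: a callback lure gives link-scanning and URL-reputation filters nothing to inspect, which is exactly why the message relies on the recipient dialling the number instead of being taught to look it up on the vendor's real site. A heuristic like this is a triage aid for the security team, not a replacement for the employee habits the text describes.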
CISA reports that suspicious activity was detected on many other government networks and that the attack was “part of a widespread, financially motivated phishing campaign.” The threat intelligence team at Silent Push recently discovered an “entire network of threat activity, masquerading as numerous global brand names and infecting machines with a malicious file disguised as a remote monitoring tool.” These brand names include Amazon, Microsoft, Geek Squad, McAfee, Norton, and PayPal. According to CISA, the cyberattack on federal agencies is related to this campaign.
Remote Monitoring Intrusions a Growing Trend
The spate of recent RMM intrusions demonstrates that cybercriminals are continuing to use social engineering in their most sophisticated and destructive cyberattacks. CISA highlights how social engineering was integral to the infiltration of the federal government: “After gaining access to the target network via phishing or other techniques, malicious cyber actors … are known to use legitimate RMM software as a backdoor for persistence and/or command and control.” At a time when phishing attacks are surging and 82 percent of data breaches involve a human element, effective CSAT is becoming more essential to block these types of attacks.
Over the past several years, NINJIO has built an extensive library of cybersecurity awareness content that addresses the vulnerabilities that cybercriminals are continuing to exploit with devastating consequences. For example, NINJIO episodes have covered phishing at length – such as spear phishing attacks in which cybercriminals impersonate trusted contacts to convince victims to disclose sensitive information. Spear phishing is the topic of many NINJIO episodes, including “The Playbook”, “Homephished”, “Voicemail Fail”, and “A Terminal Mistake”. Although these episodes cover many aspects of phishing, they share a common theme: employees can prevent these attacks by identifying suspicious behavior, contacting legitimate sources of information, and proactively reporting incidents to their security teams.
It’s All Phishing in the End
It’s no surprise that there are more victims of phishing than any other type of cybercrime – phishing is an indispensable aspect of many cyberattacks, as it can facilitate the direct theft of information and provide a gateway to larger breaches. Phishing also intersects with many other cyberthreats, such as ransomware – to gain the initial access that allows cybercriminals to hold data hostage, they often rely on phishing. The most recent Verizon Data Breach Investigations Report tracked a 13 percent year-over-year increase in ransomware attacks. Several NINJIO episodes focus on ransomware as well, such as “Cliffhanger”, “Plug and Play”, and “Ransomware is Everywhere”.
The use of remote monitoring and management software to attack the federal government is a reminder that cybercriminals are always hatching new schemes to infiltrate secure systems, disrupt operations, and steal sensitive information. But their reliance on phishing and other forms of social engineering demonstrates that the cybersecurity principles reinforced by CSAT content continue to be the most effective way to prevent cyberattacks. As long as employees are on the front lines of these attacks, CSAT will be the most valuable tool companies and other organizations have to keep themselves safe.