CyberWire Daily - CISA Alert AA23-025A – Protecting against malicious use of remote monitoring and management software. [CISA Cybersecurity Alerts]

Episode Date: January 26, 2023

CISA, NSA, and the MS-ISAC are releasing this alert to warn network defenders about malicious use of legitimate remote monitoring and management software.

AA23-025A Alert, Technical Details, and Mitigations. For a downloadable copy of IOCs, see AA23-025.stix.

Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains.

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered 25th, 2023. CISA, NSA, and the MS-ISAC are releasing this alert to warn network defenders about malicious use of legitimate remote monitoring and management software. In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software, ScreenConnect, now named ConnectWise Control, and AnyDesk, which the actors used in a refund scam to steal money from victim bank accounts. Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cybercriminal or APT actors.
Starting point is 00:01:10 This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software. After gaining access to the target network via phishing or other techniques, malicious cyber actors are known to use legitimate RMM software as a backdoor for persistence and command and control. Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation,
Starting point is 00:01:34 effectively bypassing common software controls and risk management assumptions. The alert documentation linked in the show notes includes indicators of compromise, TTPs, and mitigation actions. CISA and NSA strongly encourage network defenders to review the indicators of compromise and mitigations sections in this alert and apply the recommendations to protect against malicious use of legitimate RMM software. To report incidents and anomalous activity, or to request incident response resources or technical assistance,
Starting point is 00:02:03 contact CISA at report@cisa.gov or call 888-282-0870 or report incidents to your local FBI field office. This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by The Cyber Wire as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes. This has been a CISA Cybersecurity Alert.
