CISA Alert AA23-025A – Protecting against malicious use of remote monitoring and management software

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Three tack Zero Two Five Alpha.

Original release date: January twenty fifth, 2023.

CISA, NSA, and the MS-ISAC (pronounced “M S eye-sack”) are releasing this alert to warn network defenders about malicious use of legitimate remote monitoring and management software. In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect, now named ConnectWise Control, and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cyber criminal or APT actors. This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors are known to use legitimate RMM software as a backdoor for persistence and command and control.

Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions.

The alert documentation linked in the show notes includes indicators of compromise, TTPs, and mitigation actions. CISA and NSA strongly encourage network defenders to review the Indicators of Compromise and Mitigations sections in this alert and apply the recommendations to protect against malicious use of legitimate RMM software.

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.