CISA: Phishing campaign targeting US federal agencies went undetected for months
Threat actors used legitimate remote access software to maliciously target federal employees
The US' Cybersecurity and Infrastructure Security Agency (CISA) has revealed that several federal civilian executive branch (FCEB) agencies have fallen victim to a widespread phishing campaign.
The campaign abused legitimate remote monitoring and management (RMM) software and emails were sent to staff starting in the middle of 2022. The majority were themed around helpdesk emails falsely notifying victims that they had been sent an accidental refund, or needed to cancel a subscription.
Links included in the emails led to a first-stage malicious domain which would launch an executable that connected to a second-stage domain that downloaded an RMM program.
CISA said threat actors would remotely monitor the victim’s screen and instruct them to access their bank account, then alter the balance to make it seem as though the victim had been sent money. They would then instruct for the 'excess' amount to be sent back to an account set up for the scam.
Although the agency did not provide specifics on the scam, its description bears a strong resemblance to the methods used prevalently by online scammers targeting vulnerable civilians.
Often claiming to be calling from tech support at a large company, such as Microsoft, they would block the victim's view of their display using the RMM tools and use a browser's 'inspect element' function to make the bank balance appear as though it had changed.
According to CISA's account, the threat actors used AnyDesk and ScreenConnect as portable executables, which can run without administrator privileges and are not flagged as malicious by antivirus programs or malware removal tools.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
This allowed the software to run without being approved by network administrators at the affected agencies, and could have facilitated an attack on devices that shared an intranet with that of the victim.
Another method saw threat actors send victims emails urging victims to call a phone number on similar financial pretences to the emails containing links. They would then be urged to manually navigate to one of the threat actors’ malicious domains.
In June 2022, one FCEB employee called the number and was given instructions to open a malicious domain on their device. At the time the CISA detected the campaign in October 2022, traffic was being sent and received between a compromised FCEB server and the malicious domain ‘myhelpcare[.]cc’.
"Targets can include managed service providers (MSPs) and IT help desks, which regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions," the CISA said.
"These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP's customers. MSP compromises can introduce significant risk - such as ransomware and cyber espionage - to the MSP’s customers."
The CISA has urged organisations to follow best practices for blocking phishing emails, and train employees to recognise techniques used by social engineers.
It has additionally recommended the use of enhanced application controls to prevent the installation and execution of portable unauthorised RMM software, and for RMM ports to be blocked at network perimeters.
In an advisory, the CISA noted that the threat actors behind the campaign appear to have run it for profit only but that similar techniques could be used by threat actors for significant harm.
2022 Magic quadrant for Security Information and Event Management (SIEM)
SIEM is evolving into a security platform with multiple features and deployment models
The CISA, National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) SAID that threat actors could have sold remote access to victim accounts to more dangerous groups such as advanced persistent threat actors (APTs).
The agencies also warned that the attacks prove the potential for legitimate RMM programs to be used by threat actors to seize control of devices remotely, and bypass administrator controls to launch malware operations.
“In October, CISA identified a widespread cyber campaign in which cyber criminal actors leveraged RMM software to gain command and control of devices and accounts,” said the NSA in its press release.
“Malicious cyber actors could leverage these same techniques to target National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks and use legitimate RMM software on both work and home devices and accounts. Other RMM software solutions could be abused to similar effect.”
Over the past 12 months, the CISA has enacted strong, government-wide policies to strengthen the nation's cyber security posture. A notable example from the past year, was the bill that passed in August outlawing software containing any vulnerabilities to ensure secure-by-design federal systems.
In November 2021, it also launched a 'mandatory patch list' for FCEB agencies to abide by. This was comprised of the most dangerous and commonly exploited security vulnerabilities, complete with deadlines for each agency by which to apply the patches.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.