Attackers use portable executables of remote management software to great effect
Tricking users at targeted organizations into installing legitimate remote monitoring and management (RMM) software has become a familiar pattern employed by financially motivated attackers.
No organization is spared, not even agencies of the US federal civilian executive branch – as the Cybersecurity and Infrastructure Security Agency (CISA) warned on Wednesday.
Attackers’ modus operandi
“In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts,” the agency shared.
After discovering the maliciously installed software on a system at one of the FCEB agencies, CISA went searching for and found more systems compromised in the same way at other agencies.
The phishing emails are help desk-themed – e.g., they impersonate the Geek Squad or GeekSupport – and “threaten” the recipient with the renewal of a pricey service/subscription. The goal is to get the recipient to call a specific phone number manned by the attackers, who then try to convince the target to install the remote management software.
“CISA noted that the actors did not install downloaded RMM clients on the compromised host. Instead, the actors downloaded AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the actor’s RMM server,” the agency explained.
“Portable executables launch within the user’s context without installation. Because portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software’s installation on the network. Threat actors can leverage a portable executable with local user rights to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service.”
RMM software also doesn’t usually trigger antivirus or anti-malware solutions on endpoints.
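Since the binaries themselves are legitimate, a defender has to look at how and from where they run rather than at signatures. The following is an added example (not code from the article or from CISA) of that heuristic: it flags process-creation records whose image name looks like AnyDesk or ScreenConnect but which execute from outside the usual installed locations, i.e. as a portable copy in a user-writable directory. The event records, directory roots and name markers are constructed assumptions for illustration.

```python
"""Flag RMM portable executables running from user-writable locations.

Added example; the sample events, installed-root list and name markers
are assumptions, not values taken from the advisory."""
from pathlib import PureWindowsPath
from typing import Optional

# Lower-cased substrings of image file names associated with the two RMM
# tools named in the advisory (assumption: matched on the file name only).
RMM_MARKERS = ("anydesk", "screenconnect", "connectwise")

# Where an administrator-installed RMM client would normally live.
# A copy anywhere else is treated as a portable executable.
INSTALLED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True when `path` lies inside `root` (pure path comparison, no disk access)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def classify(record: dict) -> Optional[str]:
    """Return a finding for one process-creation record, or None if it looks benign."""
    image = PureWindowsPath(record["image"])
    if not any(marker in image.name.lower() for marker in RMM_MARKERS):
        return None
    if any(is_under(image, root) for root in INSTALLED_ROOTS):
        return None  # installed copy: covered by normal install controls
    # Launched from Downloads, AppData, Temp, etc. in the user's own context.
    return f"portable RMM executable: {image} run by {record['user']}"


def scan(events) -> list:
    """Apply classify() to every record and return the findings."""
    return [finding for e in events if (finding := classify(e))]


# Constructed sample records in the shape of a simplified process-creation event.
SAMPLE_EVENTS = [
    {"user": r"CORP\alice", "image": r"C:\Users\alice\Downloads\AnyDesk.exe"},
    {"user": r"CORP\bob", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"user": r"CORP\carol", "image": r"C:\Users\carol\AppData\Local\Temp\ScreenConnect.Client.exe"},
    {"user": r"CORP\dave", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In practice the same rule can be expressed over Sysmon event ID 1 or Windows Security event 4688 data, which carry the image path and the account that launched it.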
Potential targets and risk mitigation advice
In the campaign found by CISA, the actors used the RMM software to initiate a refund scam, but they could just as easily do other things with the access they gained. For example, they could use it to try to reach other systems on the same network, or simply sell the victim account access to ransomware gangs or APT actors.
And while any organization can make a good target, managed service providers (MSPs) and IT help desks make the best targets, as they use RMM software to remotely (and legitimately!) interact with customer systems.
“These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP’s customers. MSP compromises can introduce significant risk—such as ransomware and cyber espionage—to the MSP’s customers,” CISA added.
The agency has shared indicators of compromise anyone can use to search for evidence of a successful attack on their systems, and has offered advice for network defenders on how to minimize this particular risk.