Federal agencies infested by cyberattackers via legit remote-management systems
It has come to light that hackers cleverly utilized two off-the-shelf remote monitoring and management systems (RMMs) to breach multiple Federal Civilian Executive Branch (FCEB) agency networks in the US last summer.
On Jan. 25, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory detailing the attacks, warning the cybersecurity community about the malicious use of commercial RMM software, and offering mitigations and indicators of compromise to watch out for.
IT service providers use RMMs to remotely monitor and manage clients’ networks and endpoints. But hackers can use the same software to bypass typical software control policies and authorization requirements on victim computers — as the US government found out.
How Hackers Breached the Government With RMMs
Last October, CISA conducted a retrospective analysis of Einstein — its intrusion detection system, deployed across FCEB agencies. The researchers found, perhaps, more than they’d bargained for.
In mid-June last year, hackers sent a phishing email to an FCEB employee’s government address. The email prompted the employee to call a phone number. Calling the number prompted them to visit a malicious Web address: “myhelpcare.online.”
Visiting the domain triggered the download of an executable, which then connected to a second domain, which is where two RMMs — AnyDesk and ScreenConnect (now ConnectWise Control) — came into play. The second domain didn’t actually install AnyDesk and ScreenConnect clients onto the target’s machine. Instead, it downloaded the programs as self-contained, portable executables, configured to connect back to the threat actor’s server.
Why does this matter? “Because,” the authoring organizations explained, “portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software’s installation on the network.”
Having made a mockery of admin privileges and software controls, the threat actors could then use the executable “to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service.”
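The practical consequence for defenders is that install-time controls never fire for a portable RMM binary, so detection has to look at execution and at the callback traffic instead. The following is an added example, not code from the advisory or the article: it scans constructed process-creation and DNS log lines for RMM binaries launched outside an admin-installed location and for lookups of the two domains the advisory names. The log format is invented, the ScreenConnect client executable names and the "approved" install directories are assumptions.

```python
import re
from pathlib import PureWindowsPath

# RMM client binaries the advisory discusses. AnyDesk.exe is the known client name;
# the two ScreenConnect names are assumed client executable names, not from the page.
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe",
                "screenconnect.windowsclient.exe"}
# Assumed locations where an approved, admin-installed copy would normally live.
APPROVED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Callback domains named in the advisory.
SUSPECT_DOMAINS = {"myhelpcare.online", "myhelpcare.cc"}

# Constructed log format: "<timestamp> <proc|dns> key=value|key=value|..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>proc|dns) (?P<rest>.*)$")

def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split("|") if "=" in kv)
    fields.update(ts=m["ts"], kind=m["kind"])
    return fields

def classify_process(image):
    """'portable-rmm' if an RMM binary runs outside an approved install dir,
    'installed-rmm' if it runs from one, None if it is not an RMM binary."""
    path = image.lower()
    if PureWindowsPath(path).name not in RMM_BINARIES:
        return None
    return "installed-rmm" if path.startswith(APPROVED_DIRS) else "portable-rmm"

def detect(lines):
    """Walk log lines and return (timestamp, host, reason) alerts."""
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "proc":
            if classify_process(rec.get("image", "")) == "portable-rmm":
                alerts.append((rec["ts"], rec.get("host", "?"),
                               "portable RMM executed: " + rec["image"]))
        else:  # dns
            q = rec.get("query", "").lower().rstrip(".")
            if q in SUSPECT_DOMAINS or any(q.endswith("." + d) for d in SUSPECT_DOMAINS):
                alerts.append((rec["ts"], rec.get("host", "?"), "lookup of advisory domain: " + q))
    return alerts

# Constructed sample telemetry mirroring the advisory's sequence (not real data).
SAMPLE_LOG = [
    "2022-06-15T10:01:50Z dns host=WS01|query=myhelpcare.online",
    "2022-06-15T10:02:11Z proc host=WS01|user=jdoe|image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "2022-06-15T10:02:30Z proc host=WS01|user=jdoe|image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe",
    "2022-06-15T10:05:00Z proc host=WS02|user=itadmin|image=C:\\Program Files\\AnyDesk\\AnyDesk.exe",
    "2022-06-15T10:06:00Z dns host=WS02|query=updates.example.com",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, host, reason in detect(SAMPLE_LOG):
        print(ts, host, reason)
```

The admin-installed AnyDesk on WS02 is deliberately left unflagged: the point is to separate sanctioned IT use from a user-launched portable copy, which an install-time allowlist cannot do.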
It turns out, though, that the June compromise was merely the tip of an iceberg. Three months later, traffic was observed between a different FCEB network and a similar domain — “myhelpcare.cc” — and further analysis, the authors recalled, “identified related activity on many other FCEB networks.”
Despite targeting government employees, the attackers appear to have been financially motivated. After connecting to target machines, they enticed victims to log in to their bank accounts, then “used their access through the RMM software to modify the recipient’s bank account summary,” the authors wrote. “The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to ‘refund’ this excess amount to the scam operator.”
To read the complete article, visit Dark Reading.