In a joint cybersecurity advisory, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) warn that threat actors used legitimate remote monitoring and management software to gain access to the networks of multiple federal civilian executive branch agencies. The advisory includes technical details, indicators of compromise, and recommended mitigations.
Note
- This is even more difficult to detect if the attacker does not install any new software, but uses existing remote control software on the host. Access to these tools needs to be monitored. Make sure you are not instrumenting your network with “attack tools”. This also reminds me a bit of the old days when attackers used console servers to bypass organizations’ perimeter security stacks.
- A few years ago in the SANS annual threat report, SANS highlighted “Living Off the Land” attacks where both OS capabilities (like remote desktop) and installed software tools were used by bad guys to facilitate attacks and evade detection. The campaign discussed is a good illustration and a good one to use in security awareness material – there are a lot of chances for a user to say, “wait a minute…” and click X in the upper right corner – and, ideally, report a phishing attempt to security using the convenient menu bar item you have provided for them.
- I have a person I work with in their 70s who fell for a phishing scam using RMM like this on their iPhone. The first alarming part I found is that AnyDesk could be used on an iPhone, which I had no idea was a thing. The second part of that conversation was that they fell for it because, according to them (unconfirmed), Apple support also used AnyDesk a few weeks before to troubleshoot their device. That felt a bit alarming. Be very careful to explain to friends and family that internet-based remote control is dangerous.
- The CISA article includes IOCs for your threat hunters to follow up on. Yes, this is a social engineering attack, tricking users into installing remote management software and a refund scam to get access to users’ systems and bank accounts. You should be checking for installations of any remote management software. Take this scenario to your training team to make sure they have this type of social engineering covered, and that people are training regularly. Remember, after 4-6 months, retention fades.
- A slightly different spin on Living off the Land Attacks. It starts first with a specially crafted phishing/smishing/vishing message that lures the unsuspecting victim to visit a malicious domain. While user training on phishing attacks is now part of annual security awareness training, some attacks will still get through. Proper configuration, patch, and network management are still highly important to limit attacker success.
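An added example, not from the advisory or from the editors above: a small Python check that flags RMM tools in a software inventory export when the (host, product) pair is not on an approval list, raising severity when the binary sits under a user-writable path where a user-run installer or portable copy would land. The RMM name list, approval table and inventory records are constructed; AnyDesk is the only product named on this page, the other names are assumed.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative RMM product names; AnyDesk is the one named on this page, the others are assumed.
RMM_KEYWORDS = ("anydesk", "teamviewer", "screenconnect")

# Constructed approval table: (host, product) pairs where an RMM tool is expected.
APPROVED = {("HELPDESK-01", "anydesk")}

# Path fragments an IT-managed installer would not normally use; a match raises severity.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\downloads\\", "\\temp\\")


@dataclass
class Finding:
    host: str
    product: str
    path: str
    severity: str  # "high", "medium" or "low"


def classify(record: dict) -> Optional[Finding]:
    """Return a Finding if the inventory record is an RMM tool worth a hunter's attention."""
    name = record["product"].lower()
    product = next((k for k in RMM_KEYWORDS if k in name), None)
    if product is None:
        return None  # not an RMM product we track
    path = record["path"].lower()
    in_user_dir = any(marker in path for marker in USER_WRITABLE)
    approved = (record["host"].upper(), product) in APPROVED
    if approved and not in_user_dir:
        return None  # expected tool in its expected location
    if not approved and in_user_dir:
        severity = "high"    # unknown RMM running from a user-writable path
    elif not approved:
        severity = "medium"  # unknown RMM, system-wide install
    else:
        severity = "low"     # approved tool, but in an unexpected location
    return Finding(record["host"], product, record["path"], severity)


def scan(records: list) -> list:
    """Run classify() over an inventory export and keep only the findings."""
    return [f for f in (classify(r) for r in records) if f is not None]


# Constructed sample inventory (host, product, path), not real data.
SAMPLE_INVENTORY = [
    {"host": "HELPDESK-01", "product": "AnyDesk", "path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "FIN-WS-07", "product": "AnyDesk", "path": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"host": "FIN-WS-07", "product": "Microsoft Office", "path": r"C:\Program Files\Microsoft Office\OFFICE16"},
    {"host": "HR-WS-02", "product": "TeamViewer", "path": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"host": "HELPDESK-01", "product": "AnyDesk", "path": r"C:\Users\tech\AppData\Local\AnyDesk\AnyDesk.exe"},
]
```

Run `scan(SAMPLE_INVENTORY)` over a real inventory export (EDR or asset-management CSV mapped to the same three keys) and route "high" findings to the hunting queue first.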
Read more in