The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Multi-State Information Sharing and Analysis Center have released a joint advisory warning network defenders about the malicious use of legitimate remote monitoring and management (RMM) software against government employees to steal banking credentials.
In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, criminal actors sent phishing emails that led to the download of legitimate RMM software which the actors used in a refund scam to steal money from victim bank accounts.
In one technique, the actors sent an email that mimicked legitimate brands, with a link to an actor-controlled website that provided an RMM install file pre-configured to connect to the actor’s servers. In another, the email provided a phone number to call, and upon calling the number the victim would be directed to one of the malicious websites.
In both cases, the actor would then deceive the victim into logging into bank accounts while the actor was monitoring their actions remotely via the RMM software. The actor could then manipulate what the victim was seeing on their screen to convince them they had received an excessive refund, which the victim would then be directed to “correct” by sending the actor money.
The authors of the advisory assess that this campaign could lead to additional types of malicious activity such as selling victim account access to other cybercriminals or advanced persistent threat actors. This highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious actors are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).
Once the RMM software has been installed by the victim and the attacker has gained their trust, there is little that existing solutions can do to prevent the attacker from stealing the data they are targeting. That is why it’s crucial to prevent the attack at its earliest stage, in this case – and in many others – when the user attempts to visit the malicious website in their browser.
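The advisory’s point that the RMM installer itself is legitimate software means the defender’s signal is not the binary but its provenance: which tool it is, whether IT has sanctioned that tool, and whether it was fetched from the vendor or from a look-alike site. The following is an added example (not code from the advisory, CISA, or Conceal) showing how to run that check over web-proxy download records. The log format, the user names, the `.invalid` hostnames, the installer filename patterns, the vendor domain lists and the approved-tool set are all constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed: installer filename patterns for a few RMM tools, mapped to the domains
# the vendor actually serves downloads from. These are illustrative assumptions,
# not values taken from the advisory or the post above.
RMM_INSTALLERS = {
    "anydesk": (re.compile(r"anydesk.*\.exe$", re.I), {"anydesk.com"}),
    "screenconnect": (re.compile(r"screenconnect.*\.(exe|msi)$", re.I),
                      {"screenconnect.com", "connectwise.com"}),
    "teamviewer": (re.compile(r"teamviewer.*\.exe$", re.I), {"teamviewer.com"}),
}

# Assumed: the RMM tools this organisation's IT department has sanctioned.
# Any other RMM installer is flagged regardless of where it came from.
APPROVED_RMM = {"teamviewer"}

# Assumed proxy log layout: "<timestamp> <user> <url> <http-status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def host_allowed(host, allowed_domains):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def classify_download(url):
    """Return (tool, verdict) for a download URL.

    verdict is one of: "not-rmm", "approved-vendor", "unapproved-tool",
    "non-vendor-source".
    """
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1]
    for tool, (pattern, vendor_domains) in RMM_INSTALLERS.items():
        if not pattern.search(filename):
            continue
        if tool not in APPROVED_RMM:
            return tool, "unapproved-tool"
        if host_allowed(parsed.hostname or "", vendor_domains):
            return tool, "approved-vendor"
        return tool, "non-vendor-source"
    return None, "not-rmm"


def flag_suspicious_rmm_downloads(log_lines):
    """Scan proxy log lines and return findings for completed RMM downloads
    that are either unapproved tools or approved tools from a non-vendor host."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        # Skip malformed lines and downloads that did not complete.
        if not m or m["status"] != "200":
            continue
        tool, verdict = classify_download(m["url"])
        if verdict in ("unapproved-tool", "non-vendor-source"):
            findings.append({"ts": m["ts"], "user": m["user"],
                             "tool": tool, "verdict": verdict,
                             "host": urlparse(m["url"]).hostname})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2023-01-25T14:02:11Z alice https://example-brand-support.invalid/download/AnyDesk.exe 200",
    "2023-01-25T14:05:40Z bob https://download.teamviewer.com/TeamViewer_Setup_x64.exe 200",
    "2023-01-25T14:09:03Z carol https://support-portal.invalid/ScreenConnect.ClientSetup.msi 200",
    "2023-01-25T14:11:19Z dave https://intranet.example/reports/q4.pdf 200",
    "2023-01-25T14:15:02Z erin https://download.anydesk.com/AnyDesk.exe 404",
    "2023-01-25T14:20:00Z frank https://mirror.invalid/TeamViewer_Setup.exe 200",
]

if __name__ == "__main__":
    for f in flag_suspicious_rmm_downloads(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}: {f['tool']} ({f['verdict']}) from {f['host']}")
```

Two design choices matter here. First, an unsanctioned RMM tool is flagged even when it comes from the vendor’s own domain, because the campaign’s install files were legitimate software whose only malicious property was the server they were pre-configured to connect to; a vendor-hosted download is therefore not evidence of a benign session. Second, the rule keys on completed downloads (status 200), so it catches the step the post identifies as the last point where prevention is cheap, before the user runs the installer and the actor gains the interactive foothold used for the refund scam, persistence, or C2.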
What’s the Best Browser Security for Phishing Protection?
We built ConcealBrowse because we know that more and more of a company’s employees are working and living inside the browser. Our advanced anti-phishing protection, combined with our intelligent decision engine, protects users from phishing attacks using a combination of intelligence and computer vision technology that identifies websites mimicking real brands and blocks users from downloading files or entering their information on those sites. In this case, that means the RMM would never have been downloaded by the potential victims in the first place.
If you’d like to see how ConcealBrowse can protect your business against phishing and ransomware attacks with our advanced browser protection, try ConcealBrowse for free today.
Written by: Conceal Research Team