A joint cybersecurity advisory has warned network defenders in federal departments against a phishing scam. The scam involves using legitimate remote management and monitoring software, or RMM — like AnyDesk and ScreenConnect — to trick customers into paying refunds. The advisory brings into the limelight a much larger phishing campaign that Silent Push identified in October. In this campaign, threat actors typosquatted well-known brands — such as Amazon, Microsoft, Geek Squad, Norton, McAfee, and PayPal — to conduct refund scams.
Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) led the investigation into the helpdesk-themed phishing operation. This operation targeted Federal Civilian Executive Branch (FCEB) networks.
In the campaign, phishing emails prompted federal employees to download remote desktop tools from a malicious domain. Once the employees ran the remote desktop software, the criminals gained access to their banking credentials. They then used these credentials to falsify the employees’ bank statements so that the targeted employees appeared to owe refunds.
The joint advisory referring to the campaign read, “Since at least June 2022, cybercriminal actors have sent help desk-themed phishing emails to FCEB federal staff’s personal, and government email addresses. The emails either contain a link to a “first-stage” malicious domain or prompt the recipients to call the cybercriminals, who then try to convince the recipients to visit the first-stage malicious domain.”
Callback Phishing on the Rise
Callback phishing campaigns increased by 625% between Q1 2021 and Q2 2022. These campaigns combine email and phone calls rather than relying on voice phishing (vishing) alone, and they usually revolve around a fake invoice or subscription. Despite this growth, callback phishing remains a distant second to standard email phishing, which criminals prefer for its convenience: it doesn’t put the threat actors “on the spot” the way a call does.
That said, a call lends a threat actor a degree of credibility that the impersonal nature of an email may lack. In addition, the emails crafted for this campaign turned out to be detailed and well written, something most phishing emails are not. Moreover, the phishing emails were targeted rather than the usual scattershot attempts.
Unlike normal phishing emails, callback phishing attacks don’t include a link to an attacker’s website. Instead, they use lures (such as high-priced subscription renewals) to get a target to call a dedicated number. On the call, the target is directed to a malicious website, where they inadvertently download an executable file that is supposedly required to refund the renewal price. The executable then connects to a second domain that prompts the download of the remote management software, which the criminals use to tamper with the victim’s bank statements.
The reason behind using RMM software like AnyDesk and ScreenConnect is that these are self-contained, portable executables that don’t require administrator privileges.
Remote Management Toolkits — a Standard Attack Vector
RMM tools have become a standard attack vector for hijacking the credibility of legitimate providers. They also give cybercriminals direct remote access to the victims’ activities. Moreover, they’re easily deployed with just a few tweaks to the legitimate RMM software. A feature that makes RMM tools lethal in the hands of cybercriminals is their ability to evade antivirus detection and establish command and control (C2). Cybercriminals favor email for their phishing campaigns because addresses are a cinch to obtain.
However, the most concerning aspect of the criminals’ use of RMM is its capability to target managed service providers (MSPs), allowing access to all their customers. Highlighting this concern, the advisory stated that “these threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP’s customers. MSP compromises can introduce significant risk — such as ransomware and cyber espionage — to the MSP’s customers.”
Indicators of Compromise (IOCs)
Though the joint advisory has avoided naming specific federal networks breached in the campaign, it has listed indicators of compromise (IOCs) that point to the phishing scam. Following are the domains the advisory has explicitly listed:
Next, the advisory has stressed several recommendations for defending against intrusions via remote management tools. These include auditing remote management applications, barring employees from downloading executable files, and blocking inbound and outbound connections on standard RMM ports and protocols.
Beyond these, organizations can also adopt industry best practices for preventing such attacks. In that context, experts stress conducting routine employee awareness training on phishing and social engineering scams. Network administrators should visit the Silent Push page for a detailed analysis of the phishing campaign. The investigators have outlined the wider range of risks such operations pose, including an extended list of IP addresses and malicious domains.
According to the investigators, the cybercriminals behind this campaign were after financial gain from refund scams. But if they gathered more information, they could mount more sophisticated attacks. For example, they could encrypt company files and demand a ransom, or silently log and observe everything company employees enter, including customer information.
Protection from Phishing Attacks
Ultimately, employee awareness training is the best defense against phishing attacks. As an additional layer of defense, email spam filters detect and automatically block phishing emails, especially those with links to malicious domains. Regarding RMM tools specifically, network administrators should have strict auditing standards in place to allow only authorized software, and should review logs for executions of portable executables.
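The log review described above, as an added example that is not part of the advisory or the original article: it scans constructed process-creation events for the RMM tools the advisory names (AnyDesk, ScreenConnect) and flags copies launched from user-writable locations such as Downloads or Temp, which is where a portable executable that needs no administrator rights would land. The log format, the file names and the approved install path are assumptions for illustration.

```python
import re

# Constructed sample process-creation events (not from the advisory), one per line:
# timestamp | user | full image path
SAMPLE_EVENTS = """\
2023-01-25T09:14:02Z | j.doe | C:\\Users\\j.doe\\Downloads\\AnyDesk.exe
2023-01-25T09:20:45Z | j.doe | C:\\Users\\j.doe\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe
2023-01-25T10:02:11Z | helpdesk-svc | C:\\Program Files\\ScreenConnect Client\\ScreenConnect.WindowsClient.exe
2023-01-25T10:05:30Z | j.doe | C:\\Windows\\System32\\notepad.exe
"""

# Case-insensitive markers for the RMM tools named in the advisory.
RMM_MARKERS = ("anydesk", "screenconnect")
# Directories where a portable, user-launched executable typically lives.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData|Temp|Desktop)\\", re.IGNORECASE)
# Hypothetical allow-list: where IT deploys its own sanctioned RMM client.
APPROVED_PREFIXES = ("c:\\program files\\screenconnect client\\",)

def classify(image: str):
    """Return a finding reason for an RMM binary, or None if it is not RMM or is sanctioned."""
    lower = image.lower()
    name = lower.rsplit("\\", 1)[-1]
    if not any(m in name for m in RMM_MARKERS):
        return None
    if lower.startswith(APPROVED_PREFIXES):
        return None  # sanctioned install; audited separately
    if USER_WRITABLE.search(image):
        return "portable RMM binary launched from user-writable path"
    return "RMM binary outside approved install location"

def scan(log_text: str):
    """Return a list of (timestamp, user, image, reason) for each suspicious RMM execution."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, image = (field.strip() for field in line.split("|", 2))
        reason = classify(image)
        if reason:
            findings.append((ts, user, image, reason))
    return findings

if __name__ == "__main__":
    for ts, user, image, reason in scan(SAMPLE_EVENTS):
        print(f"{ts} {user} {image} -> {reason}")
```

In production the same check would run over Sysmon or EDR process-creation events rather than a pasted string, and the allow-list would come from the organization’s software inventory.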
Experts advise extreme caution even with emails from seemingly legitimate addresses. Cybercriminals may also send spam content as HTML attachments that lead to malicious domains. All of these are tactics cybercriminals use to convince unsuspecting users of their legitimacy.