US federal agencies hacked using legitimate software – CISA

Attackers used legitimate remote monitoring and management software to empty employee bank accounts, the US cyber watchdog warned.

The Cybersecurity and Infrastructure Security Agency (CISA) identified a “widespread cyber campaign” that heavily relied on remote monitoring and management (RMM) software.

According to CISA, attackers sent victims malicious links that led to the download of ScreenConnect and AnyDesk software. Threat actors later used the software in a refund scam to steal money from victims’ bank accounts.

While the attackers appeared financially motivated, CISA fears threat actors could sell victim data to state-sponsored attackers or other cybercriminals.

“Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions,” CISA said.
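One defender-side check that follows from the quoted point, added here as an example that is not part of CISA's advisory or this article: flag RMM client binaries (ScreenConnect, AnyDesk) that run from user-writable locations rather than an administrator-approved install root, and raise the severity when a browser or mail client spawned them. The binary list, install roots, record schema and sample launch records are constructed assumptions.

```python
import ntpath

# Constructed list of RMM client binaries named in the advisory; extend for your estate.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "screenconnect.clientservice.exe": "ScreenConnect",
}

# Where an installed (admin-approved) client is expected to live; assumed for this example.
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Parents that typically hand a user a freshly downloaded file.
DOWNLOAD_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def classify_launch(record):
    """Classify one process-launch record (hypothetical schema: image, parent, user).

    Returns None for non-RMM processes, otherwise a finding with a severity:
    info     - RMM client running from an install root (inventory only)
    high     - RMM client running outside an install root (portable executable)
    critical - portable RMM client launched by a browser or mail client
    """
    image = record["image"].lower()
    tool = RMM_BINARIES.get(ntpath.basename(image))
    if tool is None:
        return None
    finding = {"tool": tool, "image": record["image"], "user": record["user"], "severity": "info"}
    if image.startswith(INSTALL_ROOTS):
        return finding
    finding["severity"] = "high"
    finding["reason"] = "RMM client running outside an install root (portable executable)"
    if ntpath.basename(record.get("parent", "").lower()) in DOWNLOAD_PARENTS:
        finding["severity"] = "critical"
        finding["reason"] += "; launched by a browser or mail client"
    return finding


def triage(records):
    """Return only the findings that need analyst attention (high or critical)."""
    return [f for f in (classify_launch(r) for r in records) if f and f["severity"] != "info"]


# Constructed sample launch records; the paths and user name are illustrative only.
SAMPLE_LAUNCHES = [
    {"image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe", "user": "SYSTEM"},
    {"image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "user": "jdoe"},
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.WindowsClient.exe",
     "parent": r"C:\Windows\explorer.exe", "user": "jdoe"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe", "user": "jdoe"},
]
```

Running `triage(SAMPLE_LAUNCHES)` returns two findings: the AnyDesk launch from Downloads (critical) and the ScreenConnect client in Temp (high); the installed service is logged as info only.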

The agency first noted suspected malicious activity on two federal civilian executive branch (FCEB) systems. Further analysis led to the conclusion that many other FCEB networks are also affected.

Attackers sent phishing emails to FCEB staff at both their personal and government addresses, containing links to malicious domains. The emails claimed that unless the recipient contacted the sender by email, a service “subscription” worth $400 would automatically renew.

To avoid the fictitious “renewal,” victims were prompted to contact the cybercriminals. This led victims to download legitimate RMM software that was supposedly necessary to avoid renewing the subscription.

“In this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam. They first connected to the recipient’s system and enticed the recipient to log into their bank account while remaining connected to the system,” CISA said.

According to the agency, threat actors used their RMM access to modify the victim’s bank account summary so that it appeared the victim had received money from the fictitious service provider. Threat actors then instructed the victim to transfer the “unintentional refund” back to the scam operator.