Using Legitimate Remote Management Systems, Hackers Infiltrate Federal Agencies

When hackers can use RMMs to essentially teleport and get past your defenses, they do not need a key.

Last summer, several Federal Civilian Executive Branch (FCEB) agencies were breached across several states of the US through a clever hacking operation that employed two off-the-shelf remote monitoring and management systems (RMMs). 

A joint advisory was released on Jan. 25, 2013, by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC). This joint advisory shed light on the attacks in detail. It also warned the cybersecurity community of the misuse of commercial RMM software. It also provided mitigation strategies as well as indicators of potential compromise. 

IT service providers use Remote Monitoring and Management (RMM) tools to monitor and manage client networks and endpoints remotely. According to the US government, hackers can use the same software to bypass typical software control policies on victim computers and evade authorization requirements. 

Hackers Used RMMs to Breach the Government's Security 

CISA identified this activity last October as part of a retrospective analysis of EINSTEIN, the intrusion detection system it operates across FCEB agencies. The analysis appears to have turned up more than the researchers had expected. 

In mid-June last year, hackers sent a phishing email to the government email address of an FCEB employee. The email provided a phone number that the recipient was asked to call. When the recipient called the number, they were instructed to visit the malicious website www.myhelpcare.online. 

Visiting this domain downloaded an executable, which then connected to a second domain via its IP address and retrieved two remote monitoring and management tools (RMMs): AnyDesk and ScreenConnect (now ConnectWise Control). Neither AnyDesk nor ScreenConnect was installed on the target computer. 

Instead of being installed as standalone programs, the tools were downloaded as self-contained, portable executables that were configured to connect back to the threat actors' servers. 

Why is this significant? The authoring organizations explain that portable executables do not require administrator privileges, so they can run in environments where a risk management control is in place to audit or block the installation of programs that the corporate IT department has not approved. 

By sidestepping the software controls and admin privilege requirements in this way, the threat actors could move on to other vulnerable machines within the local intranet, or use the executable to establish long-term persistent access as a local user service. 
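The evasion described in the preceding paragraphs leaves a footprint that endpoint telemetry can catch: an RMM binary launched from a user-writable directory rather than a sanctioned install location, and an RMM process calling back to a host that is not one of the organisation's approved relays. The following detection logic is an added example written for this article, not code from the advisory or from CISA. It assumes telemetry arrives as JSON records shaped roughly like Sysmon process-creation and network-connection events, that sanctioned RMM installs live under Program Files, and it uses a placeholder relay suffix (`.rmm-relay.example`) and the lure domain named in the article; the sample log lines are constructed.

```python
"""Constructed example: flag portable RMM executables and unexpected call-backs.

Assumptions (not taken from the advisory): records resemble Sysmon
ProcessCreate / NetworkConnect events; sanctioned RMM deployments live under
Program Files; approved relay hostnames end in a known suffix.
"""
import json
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# Executable names of the two RMM tools discussed in the article.
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}
# Where IT-sanctioned installs are expected (assumed organisational policy).
APPROVED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Lure domain named in the article; a real deployment would load the advisory's
# full indicator list rather than hard-code one value.
KNOWN_BAD_DOMAINS = {"www.myhelpcare.online", "myhelpcare.online"}
# Placeholder: hostname suffixes the sanctioned RMM clients may talk to.
APPROVED_RMM_SUFFIXES = (".rmm-relay.example",)


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one telemetry record, or None if benign."""
    etype = event.get("EventType")
    image = str(PureWindowsPath(event.get("Image", ""))).lower()
    name = PureWindowsPath(image).name
    if etype == "ProcessCreate":
        # An RMM binary running outside the sanctioned install path is the
        # "portable executable" pattern: no installer, no admin prompt.
        if name in RMM_BINARIES and not image.startswith(APPROVED_DIRS):
            return "portable-rmm-launch"
    elif etype == "NetworkConnect":
        host = event.get("DestinationHostname", "").lower()
        if host in KNOWN_BAD_DOMAINS:
            return "known-bad-domain"
        # Any RMM process calling a host outside the approved relays is the
        # connect-back to actor-controlled infrastructure the article describes.
        if name in RMM_BINARIES and not host.endswith(APPROVED_RMM_SUFFIXES):
            return "rmm-unapproved-callback"
    return None


def scan(lines: Iterable[str]) -> List[dict]:
    """Parse JSON log lines and return one finding per suspicious record."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        label = classify(ev)
        if label:
            findings.append({
                "label": label,
                "image": ev.get("Image"),
                "user": ev.get("User"),
                "host": ev.get("DestinationHostname"),
            })
    return findings


# Constructed sample telemetry, mixing sanctioned use with the attack pattern.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe",
     "User": "CORP\\itadmin"},
    {"EventType": "ProcessCreate", "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "User": "CORP\\jdoe"},
    {"EventType": "ProcessCreate",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe",
     "User": "CORP\\jdoe"},
    {"EventType": "NetworkConnect",
     "Image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
     "User": "NT AUTHORITY\\SYSTEM", "DestinationHostname": "relay01.rmm-relay.example"},
    {"EventType": "NetworkConnect", "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "User": "CORP\\jdoe", "DestinationHostname": "relay.attacker.invalid"},
    {"EventType": "NetworkConnect", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "User": "CORP\\jdoe", "DestinationHostname": "www.myhelpcare.online"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\notepad.exe",
     "User": "CORP\\jdoe"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The two process-creation findings are the low-privilege launches the advisory's mitigations target; the call-back finding is the part an application allow-list alone would miss, since the binary itself is a legitimate vendor tool. Pair this with egress filtering that only permits RMM traffic to the relays your tenant actually uses.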

The June compromise, however, appears to have been only the tip of the iceberg. Three months later, further analysis of traffic between a different FCEB network and a similar domain, myhelpcare.cc, turned up related activity, and the authors note that continued analysis revealed related activity involving other FCEB networks as well. 

There is no doubt that the attackers were financially motivated, even though they targeted government employees. After connecting to a target's computer through the RMM software, the actors enticed the victim to log into their bank account to check the balance. The actors then used that access to modify the recipient's bank account summary so that it appeared an excess amount of money had mistakenly been refunded to them, and instructed the recipient to 'refund' the excess to the scam operator.