Hackers Using Legit Remote Desktop Tools to Hack

CISA, NSA and MS-ISAC issued an advisory today that hackers are increasingly using legitimate remote monitoring and management (RMM) software for malicious purposes.

CISA also says that they discovered active malicious activity within multiple federal agencies using their EINSTEIN intrusion detection system after they were alerted by a report from threat intelligence firm Silent Push, in October.

The attackers are phishing and are financially motivated, says CISA and was first detected on a single network in September and then multiple networks more recently.

The attackers began by sending help-desk themed emails as early as last June. The attack either points to a malicious domain or tries to get the victim to call the attacker. Often these are done using fake “invoices” or subscriptions, in an email that tells the victim to call a number, otherwise they will be billed, usually several hundred dollars.

Callback phishing scams have grown by over 600 percent in the last two years.

Once they hook the victim, they get them to go to some web site which requires them to install malicious software in order to get the refund.

Now that this is public, expect the attackers to increase their attack velocity before the word gets out — that is where your organization gets involved.

The best solution to this attack is a combination of training, tools and vigilence.

If you need help with this, please reach out to us.

Credit: Bleeping Computer