US cybersecurity officials are warning network defenders of a cyber campaign using legitimate remote monitoring and management (RMM) software to execute a phishing scam.

The “widespread cyber campaign” impacted at least two federal agencies, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). CISA warned network defenders of the malicious use of RMM software in a joint advisory with the National Security Agency and Multi-State Information Sharing and Analysis Center (MS-ISAC).

In the advisory, the authoring organizations outline that the cyber criminals sent phishing emails that led to a download for legitimate RMM software. The actors then used a refund scam to steal money from victim bank accounts.

In the advisory, the authoring organizations outline that the cyber criminals sent phishing emails that led to a download for legitimate RMM software. The actors then used a refund scam to steal money from victim bank accounts.

“Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions,” the advisory states.

CISA had discovered the cyber activity in October 2022, but by that time, the hackers had been sending phishing emails to federal employees’ personal and government email accounts since June. Forensic analysis of the cyber campaign found related activity on many other federal networks in addition to the two initial agency victims.

Protecting your network

The authoring organizations of the cyber advisory recommended that network defenders review Indicators of Compromise (IOCs) and Mitigations sections in the advisory and apply those recommendations to protect against malicious RMM software use.

Among those recommendations include: implementing best practices to block phishing emails, auditing remote access tools on your network to identify currently used and/or authorized RMM software and to use security software to detect instances of RMM software only being loaded in memory.

“As cyberattack vectors evolve, consumers and businesses alike need to make adjustments to stay ahead,” said EVP at HCLTech Amit Jain.

Adopting cyber frameworks to be adaptive and resilient can help businesses as the cyber landscape shifts. HCLTech’s Dynamic Cybersecurity model is a framework of governance and continual assessment to enable an adaptive and evolving posture while leveraging the best technologies. The model assists businesses in countering cyber risks effectively and helping organizations rethink, reimagine and reengineer enterprise security for a dynamic business.