Officials warn of cyber campaign using RMM software | HCLTech

Employees from at least two U.S. federal civilian agencies were hacked by cybercriminals last year as part of a fraud campaign focused on stealing money from individuals’ bank accounts
3 min. read
Jordan Smith
US Reporter, HCLTech

U.S. cybersecurity officials are warning network defenders of a cyber campaign using legitimate remote monitoring and management (RMM) software to execute a phishing scam.

The “widespread cyber campaign” impacted at least two federal agencies, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). CISA warned network defenders of the malicious use of RMM software in a joint advisory with the National Security Agency and Multi-State Information Sharing and Analysis Center (MS-ISAC).

In the advisory, the authoring organizations outline that the cybercriminals sent phishing emails that led victims to download legitimate RMM software. The actors then used a refund scam to steal money from victims' bank accounts.

“Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions,” the advisory states.

CISA discovered the activity in October 2022, but by then the hackers had been sending phishing emails to federal employees' personal and government email accounts since June. Forensic analysis of the campaign found related activity on many other federal networks in addition to the two initial agency victims.


Protecting your network

The authoring organizations recommended that network defenders review the Indicators of Compromise (IOCs) and Mitigations sections of the advisory and apply those recommendations to protect against malicious use of RMM software.

Those recommendations include: implementing best practices to block phishing emails; auditing remote access tools on the network to identify currently used and/or authorized RMM software; and using security software to detect instances of RMM software that is only loaded in memory.
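The audit the advisory recommends can be approached with a simple allowlist check over process telemetry. The script below is an added example written for this article, not code from CISA or HCLTech. It assumes telemetry records carry the process image path and a flag indicating whether that image exists on disk (the `image_on_disk` field is an assumption about what the endpoint sensor reports), and every RMM tool name and install path in it is a placeholder, not a real product. It flags three conditions the article describes: an RMM family the organization has not authorized, an authorized tool running from somewhere other than its sanctioned install directory (the portable-executable pattern the advisory quote refers to), and an RMM process whose image is not backed by a file on disk.

```python
"""Audit constructed process telemetry for unexpected RMM usage.

Added example, not part of the advisory or the article. Tool names,
install paths and telemetry records are placeholders and constructed
sample data.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Placeholder inventory of authorized RMM tools and their sanctioned
# install directories (assumption: the organization keeps such a list).
AUTHORISED_RMM = {
    "approvedrmm.exe": PureWindowsPath(r"C:\Program Files\ApprovedRMM"),
}

# Placeholder names of RMM families the audit tracks, authorized or not.
KNOWN_RMM_FAMILIES = {"approvedrmm.exe", "otherrmm.exe", "portablermm.exe"}


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    image: str           # full image path as reported by telemetry
    user: str
    image_on_disk: bool  # False when the image has no backing file on disk


def is_under(path: PureWindowsPath, parent: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` lies inside `parent`."""
    p = [c.lower() for c in path.parts]
    q = [c.lower() for c in parent.parts]
    return p[: len(q)] == q


def audit(records):
    """Return (pid, finding, image_name) tuples for suspicious RMM processes."""
    findings = []
    for r in records:
        path = PureWindowsPath(r.image)
        name = path.name.lower()
        if name not in KNOWN_RMM_FAMILIES:
            continue  # not an RMM binary we track
        if name not in AUTHORISED_RMM:
            # RMM family present that the organization never authorized
            findings.append((r.pid, "unauthorised_rmm", name))
            continue
        if not r.image_on_disk:
            # authorized tool, but loaded only in memory: no file backs it
            findings.append((r.pid, "rmm_image_not_on_disk", name))
            continue
        if not is_under(path.parent, AUTHORISED_RMM[name]):
            # authorized tool run as a portable executable from a
            # user-writable location rather than its managed install path
            findings.append((r.pid, "rmm_outside_install_path", name))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE = [
    ProcessRecord(100, r"C:\Program Files\ApprovedRMM\approvedrmm.exe", "SYSTEM", True),
    ProcessRecord(200, r"C:\Users\jdoe\Downloads\approvedrmm.exe", "jdoe", True),
    ProcessRecord(300, r"C:\Users\jdoe\AppData\Local\Temp\portablermm.exe", "jdoe", True),
    ProcessRecord(400, r"C:\Windows\System32\svchost.exe", "SYSTEM", True),
    ProcessRecord(500, r"C:\Program Files\ApprovedRMM\approvedrmm.exe", "jdoe", False),
]

if __name__ == "__main__":
    for pid, finding, name in audit(SAMPLE):
        print(f"pid {pid}: {finding} ({name})")
```

Run against the sample, the script reports the download-folder copy, the unauthorized portable tool, and the in-memory instance, and ignores the ordinary system process. In practice the allowlist and the telemetry source would come from the organization's own asset inventory and endpoint sensor.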

“As cyberattack vectors evolve, consumers and businesses alike need to make adjustments to stay ahead,” said Amit Jain, EVP at HCLTech.

Adopting cyber frameworks that are adaptive and resilient can help businesses as the cyber landscape shifts. HCLTech’s Dynamic Cybersecurity model is a framework of governance and continual assessment that enables an adaptive, evolving posture while leveraging the best technologies. The model assists businesses in countering cyber risks effectively and helps organizations rethink, reimagine and reengineer enterprise security for a dynamic business.
