The use of legitimate remote monitoring and management (RMM) tools has become so widespread among cybercriminals targeting government organizations that US federal law enforcement and intelligence agencies have had to issue a joint warning.
In their alert, the NSA, CISA, and MS-ISAC said they had detected malicious activity within networks belonging to multiple Federal Civilian Executive Branch (FCEB) agencies.
The agencies carried out the analysis after Silent Push cybersecurity researchers published their report in October 2022. To do so, they used EINSTEIN, the FCEB-wide intrusion detection system (IDS) operated and monitored by CISA, to examine the state of the networks.
Fake help desk emails
What they found was related to the “large-scale, financially motivated phishing campaign” that Silent Push had described earlier.
The scammers start by sending bogus help desk emails to the addresses of people working in different government organizations.
“The author organizations estimate that since at least June 2022, cybercriminal actors have sent phishing emails under the heading Helpdesk to the personal and state email addresses of FCEB federal employees,” the alert reads. “The emails either contain a link to a ‘phase one’ malicious domain or urge recipients to contact cybercriminals, who then attempt to convince recipients to visit the malicious ‘phase one’ domain.”
The goal of the campaign is to get victims to download RMM software, supposedly so that money mistakenly charged for a software purchase can be refunded (the victims never paid for anything; the refund is the pretext). Once the software is downloaded and running, the scammers try to get victims to log into their bank accounts. If that happens, they find a way to steal the money.
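The campaign turns on a user running an RMM agent that the IT department never installed, usually straight from a browser download. The following Python script is an added example, not code from the article or the agencies' advisory, showing how a defender can flag exactly that pattern in process-creation telemetry: an RMM executable launched from outside the sanctioned install directories, with higher severity when a browser is the parent process. The log format, the executable names in RMM_PROCESS_NAMES, the sanctioned directories and the browser names are all constructed assumptions to be replaced with an organization's own RMM inventory.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical executable names standing in for whatever RMM
# agents an organization has catalogued; not taken from the advisory.
RMM_PROCESS_NAMES = {"rmm_agent.exe", "remotesupport.exe"}

# Hypothetical: sanctioned RMM installs live under Program Files; anything
# else (Downloads, Temp, Desktop) is treated as an unmanaged self-service install.
SANCTIONED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# Hypothetical browser image names used to recognise a download-then-run chain.
BROWSER_PROCESS_NAMES = {"firefox.exe", "chrome.exe", "msedge.exe"}

# key=value tokens; values containing spaces are double-quoted in the log.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    image: str
    parent: str
    severity: str


def parse_event(line: str) -> dict:
    """Parse one constructed key=value process-creation record into a dict."""
    fields = {}
    for key, _whole, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for an RMM agent running from an unmanaged location."""
    image = event.get("image", "")
    parent = event.get("parent", "")
    if basename(image) not in RMM_PROCESS_NAMES:
        return None  # not an RMM agent at all
    if image.lower().startswith(SANCTIONED_PREFIXES):
        return None  # IT-managed install, expected
    # Unmanaged RMM agent: high severity when a browser launched it (the
    # download-and-run pattern in the phishing campaign), medium otherwise.
    severity = "high" if basename(parent) in BROWSER_PROCESS_NAMES else "medium"
    return Finding(event.get("ts", ""), event.get("user", ""), image, parent, severity)


def detect(lines: list) -> list:
    """Run classify() over every log line and collect the findings."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    r'ts=2023-01-25T10:02:11Z user=jdoe image="C:\Users\jdoe\Downloads\rmm_agent.exe" parent="C:\Program Files\Mozilla Firefox\firefox.exe"',
    r'ts=2023-01-25T10:05:40Z user=itadmin image="C:\Program Files\RMM Agent\rmm_agent.exe" parent="C:\Windows\System32\services.exe"',
    r'ts=2023-01-25T10:07:03Z user=asmith image="C:\Users\asmith\AppData\Local\Temp\remotesupport.exe" parent="C:\Windows\explorer.exe"',
    r'ts=2023-01-25T10:08:15Z user=jdoe image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.user}: {f.image} (parent {f.parent})")
```

The sanctioned-directory check is what separates an IT-deployed agent from the self-service download the scammers ask for; on the sample records the Downloads launch from a browser scores high, the Temp launch from Explorer scores medium, and the Program Files install is ignored. In production the same rule maps onto Sysmon event 1 or EDR process-start fields, with the allow-list kept in sync with the organization's RMM inventory.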
“Although this specific activity appears to be financially motivated and targeted at individuals, access could lead to additional malicious activity against the recipient organization – from other cybercriminals and APT actors,” the organizations stated.
“Malicious cyber actors can leverage these same technologies to target National Security Systems (NSS), Department of Defense (DoD), Defense Industrial Base (DIB) networks and use legitimate RMMs on both work and home devices and accounts.”
Via: BleepingComputer