Various security organisations have jointly released an advisory against a security threat. Organisations like The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) jointly notified about it in the Alert (AA23-025A).
Organisation has warned about a cyber fraud that was initially reported in October 2022. This fraud promulgates in the disguise of a Remote Monitoring and Management (RMM) software.
A RMM software is often used in IT companies to monitor and regulate work efficiency. In such softwares an Administrator is given the access to remotely monitor any other device. However, this functionality was meant for corporate functions and to help the employees better utilise their time during work.
This functionality is being taken a misadvantage of by the threat actors. Scammers sent phishing emails related to a legitimate RMM company named ScreenConnect (this has been renamed now to ConnectWise).
Scamasters are using portable executables that don’t necessitate software installation and administrative privileges. Hence, making the threat more deceptive.
Scams like these are not always for Financial purposes only. These can also be used as digital warfare against an adversarial country. The data stolen from such scams can also be sold to bigger and professional cybercriminal entities.
Domain Names used
We, through our platform at Domain Magazine, have been constantly highlighting the importance of Domain Name Awareness. Being aware of Domain Names, doesn’t only upgrade your investments but your security as well.
Many cases of cyber fraud could be avoided right in their inception if while browsing, the domain name of the concerned platform is carefully observed. As in the present case, the fraudsters used seemingly legitimate domain names. However, these domain names only looked legitimate. In reality, these were fishing hooks for the fraud.
The reported domain names used in the scam are win03.xyz, MyHelpCare.online, win01.xyz, MyHelpCare.cc and 247secure.us. All of these domain names were used in different stages of the scam. The domain name 247secure.us was used in the second stage of the scam.
As we pointed out earlier, the campaign begins with a Phishing scam. Users are prompted that they are viewing a legitimate site with domain names like these. In this case it was ScreeConnect.
However, you can clearly see that these domain names do not have any terms containing the claimed brand. In some cases fraudsters even use the claimed brand in fraudulent domain names. It is advisable in such situations and before entering any sensitive details, that the real domain name of the claimed party is used.
Actions to be taken
The advisory also mentions several actions that can be taken to prevent such scams. Preventive steps can be broadly divided into two categories. One deals with protection against Phishing emails while the second aims at prohibiting any abuse of RMM.
Some of the steps that could be taken are:
- The first step is protection from Phishing. This is best explained by a CISA infographic that can be accessed here.
- Examine the current remote access tools installed in the network.
- Check if the RMM used in the network is behaving abnormally. This can be a potential case of portable executables.
- Check if there are RMM in your network which are only loaded in the memory.
- Using application controls to control the softwares in the network including RMM.
- Organise a training session about the Phishing making them aware about the phishing and spear phishing campaigns
You can read about the threat and mitigation measure in detail at the original advisory. Please visit the advisory for more information about the issue. You can access it here.