US Government Agencies Warn of Malicious Use of Remote Management Software


The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are warning organizations of malicious attacks using legitimate remote monitoring and management (RMM) software.

IT service providers use RMM applications to remotely manage their clients’ networks and endpoints, but threat actors are abusing these tools to gain unauthorized access to victim environments and perform nefarious activities.

In malicious campaigns observed in 2022, threat actors sent phishing emails to deploy legitimate RMM software such as ConnectWise Control (previously ScreenConnect) and AnyDesk on victims’ systems, and abuse these for financial gain.

The observed attacks focused on stealing money from bank accounts, but CISA, NSA, and MS-ISAC warn that the attackers could abuse RMM tools as backdoors to victim networks and could sell the obtained persistent access to other cybercriminals or to advanced persistent threat (APT) actors.

Last year, multiple federal civilian executive branch (FCEB) employees were targeted with help desk-themed phishing emails, both via personal and government email addresses.

Links included in these messages directed the victims to a first-stage malicious domain, which automatically triggered the download of an executable designed to connect to a second-stage domain and download RMM software from it, as portable executables that would connect to attacker-controlled servers.

“Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions,” the US government agencies warn.

In some cases, the email’s recipient was prompted to call the attackers, who then attempted to convince them to visit the malicious domain.

In October 2022, Silent Push uncovered similar malicious typosquatting activity, in which the adversaries impersonated brands such as Amazon, Geek Squad, McAfee, Microsoft, Norton, and PayPal to distribute the remote monitoring tool WinDesk.Client.exe.

In the attacks targeting federal agencies, the threat actors used the RMM tools to connect to the recipient’s system, then entice them to log into their bank account.

The attackers used the unauthorized access to modify the victim’s bank account summary to show that a large amount of money had been mistakenly refunded, instructing the individual to send the amount back to the scam operator.

“Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors,” CISA, NSA, and MS-ISAC note.

The agencies underline that any legitimate RMM software could be abused for nefarious purposes, that the use of portable executables allows attackers to bypass existing policies and protections, that antivirus defenses would not be typically triggered by legitimate software, and that RMM tools provide attackers with persistent backdoor access to an environment, without the use of custom malware.

CISA, NSA, and MS-ISAC also warn that the legitimate users of RMM software, such as managed service providers (MSPs) and IT help desks, are often targeted by cybercriminals looking to gain access to a large number of the victim MSP’s customers, which could lead to cyberespionage or to the deployment of ransomware and other types of malware.

To stay protected, organizations are advised to implement phishing protections, audit remote access tools, review logs to identify the abnormal use of RMM software, use security software to detect the in-memory execution of RMM software, implementing proper application control policies, restrict the use of RMM software from within the local network, and train employees on phishing.

Related: CISA Updates Infrastructure Resilience Planning Framework

Related: NSA, CISA Explain How Threat Actors Plan and Execute Attacks on ICS/OT

Related: NSA Publishes Best Practices for Improving Network Defenses

The post US Government Agencies Warn of Malicious Use of Remote Management Software appeared first on SecurityWeek.

UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies


The United Kingdom’s National Cyber Security Centre (NCSC) has published an advisory to warn organizations and individuals about separate spearphishing campaigns conducted by Russian and Iranian cyberespionage groups.

The advisory focuses on activities conducted by the Russia-linked Seaborgium group (aka Callisto, Blue Callisto and Coldriver) and the Iran-linked TA453 (aka Charming Kitten, APT35, Magic Hound, NewsBeef, Newscaster and Phosphorus). 

Russian and Iranian phishing

The NCSC noted that the two groups covered by the advisory have similar tactics, techniques and procedures (TTPs) and they target the same types of entities, but there is no evidence that their campaigns are connected or that the two APTs are collaborating. 

The goal of these attacks has been to collect information from government organizations, academia, defense firms, NGOs, think tanks, politicians, activists and journalists.

The general public has not been targeted, but it’s worth pointing out that the Iranian group has also been observed launching what appeared to be financially motivated ransomware attacks.

Seaborgium and TA453’s attacks start with a reconnaissance phase that involves using open source intelligence to research their targets. This phase can involve creating fake social media accounts, email accounts impersonating well-known individuals in the target’s field of interest, fake websites, and event invitations. The goal is to gain the victim’s trust.

The hackers don’t immediately deliver malicious content to the victim and instead take their time to build trust, which increases their chances of success. After trust is established, they deliver a malicious link that leads the victim to a phishing page.

These phishing pages are designed to harvest credentials that the Russian and Iranian hackers can then use to access the victim’s email accounts, which can store valuable information. 

The attackers have also been observed setting up forwarding rules in compromised email accounts in an effort to monitor the victim’s correspondence. In addition, they have used contact lists for further phishing attacks.

“Although spear-phishing is an established technique used by many actors, Seaborgium and TA453 continue to use it successfully and evolve the technique to maintain their success,” the NCSC said in its advisory. 

In August 2022, Microsoft said it had caused significant disruption to Seaborgium’s operations, cutting off the hackers’ access to accounts used for reconnaissance and phishing. 

Related: Iranian Hackers Impersonate British Scholars in Recent Campaign

Related: Russian Espionage APT Callisto Focuses on Ukraine War Support Organizations

The post UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies appeared first on SecurityWeek.

CISA Provides Resources for Securing K-12 Education System


The US Cybersecurity and Infrastructure Security Agency (CISA) this week published a report detailing the cybersecurity risks the K-12 education system faces, along with recommendations on how to secure it.

Over the past four years, there have been thousands of cyber incidents involving K-12 institutions, where threat actors targeted school computer systems to deploy ransomware, disrupt access, render systems unusable, and steal sensitive information on students and employees, including financial and medical information, and employee Social Security numbers.

The K-12 Cybersecurity Act of 2021 instructed CISA to review the cyber risks to elementary and secondary school, evaluate challenges schools and school districts face in securing information systems, to provide recommendations on improving the protection of these systems, and to develop an online training toolkit for school officials.

Discussions with stakeholder groups relevant to the K-12 education community revealed that the majority of them do not have the time or resources to secure information systems and sensitive student and employee records, or to implement cybersecurity protocols.

“Most reported that the breadth of available cybersecurity information—news coverage, conference panels, webinars, and more—only made matters more complicated. Nearly all reported that they needed simplicity, prioritization, and resources targeted to the unique needs and context of K-12 organizations,” CISA’s report reads (PDF).

According to CISA, “with finite resources, K-12 institutions can take a small number of steps to significantly reduce cybersecurity risk,” such as deploying multi-factor authentication (MFA), patching known vulnerabilities, creating backups, and implementing cyber incident response plans and cybersecurity training programs.

The agency’s incursion into the cybersecurity stance of the K-12 education system has revealed that many school districts struggle with insufficient IT resources and cybersecurity capacity, which can be addressed by using free or low-cost services, by asking technology providers for strong security controls at no additional cost, by migrating IT services to more secure cloud versions, and by taking advantage of the State and Local Cybersecurity Grant Program (SLCGP).

CISA also notes that K-12 entities cannot singlehandedly identify and prioritize emerging threats, risks, and vulnerabilities, recommending that they join relevant collaboration groups, work with other information-sharing organizations, and collaborate with CISA and FBI regional cybersecurity personnel.

The agency recommends that all K-12 institutions start by investing in the most impactful security measures, which will allow them to eventually migrate to a mature cybersecurity plan. They should also prioritize investments in line with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

CISA’s Digital Toolkit contains resources and materials in line with these recommendations, as well as guidance on how stakeholders can implement each recommendation. The toolkit also includes additional resources to help stakeholders build, operate, and maintain a resilient cybersecurity program at their institution.

Related: CISA Updates Infrastructure Resilience Planning Framework

Related: CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching

Related: CISA Urges Organizations to Implement Phishing-Resistant MFA

The post CISA Provides Resources for Securing K-12 Education System appeared first on SecurityWeek.

Majority of GAO’s Cybersecurity Recommendations Not Implemented by Federal Agencies


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December 2022, the US Government Accountability Office (GAO) says in a new report.

Since 1997, the GAO has been regarding information security as a government-wide high-risk area and expanded it twice since: in 2003 to include critical cyber infrastructure and in 2015 to include the protection of personally identifiable information.

During this time, GAO performed assessments of the risks associated with the information technology systems of federal agencies and critical infrastructure (such as communications, energy, financial services, and transportation organizations) and recommended actions to improve their cybersecurity risks.

“Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them,” GAO notes.

GAO has now published the first in a series of four reports that bring into focus cybersecurity areas that need to be urgently addressed, starting with the need for a comprehensive cybersecurity strategy.

The White House and the National Security Council (NSC) issued a National Cyber Strategy and an Implementation Plan in 2018 and 2019, respectively, but GAO reported in 2020 that these do not address all desirable characteristics of national strategies (only three out of six characteristics were included).

While an Office of the National Cyber Director position was established and filled in 2021, a comprehensive national strategy has yet to be fully developed and implemented.

“We recommended that the National Security Council work with relevant federal entities to update cybersecurity strategy documents to include goals, performance measures, and resource information, among other things,” GAO notes.

Another area that the GAO has been looking into is federal agencies’ supply chain risk management practices. In 2020, out of 23 agencies reviewed, none had fully implemented all the seven foundational practices in the area and 14 had implemented none of these practices.

Despite that, agencies heavily rely on information and communications technology (ICT) products and services to conduct operations.

According to GAO, “implementing foundational practices for ICT supply chain risk management is essential to agencies addressing the risks of malicious actors disrupting mission operations, stealing intellectual property, or harming individuals.”

GAO’s new report also underlines the need for the Office of the National Cyber Director to address continuing cybersecurity workforce challenges, for federal agencies to improve the security of internet-connected devices – including Internet of Things (IoT) and operational technology (OT) devices – and for the federal government to address the risks associated with quantum computing and artificial intelligence (AI) technologies.

Related: US Offshore Oil and Gas Infrastructure at Significant Risk of Cyberattacks

Related: Over 12,000 Cyber Incidents at DoD Since 2015, But Incident Management Still Lacking

Related: U.S. Department of State Approves New Cyberspace Security Bureau

The post Majority of GAO’s Cybersecurity Recommendations Not Implemented by Federal Agencies appeared first on SecurityWeek.

Mississippi Creates New Cyber Unit, Names 1st Director


A new unit to handle cybersecurity in Mississippi is in place and has its first director.

The Mississippi Department of Public Safety on Friday said the Mississippi Cyber Unit, a component of the Mississippi Office of Homeland Security, will be the state’s centralized cybersecurity threat information, mitigation and incident reporting and response center.

The department named Bobby Freeman as its first cybersecurity director.

“The ability to provide a trustworthy and stable cyber environment is vital to the success of Mississippi,” the department said in a news release.

The unit will focus on monitoring and identifying threats to Mississippi networks, sharing real-time threat intelligence and providing support to cyber incidents within the state.

“Cyber threats are rapidly increasing across the globe,” Gov. Tate Reeves said. “Mississippi takes these threats seriously and recognizes that there’s never been a more important time to ensure that our state and her people are protected.”

Before joining homeland security, Freeman served full time as the cyber operations officer for the Mississippi Army National Guard. He has more than 20 years of military experience in information technology and security.

“Director Freeman has a bevy of experience and is well-positioned to build the newly created Mississippi Cyber Unit,” said Baxter Kruger, executive director of Homeland Security. “Addressing threats to Mississippi’s critical infrastructure and her citizens is my office’s primary focus, and I am confident that under Bobby’s leadership, Mississippians will be better protected from cyber threats than ever before.”

Related: New York Department of Financial Services Launches Cybersecurity Unit

Related: EU Announces New Joint Cyber Unit to Protect Against Critical Attacks

The post Mississippi Creates New Cyber Unit, Names 1st Director appeared first on SecurityWeek.