Threat Advisory: CISA Warns of Malicious Use of Legitimate RMM Tools

Brent Murphy
Aaron Goldstein
January 26, 2023

Cybersecurity & Infrastructure Security Agency (CISA), the National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) recently released a joint advisory warning organizations that threat actors are using legitimate remote monitoring and management (RMM) tools such as Screenconnect and AnyDesk to control victim machines after initial compromise.

These new tactics, techniques, and procedures (TTPs) are alarming for MSPs for a variety of reasons, notably because the use of legitimate RMM software generally does not trigger antivirus or antimalware defenses. To best protect themselves, MSPs need to utilize defenses beyond traditional automated security tools.

In this post, Todyl’s Adversary Threat Intelligence (ATI) team breaks down what the advisory says, what MSPs need to know, and how Todyl is helping protect MSPs and their clients.

What does the advisory say?

According to the advisory, this malicious activity began as early as mid-June 2022 with financially motivated phishing campaigns targeted at Federal Civilian Executive Branch (FCEB) staff. These campaigns sent emails impersonating help desk employees to staff’s personal and government email addresses.

The emails contained a link to a malicious domain or prompted the targets to call the threat actors, who then try and convince the recipients to visit the malicious domain.

The latter technique is known as a callback phishing attack. These attacks don’t include a link to a threat actor’s website, but instead use lures to convince a target to call a criminal-controlled phone number. When the target calls, the attacker attempts to convince them to visit a website and download the RMM software, in this case AnyDesk and ScreenConnect. Callback phishing attacks continue to gain popularity with malicious actors and have grown 625% since Q1 of 2021.

After getting a foothold on their targets' devices, the threat actors used their access to try to trick victims into logging into their bank accounts so that they could initiate refund scams. The advisory warns that although this specific activity appears to target individuals and is financially motivated, the access could lead to additional malicious activity against the recipient's organization—from both other cybercriminals and APT (advanced persistent threat) actors.

What do MSPs need to know?

The advisory highlights threat actors targeting government agencies, but these same TTPs can be used against MSPs and their clients. Malicious cyber actors have leveraged legitimate RMM and remote desktop software as backdoors for persistence and command-and-control capabilities.

Because threat actors can download legitimate RMM software as self-contained, portable executables, they can bypass both administrative privilege requirements and software management control policies. RMM software allows cyber threat actors to avoid using custom malware, meaning these attacks are harder to detect and often easier and faster to execute. Although the cybercriminal actors in this campaign used ScreenConnect and AnyDesk, threat actors can maliciously leverage any legitimate RMM software.

These threat actors exploit trusted relationships in MSP networks, gaining access to a large number of the victim MSP's clients. MSP compromises can introduce significant risk—such as and cyber espionage to the MSP’s clients.

How is Todyl protecting partners?

Todyl's Managed eXtended Detection and Response (MXDR) is threat hunting across partner environments while the ATI teams monitors threat activity and shares intelligence with Detection Engineering. Todyl's SIEM module has rules for the below indicators of compromise (IOCs) used in these attacks, including:

  • win03[.]xyz
  • myhelpcare[.]online
  • win01[.]xyz
  • myhelpcare[.]cc
  • 247secure[.]us

Beyond these rules, Todyl's SIEM includes detections leveraging machine learning to identify anomalous activity and behavior from commonly used remote access tools, including TeamViewer, AnyDesk, LogMeIn, GoToAssist, ScreenConnect, and others.

Todyl continues to see similar activity in threat actor’s TTPs, so MSPs need to be proactive to protect their clients. Our MXDR team leverages global threat insights, intelligence sources, and sophisticated technology to conduct regular threat hunts. Threat hunting is crucial to detect threat actors that managed to bypass automated security tools and gain persistent access to a network.

Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.

Additional reading

Threat breakdown: Remote access and credential dumping
5 key elements of effective MDR providers: Beyond just detection and response
Streamlining zero trust security with JumpCloud and Todyl

Todyl updates

Sign-up to get the latest from Todyl sent straight to your inbox.