Threat Watch

U.S. Federal Agencies Fall Victim to Cyber Attack Utilizing Legitimate RMM Software

At least two federal agencies in the U.S. fell victim to a “widespread cyber campaign” that involved the use of legitimate remote monitoring and management (RMM) software to perpetuate a phishing scam. “Specifically, cyber-criminal actors sent phishing emails that led to the download of legitimate RMM software – ScreenConnect (now ConnectWise Control) and AnyDesk – which the actors used in a refund scam to steal money from victim bank accounts,” U.S. cybersecurity authorities said. A joint advisory has been issued from the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC). Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cyber-criminal or advanced persistent threat (APT) actors.

This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2). Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions.

The authoring organizations encourage network defenders to:
• Implement best practices to block phishing emails.
• Audit remote access tools on your network to identify currently used and/or authorized RMM software.
• Review logs for execution of RMM software to detect abnormal use of programs running as a portable executable.
• Use security software to detect instances of RMM software only being loaded in memory.
• Implement application controls to manage and control execution of software, including allow listing RMM programs.
• Require authorized RMM solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs).
• Block both inbound and outbound connections on common RMM ports and protocols at the network perimeter.
• Implement a user training program and phishing exercises to raise awareness among users. Reinforce the appropriate user response to phishing and spear phishing emails.
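A defender-side check that ties together the “audit remote access tools”, “review logs for execution of RMM software … running as a portable executable” and “allow listing RMM programs” items above. This is an added example, not code from the advisory or from this Threat Watch entry. It runs over constructed process-creation log lines (a simplified Sysmon-style key=value export is assumed), matches the RMM product names the advisory lists, and flags executions from user-writable folders, where a phishing-delivered portable executable would land, or of tools outside an assumed organizational allow list. Field names, file paths, user names and the allow-list policy are all assumptions for illustration.

```python
"""Flag RMM tool executions that look like portable (non-installed) use.

Added example, not part of the CISA/NSA/MS-ISAC advisory. The log lines
below are constructed to resemble a simplified Sysmon Event ID 1 export;
field names, paths, users and the allow-list policy are assumptions.
"""
from pathlib import PureWindowsPath

# Name fragments of the RMM tools the advisory names (case-insensitive).
RMM_MARKERS = ("screenconnect", "connectwise", "anydesk")

# Assumed org policy from an RMM audit: only ScreenConnect/ConnectWise is
# authorized, and only when it runs from a standard install root.
AUTHORIZED_RMM = {"screenconnect", "connectwise"}
INSTALL_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Folders a standard user can write to without admin rights: the natural
# landing spot for a portable executable downloaded from a phishing link.
USER_WRITABLE_MARKERS = {"downloads", "appdata", "temp", "desktop", "public"}

# Constructed sample log (assumed format: " | "-separated key=value fields).
SAMPLE_LOG = [
    r"UtcTime=2023-01-25 13:58:02 | Image=C:\Program Files\ScreenConnect Client (a1b2c3)\ScreenConnect.WindowsClient.exe | User=CORP\helpdesk | ParentImage=C:\Windows\System32\services.exe",
    r"UtcTime=2023-01-25 14:02:11 | Image=C:\Users\jdoe\Downloads\AnyDesk.exe | User=CORP\jdoe | ParentImage=C:\Program Files\Mozilla Firefox\firefox.exe",
    r"UtcTime=2023-01-25 14:05:40 | Image=C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.exe | User=CORP\jdoe | ParentImage=C:\Windows\explorer.exe",
    r"UtcTime=2023-01-25 14:06:03 | Image=C:\Windows\System32\notepad.exe | User=CORP\jdoe | ParentImage=C:\Windows\explorer.exe",
    r"UtcTime=2023-01-25 14:09:17 | Image=D:\tools\AnyDesk.exe | User=CORP\asmith | ParentImage=C:\Windows\explorer.exe",
]


def parse_event(line):
    """Split one log line into a dict of field name -> value."""
    event = {}
    for field in line.split(" | "):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def rmm_marker(image):
    """Return the matching RMM name fragment for an image path, or None."""
    name = PureWindowsPath(image).name.lower()
    return next((m for m in RMM_MARKERS if m in name), None)


def is_under(path, root):
    """Case-insensitive prefix test on Windows path components."""
    parts = [p.lower() for p in path.parts]
    root_parts = [p.lower() for p in root.parts]
    return parts[: len(root_parts)] == root_parts


def in_user_writable_dir(path):
    """True if any directory component is a typical user-writable folder."""
    return any(p.lower() in USER_WRITABLE_MARKERS for p in path.parts[:-1])


def classify(event):
    """Return a finding dict for suspicious RMM execution, else None."""
    image = event.get("Image", "")
    marker = rmm_marker(image)
    if marker is None:
        return None  # not an RMM tool we track
    path = PureWindowsPath(image)
    reasons = []
    if marker not in AUTHORIZED_RMM:
        reasons.append(f"unauthorized RMM tool ({marker})")
    if in_user_writable_dir(path):
        reasons.append("run from user-writable folder (likely portable executable)")
    elif not any(is_under(path, root) for root in INSTALL_ROOTS):
        reasons.append("not under a standard install root")
    if not reasons:
        return None  # authorized tool, normally installed: expected use
    return {
        "time": event.get("UtcTime"),
        "user": event.get("User"),
        "image": image,
        "reasons": reasons,
    }


def flag_rmm_events(lines):
    """Run classify() over raw log lines and collect the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = classify(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in flag_rmm_events(SAMPLE_LOG):
        print(f"{f['time']}  {f['user']:<14} {f['image']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run as a script it prints three findings from the constructed log: the AnyDesk binary launched from a browser download, a ScreenConnect client started from the user's Temp folder, and a second AnyDesk copy on a data drive. The installed ScreenConnect agent under Program Files produces nothing, which is the point of pairing the log review with an audit-derived allow list: the same product is expected in one location and suspicious in another. In production the input would be an EDR or Sysmon export and the allow list the output of the RMM audit the advisory recommends; the user-writable heuristic is a direct encoding of the advisory's observation that portable RMM executables run without installation or administrative privilege.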