
Post: New Phishing Campaign Abuses ConnectWise ScreenConnect to Take Over De - Against Invaders - CyberSecurity news for humans.


<div> <div> <div> <div data-edit-folder-name="text" data-index="0" data-layout-id="2" id="layout-618c0278-b88c-4f8c-a172-09dcfa285fda">
<p>A novel phishing campaign attempts to trick victims into downloading ConnectWise ScreenConnect remote monitoring and management (RMM) software, enabling attackers to take complete control over end-user devices.</p>
<p>A report by Abnormal AI found that the legitimate RMM tool is abused by the threat actors to achieve remote system control and facilitate follow-on attacks, including account takeovers and lateral phishing.</p>
<p>The researchers said the ongoing campaign represents a significant evolution in phishing tactics, which traditionally rely on victims giving up personal information such as <a href="https://www.infosecurity-magazine.com/news/precision-validated-phishing/" target="_blank">credentials</a> and financial details.</p>
<p>&ldquo;The weaponization of a legitimate IT administration tool &ndash; one designed to grant IT professionals deep system access for troubleshooting and maintenance &ndash; combined with social engineering and convincing business impersonation creates a multi-layered deception that provides attackers with the dual advantage of trust exploitation and security evasion,&rdquo; they wrote.</p>
<p>The campaign has so far targeted more than 900 organizations, impacting a broad range of sectors and geographies.</p>
<p>The use of ScreenConnect to support the campaign also demonstrates a more mature criminal ecosystem where dark web vendors operate like legitimate software providers, the researchers added.</p>
<p>&ldquo;Cybercriminals can acquire ScreenConnect in numerous forms across forums, encrypted messaging apps and anonymous web pages,&rdquo; they noted.</p>
<p>As well as focusing on deployment, some of these offerings are focused on resale. For example, vendors have been observed offering domain-admin level ScreenConnect access to networks in Germany, the UK and China, typically including control over 90&ndash;345 hosts.</p>
<p><a href="https://www.infosecurity-magazine.com/news/connectwise-confirms-hack/" target="_blank"><em>Read now: ConnectWise Confirms Hack, &ldquo;Very Small Number&rdquo; of Customers Affected</em></a></p>
<h2><strong>A Multi-Stage Attack Chain</strong></h2>
<p>The <a href="https://intelligence.abnormal.ai/resources/screenconnect-attack-videoconferencing-impersonation-ai" target="_blank">Abnormal AI report</a>, published on August 26, observed that the multi-stage attack begins with a phishing email, which is designed to appear as routine business communication or friendly correspondence.</p>
<p>One commonly used lure is fake Zoom meeting invitations, using timely subject lines such as &ldquo;Meeting Invite &ndash; 2024 Tax Organizer SID:80526353241,&rdquo; tying in tax season relevance to make the message feel genuine.</p>
<p>The emails feature familiar branding and originate from compromised legitimate accounts to increase their credibility and avoid detection.</p>
<p>&ldquo;In this particular instance, the attackers appear to have found a real Zoom notification email and modified only the call-to-action (CTA) to further enhance the illusion of authenticity,&rdquo; the researchers noted.</p>
<p>In one case, the attackers hijacked an ongoing thread that already contained a genuine Zoom meeting invitation to insert a malicious link.</p>
<p>Other phishing lures involve invites to fake MS Teams calls.</p>
<p>Once a link is clicked, the target is redirected to a malicious site where the second stage of the attack is initiated.</p>
<p>This site prompts the user to download what appears to be an updated version of the relevant video conferencing platform. Instead, the file is the ScreenConnect RMM software.</p>
<p>Recipients whose organization already has ScreenConnect installed for legitimate purposes are immediately connected to a live ScreenConnect session controlled by the attackers. For targets without existing ScreenConnect installations, clicking these links triggers an automatic download prompt for the ScreenConnect client software.</p>
<p>&ldquo;This technique exploits the fact that many organizations already have ScreenConnect installed for legitimate remote support purposes, allowing threat actors to bypass the installation process entirely,&rdquo; the researchers said.</p>
<h2><strong>Stealthy Post-Compromise Activity</strong></h2>
<p>Once the client is downloaded, the threat actors are able to weaponize ScreenConnect&rsquo;s intended functionality to achieve comprehensive system access equivalent to that of an IT administrator.</p>
<p>This allows for a wide range of post-compromise activities, including bypassing security controls, navigating file systems, achieving persistent access and exfiltrating sensitive data.</p>
<p>The attackers have also been observed pivoting to lateral phishing campaigns that leverage the compromised environment to compromise additional targets within the organization.</p>
<p>&ldquo;They analyze communication patterns, identify high-value targets and craft phishing messages that appear to originate from trusted internal sources,&rdquo; Abnormal AI wrote.</p>
<p>Many of these phishing emails ultimately aim for additional ScreenConnect deployments across the organization.</p>
<p>By sending phishing emails directly from the target&rsquo;s account, they can bypass security controls that might flag external phishing attempts.</p>
<h2><strong>How to Defend Against ScreenConnect Abuse</strong></h2>
<p>The Abnormal AI researchers urged organizations to take action to address growing <a href="https://www.infosecurity-magazine.com/news/ransomware-simplehelp-compromise/" target="_blank">abuse of legitimate RMM</a> tools by threat actors.</p>
<p>This includes establishing comprehensive monitoring of these tools on the network, focusing on unauthorized installations and suspicious usage patterns.</p>
<p>Additionally, they advised organizations to update training programs to make staff aware of legitimate software abuse, including during phishing attacks.</p>
<p>&ldquo;This campaign serves as a critical reminder that modern threats increasingly weaponize trusted systems rather than circumvent them. As a result, defenders must fundamentally reconsider their approach to threat detection and response,&rdquo; the researchers noted.</p>
<p>Abnormal AI told <em>Infosecurity</em> it has not had any communication with ConnectWise regarding the research.</p>
<p><em>Infosecurity</em> has contacted ConnectWise for comment on the findings but has not received a response at the time of writing.</p>
</div> </div> </div></div>
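One way to act on the monitoring advice above is to inventory running processes and flag ScreenConnect clients that either run on a host not approved for the tool or point at a relay server the organization does not operate, which covers both the "already installed" and the "fresh download" cases the article describes. This is an added example, not code from Abnormal AI, ConnectWise or the article; the client process name, the launch-URL `h` relay parameter, the allowlists and the inventory records are assumptions and constructed sample data.

```python
import re
from urllib.parse import parse_qs

# Assumed: relay host(s) of the organization's own ScreenConnect server.
APPROVED_RELAYS = {"support.example-corp.internal"}
# Assumed: hosts where the ScreenConnect client is expected for legitimate support.
EXPECTED_HOSTS = {"WS-FIN-01", "WS-HR-02"}
# Assumed client service process name; compared case-insensitively.
CLIENT_PROCESS = "screenconnect.clientservice.exe"


def relay_host(cmdline):
    """Extract the relay host from the client's quoted launch URL ("?e=...&h=HOST&...").
    Assumed command-line format; returns None when no such parameter is present."""
    m = re.search(r'"\?([^"]*)"', cmdline)
    if not m:
        return None
    return parse_qs(m.group(1)).get("h", [None])[0]


def find_suspicious(records):
    """Return findings for ScreenConnect client processes that violate either allowlist.
    Each record is a dict with 'host', 'process' and 'cmdline' keys."""
    findings = []
    for rec in records:
        if rec["process"].lower() != CLIENT_PROCESS:
            continue  # not a ScreenConnect client; ignore
        relay = relay_host(rec["cmdline"])
        reasons = []
        if rec["host"] not in EXPECTED_HOSTS:
            reasons.append("client running on a host not approved for ScreenConnect")
        if relay not in APPROVED_RELAYS:
            reasons.append("client points at a relay the organization does not operate")
        if reasons:
            findings.append({"host": rec["host"], "relay": relay, "reasons": reasons})
    return findings


# Constructed sample inventory (not real telemetry): one legitimate session, one foreign
# session on an approved host, one client on a host that should not have it, one unrelated process.
SAMPLE_RECORDS = [
    {"host": "WS-FIN-01", "process": "ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.example-corp.internal&p=443&k=KEY"'},
    {"host": "WS-FIN-01", "process": "ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (def456)\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=relay.attacker-example.net&p=443&k=KEY"'},
    {"host": "WS-MKT-07", "process": "ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Users\u\Downloads\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=relay.attacker-example.net&p=443&k=KEY"'},
    {"host": "WS-HR-02", "process": "chrome.exe", "cmdline": r'"C:\Program Files\Google\Chrome\chrome.exe"'},
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_RECORDS):
        print(f["host"], f["relay"], "; ".join(f["reasons"]))
```

In practice the records would come from an EDR or asset-inventory export, and the relay allowlist should be maintained alongside the organization's approved ScreenConnect server configuration.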