
Remote-help hacks call for remote controls (especially from MSPs)

Because RMM software is a legitimate IT tool, attackers who use it can blend in with normal support activity.

Francis Scialabba


Careful: The “Geek Squad” may just be a bunch of bullies.

A January advisory from CISA noted that federal employees have been targeted with bogus emails from the help desk. Along with the crafty phishing email, this new take on tech support scams entices users to download a legitimate and favorite IT support tool: remote monitoring and management (RMM).

With attackers intent on finding ways to remote-in, companies that use RMM software, like many managed service providers (MSPs), are high-value targets, and IT pros must be especially cautious about ways to restrict and monitor the products’ use.

“The guys who are answering the email are the same people that are logging in and supporting customers, so if I get your credentials…now I can pivot into the entire customer base,” said Brian Haugli, CEO at the cybersecurity services company SideChannel.

CISA says. In October 2022, CISA identified a “widespread cyber campaign involving the malicious use of legitimate RMM software,” which began with a phishing email that said: Your subscription with GEEK SQUAD will Renew Today and $399.99 is about to be Debited from your account by Today.

Since at least June 2022, cyber-criminal actors have sent help-desk-themed phishing emails to federal staff’s personal and government email addresses, according to the advisory. In a successful execution of the attack, a target end-user would call a number in the email, where the threat actor would convince the victim to download RMM software.

Remote control. When an attacker gains remote access, options abound. Helpful for the help desk, the RMM platform is just as friendly for hackers, allowing reconnaissance across the managed devices.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

With access to the system, an attacker can download keyloggers or malware. One tactic revealed in the advisory even involved changing a browser’s bank account page to convince a target to send back “refunds” for the false, doctored overpayment.

“This all occurs within the actual phone call,” said Crane Hassold, director of threat intelligence at the email-security company Abnormal Security. A remote management tool like AnyDesk or ConnectWise (formerly ScreenConnect) is a particularly enticing prize, especially if attackers can get hold of one used by MSPs, who get paid to solve problems for their remote clients.

The advisory noted that targets can include MSPs and IT help desks, who regularly use legitimate RMM software for technical and security end-user support.

RMM for improvement. There are ways to watch for and restrict rogue RMM usage. Endpoint detection and response (EDR) tools can enforce the use of company-sanctioned RMM tools and block the rest. RMM tools can be integrated into a team’s security information and event management (SIEM) platform to detect anomalies like logins from unexpected locations. Multi-factor authentication can add layers of protection against any Geek-y imposters.
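As an added illustration of the allowlist-plus-anomaly approach described above (not code from the article, the CISA advisory, or any EDR/SIEM vendor), the following Python detector reads constructed endpoint log lines and flags RMM executables outside a sanctioned allowlist, as well as sanctioned-RMM sessions arriving from countries outside an approved set. The log format, the policy sets and the executable-to-product map are assumptions for illustration.

```python
import re

# Assumed policy: one sanctioned RMM product; support staff work from two countries.
SANCTIONED_RMM = {"ConnectWise"}
APPROVED_COUNTRIES = {"US", "CA"}

# Executable name -> RMM product (assumed; a real EDR rule would also check signer/hash).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ConnectWise",
    "teamviewer.exe": "TeamViewer",
}

# Assumed flat key=value log format: "<ts> host=<h> event=<e> k=v k=v ..."
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")


def detect_rogue_rmm(lines):
    """Return (ts, host, reason) for each unsanctioned RMM start or out-of-region session."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line this detector understands
        f = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        if m["event"] == "process_start":
            # Allowlist check: any known RMM binary that is not the sanctioned product is suspect.
            exe = f.get("image", "").rsplit("\\", 1)[-1].lower()
            product = RMM_BINARIES.get(exe)
            if product and product not in SANCTIONED_RMM:
                alerts.append((m["ts"], m["host"], f"unsanctioned RMM launched: {product}"))
        elif m["event"] == "rmm_session":
            # Geo check: sanctioned tool, but the session originates outside approved countries.
            product, country = f.get("product"), f.get("src_country")
            if product not in SANCTIONED_RMM:
                alerts.append((m["ts"], m["host"], f"session via unsanctioned RMM: {product}"))
            elif country not in APPROVED_COUNTRIES:
                alerts.append((m["ts"], m["host"], f"{product} session from {country}"))
    return alerts


# Constructed sample telemetry: a user downloads AnyDesk after a bogus "help desk" call,
# then one normal and one out-of-region session over the sanctioned ConnectWise tool.
SAMPLE_LOGS = [
    "2023-01-25T14:02:11Z host=WS-0412 event=process_start image=C:\\Users\\alice\\Downloads\\AnyDesk.exe user=alice",
    "2023-01-25T15:10:02Z host=WS-0219 event=rmm_session product=ConnectWise src_country=US user=helpdesk1",
    "2023-01-25T23:47:55Z host=WS-0219 event=rmm_session product=ConnectWise src_country=NG user=helpdesk1",
]
```

Running `detect_rogue_rmm(SAMPLE_LOGS)` yields two alerts: the AnyDesk launch on WS-0412 and the ConnectWise session from NG; the US session passes silently.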

Such practices are important for companies to have and outsourced security providers to demonstrate, said Haugli.

“Managed service providers and IT providers should be going out of their way to prove that they can be trusted, and should be the ones providing these services,” Haugli told IT Brew.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected].
