CISA, the NSA, and the MS-ISAC have released a joint Cybersecurity Advisory (CSA) on the malicious use of legitimate Remote Monitoring and Management (RMM) software, including ScreenConnect and AnyDesk. In these widespread campaigns, the attack starts with a phishing email that prompts the user to download a legitimate copy of the remote-connection software. From there, attackers connect to the victim’s computer and attempt a refund scam that compromises the victim’s bank accounts.
Mitigation Steps recommended by Sedara:
- Sedara encourages network defenders to review the Indicators of Compromise (IOCs) listed in the advisory linked below and to add them to web filtering software if they are not already blocked.
- Organizations should continue to train users on the risks of phishing emails, how to detect them, and how to respond.
- Audit remote access tools on the network to identify unauthorized RMM software.
- Limit installation of RMM software with application controls; users should require approval before installing new software.
- Where RMM software does not have a business use, consider blocking inbound and/or outbound connections on common RMM ports and protocols at the host or network perimeter.
  - ScreenConnect’s default TCP ports are 8040 and 8041 (outbound from the client).
  - AnyDesk’s default TCP ports include port 6568. However, since AnyDesk can also communicate over the HTTP/HTTPS ports, it may be more effective to use web filtering to block the net.anydesk.com domain.
- Attackers can use any RMM software to execute this attack, so the best prevention is multifaceted and includes educating users on phishing threats.
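The audit and port/domain steps above can be turned into a simple endpoint check. The following is an added example (not Sedara's or CISA's code) that flags RMM activity in a set of connection records and marks it unauthorized unless the host/product pair is on an approved list. The port numbers and the net.anydesk.com domain come from the mitigation steps; the process-name fragments, the `Connection` record layout, the approved-host list and the sample records are assumptions constructed for the example.

```python
"""Audit endpoint network connections for ScreenConnect/AnyDesk use.

Added example; not code from the advisory or from Sedara. Ports and the
AnyDesk domain come from the mitigation steps; everything else (process
name fragments, record layout, sample data, allowlist) is assumed.
"""
from dataclasses import dataclass

SCREENCONNECT_PORTS = {8040, 8041}   # from the mitigation steps
ANYDESK_PORTS = {6568}               # from the mitigation steps
ANYDESK_DOMAIN = "net.anydesk.com"   # from the mitigation steps

# Substrings assumed to appear in the client process names (assumption).
PROCESS_FRAGMENTS = {"screenconnect": "ScreenConnect", "anydesk": "AnyDesk"}


@dataclass(frozen=True)
class Connection:
    host: str      # endpoint that owns the socket
    process: str   # image name of the owning process
    remote: str    # remote hostname or IP address
    port: int      # remote TCP port


def indicators(conn):
    """Return {product: [reasons]} for every RMM indicator a record matches."""
    found = {}
    proc = conn.process.lower()
    remote = conn.remote.lower()
    for fragment, product in PROCESS_FRAGMENTS.items():
        if fragment in proc:
            found.setdefault(product, []).append(f"process name '{conn.process}'")
    if conn.port in SCREENCONNECT_PORTS:
        found.setdefault("ScreenConnect", []).append(f"remote port {conn.port}")
    if conn.port in ANYDESK_PORTS:
        found.setdefault("AnyDesk", []).append(f"remote port {conn.port}")
    # Domain match catches AnyDesk even when it tunnels over 80/443.
    if remote == ANYDESK_DOMAIN or remote.endswith("." + ANYDESK_DOMAIN):
        found.setdefault("AnyDesk", []).append(f"remote host {conn.remote}")
    return found


def audit(connections, approved):
    """List every RMM finding; `approved` holds sanctioned (host, product) pairs."""
    findings = []
    for conn in connections:
        for product, reasons in indicators(conn).items():
            findings.append({
                "host": conn.host,
                "product": product,
                "reasons": reasons,
                "authorized": (conn.host, product) in approved,
            })
    return findings


# Constructed sample records (not real telemetry).
SAMPLE = [
    Connection("FIN-PC01", "AnyDesk.exe", "net.anydesk.com", 443),
    Connection("HR-PC07", "ScreenConnect.ClientService.exe", "203.0.113.10", 8041),
    Connection("IT-ADMIN01", "ScreenConnect.ClientService.exe", "203.0.113.10", 8040),
    Connection("FIN-PC02", "chrome.exe", "www.example.com", 443),
    Connection("FIN-PC03", "svchost.exe", "198.51.100.5", 6568),
]
APPROVED = {("IT-ADMIN01", "ScreenConnect")}  # assumed IT allowlist


def unauthorized(connections=SAMPLE, approved=APPROVED):
    """Only the findings that need follow-up."""
    return [f for f in audit(connections, approved) if not f["authorized"]]


if __name__ == "__main__":
    for f in audit(SAMPLE, APPROVED):
        status = "approved" if f["authorized"] else "UNAUTHORIZED"
        print(f"{f['host']}: {f['product']} ({status}) - {'; '.join(f['reasons'])}")
```

The FIN-PC01 record shows why the domain filter matters: the connection uses port 443, so a port-based rule alone would miss it, while the net.anydesk.com match still flags it. The FIN-PC03 record is only caught by the port, which is the reason for layering both checks.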
What is Sedara doing to mitigate this threat for SIEM / SOC customers?
- Sedara’s SOC is providing ongoing monitoring for security events that match this threat across EDR and SIEM solutions.
More reading on this threat:
Alert (AA23-025A): Protecting Against Malicious Use of Remote Monitoring and Management Software
Want Help With a Security Incident?
Sedara can help your organization assess and address vulnerabilities and provide insight that prevents future incidents.
Get Future Compromise Alerts – Join Sedara Declassified
Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do. And of course, if we can help you with anything directly, feel free to reach out.