CyberWire Daily

CISA Alert AA23-025A – Protecting against malicious use of remote monitoring and management software. [CISA Cybersecurity Alerts]


N2K Networks, Inc.

Technology, Daily News, News, Tech News

4.8 (1.1K Ratings)

🗓️ 26 January 2023

⏱️ 3 minutes


Summary

CISA, NSA, and the MS-ISAC are releasing this alert to warn network defenders about malicious use of legitimate remote monitoring and management software.

AA23-025A Alert, Technical Details, and Mitigations

For a downloadable copy of IOCs, see AA23-025.stix

Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Transcript


0:00.0

You're listening to the CyberWire Network, powered by N2K.

0:07.0

This is a CISA Cybersecurity Alert.

0:14.0

ID number Alpha Alpha 23 TAC 025 Alpha.

0:20.0

Original release

0:23.7

date, January 25th, 2023.

0:32.2

CISA, NSA, and the MS-ISAC are releasing this alert to warn network defenders about malicious use of

0:33.2

legitimate remote monitoring and management software. In October

0:37.3

2022, CISA identified a widespread cyber campaign involving the malicious use of

0:42.2

legitimate RMM software.

0:42.8

Specifically, cyber criminal actors sent phishing

0:46.2

emails that led to the download of legitimate RMM software,

0:49.4

ScreenConnect, now named ConnectWise Control, and AnyDesk, which the actors used in a refund scam to steal money from victim bank accounts.

0:57.0

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity.

1:04.6

For example, the actors could sell victim account access to other cyber criminal or APT actors.

1:10.3

This campaign highlights the threat of malicious cyber activity associated with legitimate

1:13.8

RMM software. After gaining access to the target network via phishing or other techniques,

1:18.8

malicious cyber actors are known to use legitimate RMM software as a backdoor for persistence and command and control.

1:26.2

Using portable executables of RMM software provides a way for actors to establish local

1:30.5

user access without the need for administrative privilege and full software

1:33.8

installation, effectively bypassing common software controls and risk management

1:37.9

assumptions.

1:39.5

The alert documentation linked in the show notes includes indicators of compromise,

...
