ScreenConnect admins targeted by spear phishing attacks

A phishing campaign is currently underway to steal access data to ScreenConnect. The attackers want to plant ransomware.


(Image: Titima Ongkantong/Shutterstock.com)


A spear phishing campaign is targeting admins of the cloud-based remote maintenance software ScreenConnect, IT security researchers have found. The attackers seek initial access to networks in order to deploy ransomware.

In an analysis of the spear phishing campaign, Mimecast explains that the campaign has been active in several runs since 2022. In each run the attackers have sent comparatively few emails, up to 1000, which keeps them largely under the radar. The operators use Amazon Simple Email Service (SES) accounts to send the emails and target senior IT staff, such as directors, managers or IT security staff with elevated access rights in ScreenConnect environments. They are particularly after super admin access, which grants extensive control over an entire organization's remote access infrastructure.

The phishing emails focus on log-ins from new IP addresses in ScreenConnect, which the admins should check.

(Image: Mimecast)

The attackers use logos and visuals from ScreenConnect and its manufacturer ConnectWise. The phishing emails mention, for example, an alert about access from new IP addresses. The "Review Security" button in the email then leads to the phishing pages, which also copy the original look. The URLs appear correct at first glance, too: among other things, they use domains under country-code top-level domains that ConnectWise could plausibly own, such as connectwise[.]com.ar or connectwise[.]com.be.
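The lookalike-domain trick described above is easy to catch in mail-gateway or SIEM tooling once you know the legitimate hosts. The following is an added example, not code from the article or from Mimecast: it refangs defanged URLs, compares each host against an assumed allow-list (the `LEGIT_HOSTS` set and the sample email body are constructed for illustration, not the article's IOCs), and flags hosts that carry the brand name without being a legitimate domain, which is exactly the `connectwise.com.ar` pattern.

```python
"""Flag URLs whose host impersonates a ScreenConnect / ConnectWise domain.

Added example (not from the heise article or Mimecast's analysis). The
allow-list and sample email text below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumed legitimate hosts (constructed allow-list; adjust for your tenant).
LEGIT_HOSTS = {"connectwise.com", "screenconnect.com"}
# Brand strings whose presence in a non-legitimate host is suspicious.
BRANDS = ("connectwise", "screenconnect")

URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"']+")


def refang(url: str) -> str:
    """Undo the common [.] / hxxp defanging used in threat reports."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    host = urlsplit(refang(url)).hostname or ""
    return host.lower().rstrip(".")


def is_legit(host: str) -> bool:
    # Exact match or a subdomain of an allow-listed host.
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def classify(url: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for a single URL."""
    host = host_of(url)
    if not host:
        return "other"
    if is_legit(host):
        return "legit"
    # Brand name inside any label of a non-allow-listed host
    # (connectwise.com.ar, login-connectwise.example) -> lookalike.
    if any(b in label for label in host.split(".") for b in BRANDS):
        return "lookalike"
    return "other"


def scan_text(text: str) -> list:
    """Extract every URL from an email body and classify it."""
    return [(u, classify(u)) for u in URL_RE.findall(text)]


# Constructed sample email body; the domains mirror the article's pattern.
SAMPLE_EMAIL = """Subject: New sign-in from an unrecognised IP address
Please review this activity: hxxps://connectwise[.]com.ar/review-security
Documentation: https://docs.connectwise.com/
Unrelated link: https://example.org/page
"""

if __name__ == "__main__":
    for url, verdict in scan_text(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

In production the allow-list would come from your own tenant configuration, and a `lookalike` verdict is a reason to quarantine the message and alert, not to block silently, since the same heuristic will also fire on legitimate third-party pages that mention the brand in a hostname.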


For the phishing pages, the attackers rely on the open source framework Evilginx. It sits in an adversary-in-the-middle position, proxying the victim's session to the real login page, and is used to intercept credentials and multi-factor authentication codes. This gives the attackers persistent access to the compromised accounts, which they use for lateral movement in the victim's networks and to install additional access tools or malware on managed endpoints.

Mimecast lists Indicators of Compromise (IOCs) in the analysis in the form of previously observed attack domains and abused infrastructure services. It also offers tips for hardening access. For example, companies should only allow ScreenConnect admin access from managed devices within the organization, and switching ScreenConnect access to FIDO2/WebAuthn protects against this kind of phishing because the authenticator is bound to the genuine origin. The analysis provides further possible improvements.
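Why FIDO2/WebAuthn defeats a reverse-proxy kit of the kind described above is worth seeing concretely. The following is an added example, not code from the article, Mimecast or ConnectWise: it models the three checks that matter (the browser only allows an RP ID that is a suffix of the page's domain, the authenticator only answers for the RP ID it was registered under, and the relying party verifies the origin and RP ID hash inside the signed client data). The RP ID, origins and the phishing domain are constructed, and an HMAC with a per-credential secret stands in for the authenticator's asymmetric signature, a deliberate simplification so the demo needs only the standard library.

```python
"""Why an adversary-in-the-middle proxy cannot relay a WebAuthn login.

Added example (not from the article, Mimecast or ConnectWise). Origins and
RP ID are constructed; HMAC replaces the real asymmetric signature.
"""
import hashlib
import hmac
import json
import os

RP_ID = "connectwise.example"                # assumed RP ID of the real service
RP_ORIGIN = "https://connectwise.example"    # the only origin the RP accepts


class Authenticator:
    """Toy authenticator holding one credential scoped to a single RP ID."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.key = os.urandom(32)  # stands in for the credential private key

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        # The browser, not the page, supplies the origin it is actually on.
        if rp_id != self.rp_id:
            raise ValueError("no credential for this RP ID")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.key, signed, hashlib.sha256).digest()
        return client_data, auth_data, sig


def browser_get(auth: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """Model of navigator.credentials.get(): RP ID must be a suffix of the page domain."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("SecurityError: rpId is not a registrable suffix of the page domain")
    return auth.get_assertion(rp_id, challenge, page_origin)


def rp_verify(cred_key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:          # proxy's origin never matches
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def run_login(page_origin: str, requested_rp_id: str, skip_browser_check: bool = False) -> str:
    """Return 'ok' or the reason the login fails. skip_browser_check models a
    hypothetical bypass of the browser rule, to show the RP still rejects."""
    auth = Authenticator(RP_ID)
    challenge = os.urandom(16).hex()
    try:
        if skip_browser_check:
            cd, ad, sig = auth.get_assertion(requested_rp_id, challenge, page_origin)
        else:
            cd, ad, sig = browser_get(auth, page_origin, requested_rp_id, challenge)
    except ValueError as e:
        return f"refused before signing: {e}"
    # Whatever relays the assertion (real browser or a proxy), the RP decides.
    return "ok" if rp_verify(auth.key, challenge, cd, ad, sig) else "rp rejected assertion"


if __name__ == "__main__":
    PHISH = "https://connectwise.example.com.ar"   # constructed lookalike
    print("genuine site:        ", run_login(RP_ORIGIN, RP_ID))
    print("phish, real RP ID:   ", run_login(PHISH, RP_ID))
    print("phish, own RP ID:    ", run_login(PHISH, "connectwise.example.com.ar"))
    print("phish, browser bypass", run_login(PHISH, RP_ID, skip_browser_check=True))
```

The proxy has no move that works: it cannot ask the browser for the real RP ID from its own domain, the authenticator has nothing registered for the proxy's domain, and even an assertion created on the wrong origin fails the relying party's origin check. A password plus TOTP, by contrast, carries no origin binding at all, which is why the kit can simply forward both.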

The remote maintenance software ConnectWise ScreenConnect is a popular target for attackers. Around the beginning of June, the US IT security authority CISA warned of ongoing attacks. At that time attackers were not only exploiting security vulnerabilities in the software; on the same day, ConnectWise also announced that state-sponsored attackers had penetrated the provider's networks.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.