
Unsolicited Emails Exploit ConnectWise ScreenConnect Software for Unauthorized Device Control

Phishing strategies have evolved with the emergence of a peculiar campaign that deceives victims into installing legitimate Remote Monitoring and Management (RMM) software, a significant leap in deceptive tactics.

Unseen Phishing Attack Exploits ConnectWise ScreenConnect for Device Takeover Control

In a notable development in the cybersecurity landscape, a phishing campaign targeting ConnectWise's ScreenConnect remote monitoring and management (RMM) software has been uncovered. The campaign, which began with a series of deceptive emails, marks a significant evolution in phishing tactics.

The multi-stage attack often starts with phishing emails disguised as routine business communications or friendly correspondence. These emails, which feature familiar branding and originate from compromised legitimate accounts, are designed to increase their credibility and avoid detection. The aim of the phishing campaign is to trick victims into downloading the ConnectWise ScreenConnect RMM software.

Once a link is clicked, the target is redirected to a malicious site where the second stage of the attack is initiated. Other phishing lures involve invites to fake MS Teams calls or Zoom meeting invitations, using timely subject lines to make the message seem genuine.

By sending phishing emails directly from the target's account, the attackers can bypass security controls that might flag external phishing attempts. This tactic allows them to gain a foothold in the organization's network.

Once the ScreenConnect RMM software is downloaded, threat actors can use its intended functionality to bypass security controls, navigate file systems, achieve persistent access, and exfiltrate sensitive data. The threat actors have been observed pivoting to lateral phishing campaigns that leverage the compromised environment to compromise additional targets within the organization.

The use of ScreenConnect in the campaign demonstrates a more mature criminal ecosystem where dark web vendors operate like legitimate software providers. This underscores the need for defenders to fundamentally reconsider their approach to threat detection and response in light of the increasing weaponization of trusted systems.

ConnectWise has not responded to Infosecurity's request for comment on the findings at the time of writing. Abnormal AI, another cybersecurity firm, has also not had any communication with ConnectWise regarding the research.

Organizations should establish comprehensive monitoring of RMM tools on the network, focusing on unauthorized installations and suspicious usage patterns. They should also update training programs to make staff aware of the abuse of legitimate software, including during phishing attacks.
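The monitoring recommendation above can be turned into a concrete check. The following script is an added example, not code from the article, from ConnectWise or from Abnormal AI. It runs over a handful of constructed process-creation log lines (host, user, process, parent process, command line) and flags ScreenConnect client executions that come from a host outside an assumed RMM allowlist, are spawned by a mail client or browser (the phishing delivery path described in the article), or run from a user's Downloads folder. The CSV layout, the allowlist, and the `ScreenConnect.Client*` process-name pattern are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry, not real logs. Each line is:
# host,user,process,parent_process,command_line
SAMPLE_EVENTS = [
    "ws-finance-07,alice,ScreenConnect.ClientSetup.exe,OUTLOOK.EXE,"
    "C:\\Users\\alice\\Downloads\\ScreenConnect.ClientSetup.exe",
    "helpdesk-01,svc_rmm,ScreenConnect.ClientService.exe,services.exe,"
    "C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe",
    "ws-hr-12,bob,ScreenConnect.Client.exe,chrome.exe,"
    "C:\\Users\\bob\\Downloads\\ScreenConnect.Client.exe",
    "ws-hr-12,bob,notepad.exe,explorer.exe,C:\\Windows\\notepad.exe",
]

# Assumed allowlist: the only hosts where IT is expected to run the RMM client.
ALLOWED_RMM_HOSTS = {"helpdesk-01"}

# Assumed process-name pattern covering the ScreenConnect client family.
RMM_PROCESS_RE = re.compile(r"^ScreenConnect\.Client", re.IGNORECASE)

# Parent processes that indicate a user-driven download (email/browser lure).
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe",
                       "firefox.exe", "teams.exe"}

# A command line under a per-user Downloads folder suggests an ad hoc install
# rather than a managed deployment.
DOWNLOADS_RE = re.compile(r"\\Downloads\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    process: str
    reasons: tuple


def parse_event(line):
    """Split one constructed CSV log line into its five fields."""
    host, user, process, parent, cmdline = line.split(",", 4)
    return {"host": host, "user": user, "process": process,
            "parent": parent, "cmdline": cmdline}


def find_unauthorized_rmm(lines, allowed_hosts=ALLOWED_RMM_HOSTS):
    """Return a Finding for every ScreenConnect client execution that looks
    unmanaged: wrong host, user-facing parent, or Downloads-folder path."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not RMM_PROCESS_RE.match(ev["process"]):
            continue  # not an RMM client process; ignore
        reasons = []
        if ev["host"].lower() not in allowed:
            reasons.append("host not on RMM allowlist")
        if ev["parent"].lower() in USER_FACING_PARENTS:
            reasons.append(f"spawned by user-facing app {ev['parent']}")
        if DOWNLOADS_RE.search(ev["cmdline"]):
            reasons.append("running from user Downloads folder")
        if reasons:
            findings.append(Finding(ev["host"], ev["user"],
                                    ev["process"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_rmm(SAMPLE_EVENTS):
        print(f"{f.host} ({f.user}): {f.process} -> {'; '.join(f.reasons)}")
```

On the constructed input the managed client on `helpdesk-01` is left alone, while the two workstation executions are reported with every reason that applies, which is the kind of triage detail an analyst wants when deciding whether an RMM install was sanctioned.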

While specific German companies affected by the ScreenConnect attack campaigns are not explicitly named, the reporting indicates that attackers used ScreenConnect in fake support attacks, attempting to gain persistent access to victim devices and VPN profiles. These sessions led to attempted exfiltration of sensitive data and to brute-force attacks on Office 365 accounts after the attack session. There is no direct mention of which organizations allegedly provided customer-level access to ScreenConnect.

This phishing campaign serves as a reminder that cyber threats are constantly evolving and that organizations must stay vigilant and adapt their cybersecurity strategies accordingly.
