
Unveiled Phishing Attack Leverages ConnectWise ScreenConnect for Device Takeover

Researchers at Abnormal AI have documented a novel phishing strategy that tricks victims into installing a genuine Remote Monitoring and Management (RMM) tool, handing the attackers full remote control of the device


Cybersecurity researchers at Abnormal AI have uncovered a sophisticated phishing campaign that abuses the ConnectWise ScreenConnect Remote Monitoring and Management (RMM) tool to take over victims' devices.

The attackers combine social engineering with business impersonation to build a multi-layered deception. The resulting foothold supports a wide range of post-compromise activity: bypassing security controls, browsing the file system, establishing persistent access, and exfiltrating sensitive data.

The campaign's reliance on ScreenConnect reflects a maturing criminal ecosystem in which dark web vendors operate much like legitimate software providers. Some vendors advertise domain-admin-level ScreenConnect access to networks in Germany, the UK, and China, typically spanning 90 to 345 hosts per listing.

The phishing emails lure victims into downloading and installing the ConnectWise ScreenConnect RMM client. Once it is running, the threat actors simply use ScreenConnect's intended functionality to obtain system access equivalent to that of an IT administrator; because the tool behaves as designed, no exploit is required.

Notably, where an organization already runs ScreenConnect for legitimate IT support, the technique lets the attackers skip the installation step altogether: the existing, trusted deployment becomes their way in.

Commonly used lures include fake Zoom meeting invitations and fake Microsoft Teams calls. The emails often appear to originate from trusted internal senders, which sidesteps controls tuned to flag external phishing attempts.

Reducing the risk of ScreenConnect abuse rests primarily with ScreenConnect administrators, who must protect access credentials and keep user rights tightly scoped. Attackers have targeted ScreenConnect admins with phishing and have attempted unauthorized installations, but restricted user permissions have so far blocked those installation attempts.

The attackers have also been observed pivoting to lateral phishing, using the compromised environment to target additional people within the same organization. Many of these follow-on emails aim to seed further ScreenConnect deployments across the organization.

The campaign marks a significant evolution in phishing tactics, moving beyond the traditional goal of harvesting personal information and financial details. It is a reminder that modern threats increasingly weaponize trusted systems rather than circumvent them, which calls for a fundamental rethink of detection and response.

According to Abnormal AI, the campaign has targeted more than 900 organizations across a range of sectors and geographies. The researchers have not been in contact with ConnectWise about their findings.

In light of these findings, Abnormal AI urges organizations to monitor RMM tools comprehensively across the network, with a focus on unauthorized installations and suspicious usage patterns. It also advises updating security awareness training so that staff understand how legitimate software can be abused, including as the payload of a phishing attack.
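One concrete form of the monitoring recommended above is to inventory every ScreenConnect client service on a host and check which relay it phones home to. The script below is an added example written for this article; it is not code from Abnormal AI, ConnectWise, or the campaign. It assumes the usual way a ScreenConnect client registers itself on Windows: a service named `ScreenConnect Client (<instance id>)` whose command line carries the connection parameters as a query string (`h=` relay host, `p=` port, `e=` session type). The service entries, hostnames, instance IDs and allowlist are constructed for the demonstration; on a real host you would feed the function the `Name` and `PathName` of each service from `Get-CimInstance Win32_Service`.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of Windows service records (Name, PathName), shaped like the
# output of Get-CimInstance Win32_Service. None of these values are real.
SAMPLE_SERVICES = [
    ("ScreenConnect Client (1a2b3c4d5e6f7a8b)",
     r'"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7a8b)\ScreenConnect.ClientService.exe" '
     r'"?e=Access&y=Guest&h=corp-it-relay.example.com&p=443&s=00000000-0000-0000-0000-000000000001&k=BgIAAACk"'),
    ("ScreenConnect Client (9f8e7d6c5b4a3f2e)",
     r'"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect Client (9f8e7d6c5b4a3f2e)\ScreenConnect.ClientService.exe" '
     r'"?e=Access&y=Guest&h=instance-zoom-meeting.example.net&p=8041&s=00000000-0000-0000-0000-000000000002&k=BgIAAACk"'),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

# Relay hosts the IT department is sanctioned to use (assumed allowlist).
ALLOWED_RELAYS = {"corp-it-relay.example.com"}

_NAME_RE = re.compile(r"ScreenConnect Client \(([0-9a-fA-F]+)\)")
_ARGS_RE = re.compile(r'"\?([^"]*)"')
# Heuristic: a sanctioned install normally lives under Program Files; a client
# running from a user-writable directory such as Temp is suspicious.
_TRUSTED_DIR_RE = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)


def parse_screenconnect_service(name, path_name):
    """Return the connection details of a ScreenConnect client service, or None
    if the service is not a ScreenConnect client."""
    m = _NAME_RE.search(name)
    if not m:
        return None
    exe = path_name.split('"')[1] if path_name.startswith('"') else path_name.split(" ")[0]
    args = _ARGS_RE.search(path_name)
    params = parse_qs(args.group(1)) if args else {}

    def first(key):
        return params.get(key, [None])[0]

    port = first("p")
    return {
        "service": name,
        "instance": m.group(1),
        "exe": exe,
        "relay": first("h"),
        "port": int(port) if port and port.isdigit() else None,
        "session_type": first("e"),
        "in_program_files": bool(_TRUSTED_DIR_RE.match(exe)),
    }


def find_unauthorized(services, allowed_relays):
    """Flag ScreenConnect clients whose relay is not on the allowlist or whose
    binary is installed outside Program Files. Returns one finding per client."""
    allowed = {r.lower() for r in allowed_relays}
    findings = []
    for name, path_name in services:
        info = parse_screenconnect_service(name, path_name)
        if info is None:
            continue
        reasons = []
        if info["relay"] is None:
            reasons.append("no relay host in service arguments")
        elif info["relay"].lower() not in allowed:
            reasons.append("relay host not in allowlist")
        if not info["in_program_files"]:
            reasons.append("client binary outside Program Files")
        if reasons:
            findings.append({**info, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unauthorized(SAMPLE_SERVICES, ALLOWED_RELAYS):
        print(f"{f['service']}: relay={f['relay']} port={f['port']} -> {'; '.join(f['reasons'])}")
```

The relay host is the most useful signal: every ScreenConnect client, sanctioned or not, must reach the server that issued it, so an instance pointing at a relay the IT team never provisioned is an unauthorized deployment regardless of how convincing the installer looked. The install-path check is a secondary heuristic and will need tuning to how your own deployment packages the client.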

Cybercriminals can obtain ScreenConnect access and installers in various forms through underground forums, encrypted messaging apps, and anonymous web pages. The researchers recommend that organizations take proactive steps to secure their own ScreenConnect environments and defend against this kind of abuse.
