Bank accounts of US government employees could end up in the hands of state-backed hackers.
Two unnamed US federal agencies were targeted by a fraud campaign that abused legitimate Remote Monitoring and Management (RMM) software.
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) uncovered the campaign in October. One federal agency had been compromised in June and another was attacked in September.
The attackers sent phishing emails that led victims to download the legitimate remote access programs ScreenConnect (ConnectWise Control) and AnyDesk, which the attackers then used to steal money from the victims' bank accounts.
The attacker first connected to the recipient's system and persuaded them to log into their online banking. Using the remote session, the attacker then altered the account balance shown to the victim so that it looked as though an excess amount had been transferred to them by mistake, and asked the victim to return the "overpayment".
In June, during a similar campaign, a phishing email containing a phone number was sent to a civil servant's email address. The employee called the number and was directed to a malicious website.
From there, the attacker downloaded portable versions of AnyDesk and ScreenConnect, configured to connect to the attacker's server. CISA noted that cybercriminals favor portable versions because they run on a device without installation or administrator rights.
After connecting to the victim's system, the scammer convinced the user to log into their online banking, then altered the displayed balance to give the impression that too much money had been refunded to the victim, and asked for the excess to be returned.
Both incidents involved phishing emails impersonating a help desk, sent to employees' personal and work addresses. According to CISA and the NSA, the campaign is financially motivated, but the attacker could also sell access to a victim's account to state-backed hackers. RMM programs let attackers establish local user access without administrator privileges and bypass monitoring tools.
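The detail that matters for defenders is the one CISA highlights above: portable RMM builds need no installer and no admin rights, so they surface under a user's profile (Downloads, Temp) instead of Program Files. The following is an added illustration, not code from the article, CISA or the RMM vendors: it runs a simple detection over constructed process-creation events and flags RMM executables launched from outside the installation roots. The binary names, paths, usernames and the "abc123" client identifier are assumptions for the example; in production the same logic would live in an EDR or Sigma rule.

```python
"""Flag portable RMM executables launched from user-writable locations.

Added example (not from the article or any advisory). Heuristic: an
AnyDesk or ScreenConnect client binary running outside Program Files is
treated as a portable copy, which is exactly what a user can run without
installing anything or holding admin rights.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Executable names commonly used by AnyDesk and the ScreenConnect client.
# Assumed list for this example; populate from your own software inventory.
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}

# Where a properly installed copy is expected to live; anything else is
# treated as a portable build.
INSTALL_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Constructed process-creation events (not real telemetry).
# Format: timestamp|user|image path|parent image
SAMPLE_EVENTS = [
    r"2023-06-01T14:02:11Z|AGENCY\jdoe|C:\Users\jdoe\Downloads\AnyDesk.exe|C:\Windows\explorer.exe",
    r"2023-06-01T14:05:40Z|AGENCY\jdoe|C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.WindowsClient.exe|C:\Users\jdoe\Downloads\AnyDesk.exe",
    r"2023-06-01T09:15:02Z|AGENCY\helpdesk|C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe|C:\Windows\System32\services.exe",
    r"2023-06-01T09:20:55Z|AGENCY\jdoe|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe",
]


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` lies inside `root` (Windows paths)."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[: len(r)] == r


def classify(image: str) -> Optional[str]:
    """Label an image path: None for non-RMM binaries, otherwise
    'installed-rmm' (under Program Files) or 'portable-rmm' (anywhere else)."""
    path = PureWindowsPath(image)
    if path.name.lower() not in RMM_BINARIES:
        return None
    if any(is_under(path, root) for root in INSTALL_ROOTS):
        # Expected location; still worth inventorying, but not the scam pattern.
        return "installed-rmm"
    # Running from a user-writable path: no installer, no admin rights needed.
    return "portable-rmm"


def scan(events: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per event whose image is a portable RMM binary."""
    findings = []
    for line in events:
        ts, user, image, parent = line.split("|")
        if classify(image) == "portable-rmm":
            findings.append(
                {"time": ts, "user": user, "image": image, "parent": parent}
            )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[portable-rmm] {f['time']} {f['user']} {f['image']} (parent: {f['parent']})")
```

Two of the four constructed events are flagged: the AnyDesk binary in Downloads and the ScreenConnect client in Temp; the installed ScreenConnect service under Program Files and notepad.exe are not. Pairing this with an allow-list of the RMM tools your organisation actually sanctions, and alerting on outbound connections from flagged processes to anything other than the sanctioned vendor's infrastructure, is the natural next step.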