Everyone knows email phishing scams are common. A CISA advisory details a newer twist: a phishing campaign that abuses legitimate remote monitoring and management (RMM) software to steal money.
According to the joint Cybersecurity and Infrastructure Security Agency (CISA) advisory, the attacks were directed at federal civilian employees. The advisory is noteworthy well beyond government because the same strategy can be used against anyone, including healthcare providers.
On January 25, 2023, the Cybersecurity and Infrastructure Security Agency released a National Cyber Awareness System Alert, “Protecting Against Malicious Use of Remote Monitoring and Management Software” jointly with the National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
Why the Alert?
- The attackers used help-desk-themed phishing emails to get victims to download legitimate RMM software, which gave the attackers remote access to the victim's computer for a financial scam.
- The same tactics can be used for other purposes, such as planting a network backdoor for follow-on intrusions or cyber espionage.
- Attackers use portable (no-install) versions of legitimate RMM software. Because nothing is installed and no administrator rights are needed, controls that only block unauthorized software installation do not stop it, and the tool itself is not malware, so antivirus has little to flag.
What is portable executable RMM software?
- RMM software is commonly used by IT departments and managed service providers (MSPs) to provide remote technical support and troubleshooting.
- A portable executable is a build of the RMM client that runs directly from the downloaded file (for example, from the user's Downloads folder) without an installer. That is exactly why attackers favor it: it needs no administrator rights, leaves no installed program to audit, and its remote-access traffic looks like normal support activity.
- Most MSPs and many IT departments use RMM software, so its presence on a network and its outbound connections often look legitimate to defenders.
Background of Attacks
- In mid-June 2022, a federal civilian employee received a phishing email containing a phone number.
- The employee called the number, which led them to visit the malicious domain, myhelpcare[.]online. CISA found additional similar attacks on multiple federal civilian department networks.
- Other variants used emails with a malicious link that downloaded the RMM software directly.
- The CISA alert identified legitimate RMM software from AnyDesk and ScreenConnect in these attacks, and noted that any legitimate RMM product could be misused the same way.
The CISA alert provided a copy of an actual phishing email. It relies on urgency (a response demanded within 24 hours), a common theme of phishing emails.
Taking Action
While the targets of these attacks were federal civilian employees, these threat actors, or copycats, could use the same techniques against any business, including healthcare providers. Employee awareness is a primary tool for stopping these attacks, so phishing training and reminders are needed for all employees. A CISA infographic provides the following suggestions:
- Educate employees to recognize common indicators of phishing, such as suspicious sender email addresses, generic greetings, spoofed hyperlinks, spelling or layout errors, and suspicious attachments.
- Teach employees to keep their guard up on all communications platforms, including social media, and to flag suspicious correspondence for security review.
- Report the email to the appropriate security teams.
- Do not forward the malicious email to others within the organization.
Deeper technical dive. The CISA alert also includes multiple technical mitigation strategies, such as auditing which remote access tools are present on your network, reviewing logs for RMM software running as a portable executable, using application control (allowlisting) to permit only approved RMM programs, requiring approved RMM tools to be used only over an approved remote access method such as a VPN, and blocking common RMM ports and protocols at the network perimeter. Discuss these with your IT team or managed service provider to decide which are practical measures for bolstering your network security.
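To make the log-review mitigation concrete, here is an added example of the kind of check an IT team or MSP could run. It is not code from the CISA alert or from this newsletter. It reads Sysmon-style process-creation events (one JSON object per line) and flags RMM executables that were launched from a user-writable folder or directly by a web browser, the signature of a portable executable that a phishing victim downloaded and ran, while treating an agent running from Program Files as ordinary. The executable names, the installed-path prefixes, the user-writable folder markers, and the sample events are all assumptions constructed for illustration; adapt the lists to the RMM products your environment actually uses.

```python
"""Spot RMM software launched as a portable executable.

Example code added to this newsletter; it is not from CISA's alert.
The sample events are constructed in the style of Sysmon process-creation
records (Event ID 1) and are not real logs. The executable names,
installed-path prefixes, and user-writable markers are assumptions.
"""
import json
import ntpath

# Assumed executable names for the two RMM products CISA named.
RMM_EXECUTABLES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientsetup.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "screenconnect.clientservice.exe": "ScreenConnect",
}

# Where a properly installed agent normally lives (assumed).
INSTALLED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Folders a phishing victim's browser writes downloads into (assumed).
USER_WRITABLE_MARKERS = (
    "\\downloads\\",
    "\\desktop\\",
    "\\appdata\\local\\temp\\",
    "\\public\\",
)

# A browser parent means the binary was just downloaded and run by a user.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def classify_event(event):
    """Return a finding for an RMM process launch, or None for anything else."""
    image = event.get("Image", "")
    exe = ntpath.basename(image).lower()
    product = RMM_EXECUTABLES.get(exe)
    if product is None:
        return None

    path = image.lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    reasons = []

    if path.startswith(INSTALLED_PREFIXES):
        severity = "info"      # installed agent; confirm it is the approved one
    else:
        severity = "medium"    # not where an installed agent should be
        reasons.append("runs outside Program Files (portable executable?)")
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            severity = "high"
            reasons.append("runs from a user-writable folder")
    if parent in BROWSERS:
        severity = "high"
        reasons.append(f"launched directly by browser {parent}")

    return {
        "time": event.get("UtcTime"),
        "user": event.get("User"),
        "product": product,
        "image": image,
        "parent": parent,
        "severity": severity,
        "reasons": reasons,
    }


def scan(json_lines):
    """Parse one JSON event per line and return findings, worst first."""
    order = {"high": 0, "medium": 1, "info": 2}
    findings = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        finding = classify_event(json.loads(line))
        if finding:
            findings.append(finding)
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = r"""
{"UtcTime": "2022-06-15 14:02:11", "User": "CORP\\jdoe", "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"UtcTime": "2022-06-15 14:07:43", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"UtcTime": "2022-06-15 14:09:02", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe", "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"}
{"UtcTime": "2022-06-15 14:10:30", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
""".strip().splitlines()


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper():6}] {f['time']} {f['user']} {f['product']} "
              f"{f['image']} (parent: {f['parent']}) {'; '.join(f['reasons'])}")
```

Run against the constructed sample, the two browser-launched copies in Downloads and Temp come out as high-severity findings and the installed AnyDesk agent is reported as informational, which is the triage split a team wants: the "info" line still deserves a check against the allowlist of approved RMM tools. The same logic maps onto Windows Security event 4688 (NewProcessName and ParentProcessName) if Sysmon is not deployed.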
As always, update your HIPAA Security Risk Assessment and Mitigation Plan when addressing new risks and mitigation strategies. For example, your assessment could be updated with a note that current phishing training was reviewed as a result of this CISA alert. Document any changes, such as frequency, content or effectiveness. Continuous documentation provides evidence to your leadership and board that your HIPAA security program continues to change as new risks emerge. An updated document will also be helpful if the Office for Civil Rights (OCR) ever knocks on your door.
Need help with your HIPAA Security Risk Analysis? MPA can help. Reply to this email to learn more.