Phishing Attack Uses Stolen Credentials to Deploy LogMeIn RMM
A new phishing attack uses stolen credentials to deploy LogMeIn RMM for persistent access to compromised hosts.
TL;DR
- A new phishing attack uses stolen credentials to deploy LogMeIn RMM for persistent access to compromised hosts.
- The attack unfolds in two distinct waves, where the threat actors leverage fake invitation notifications to steal victim credentials.
- The attack can lead to unauthorized access to compromised hosts.
- Organizations are advised to monitor for unauthorized RMM installations and usage patterns.
The attack combines social engineering with abuse of a trusted IT tool to gain persistent access to compromised hosts. Because the remote-access software itself is legitimate, the attack underlines why organizations need to monitor for unauthorized RMM installations and usage patterns.
What happened
The attack begins with a phishing email disguised as an invitation from Greenvelope, a legitimate platform. The email aims to trick recipients into clicking a phishing URL designed to harvest their Microsoft Outlook, Yahoo! or AOL.com login credentials. Once the threat actors obtain these credentials, they use them to register with LogMeIn and generate RMM access tokens.
The RMM access tokens are then deployed in a follow-on attack through an executable named 'GreenVelopeCard.exe' to establish persistent remote access to victim systems. The binary is signed with a valid certificate and contains a JSON configuration that acts as a conduit to silently install LogMeIn Resolve (formerly GoTo Resolve) and connect to an attacker-controlled URL without the victim's knowledge.
Why it matters
The attack is significant because it highlights the importance of monitoring for unauthorized RMM installations and usage patterns. The use of legitimate IT tools, such as LogMeIn RMM, can make it difficult for organizations to detect and respond to the attack. The attack also underscores the need for organizations to implement robust security measures, such as multi-factor authentication and regular security audits, to prevent similar attacks in the future.
Who is most at risk
Organizations that use LogMeIn RMM and have not implemented robust security measures are most at risk from this attack. The attack can lead to unauthorized access to compromised hosts, which can result in data breaches and other security incidents.
Impact
The impact of the attack can be significant, as it can lead to unauthorized access to compromised hosts and result in data breaches and other security incidents. Organizations that are affected by the attack should take immediate action to contain and remediate the incident.
Quick checks
Organizations can take several steps to protect themselves from this attack, including monitoring for unauthorized RMM installations and usage patterns, implementing multi-factor authentication, and conducting regular security audits.
Fix / mitigation
To mitigate this attack, organizations should take the following steps:
- Monitor for unauthorized RMM installations and usage patterns.
- Implement multi-factor authentication for all users.
- Conduct regular security audits to identify and remediate vulnerabilities.
- Use a reputable security solution to detect and block phishing emails.
- Educate users about the risks of phishing emails and the importance of being cautious when clicking on links or providing sensitive information.
Detection & hardening
To detect and prevent similar attacks in the future, organizations should implement robust security measures, such as:
- Monitoring for unauthorized RMM installations and usage patterns
- Implementing multi-factor authentication for all users
- Conducting regular security audits to identify and remediate vulnerabilities
- Using a reputable security solution to detect and block phishing emails
- Educating users about the risks of phishing emails and the importance of being cautious when clicking on links or providing sensitive information
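The "monitor for unauthorized RMM installations" item above is easier to act on with concrete detection logic. The following is an added example, not code from the original article or from LogMeIn: it scans process-creation records (constructed sample events, in JSON-lines form) and flags a LogMeIn Resolve install that did not come from the approved deployment account and parent, or that was spawned by a binary the user ran from their Downloads folder, which is the GreenVelopeCard.exe chain described above. The approved account, the parent process names and the installer file name are assumptions, not values from the article or the product.

```python
import json

# Assumed organisational allowlist (example values, not from the article):
APPROVED_DEPLOYERS = {"svc-endpoint-mgmt"}                 # sanctioned deployment account
APPROVED_INSTALL_PARENTS = {"msiexec.exe", "ccmexec.exe"}  # managed-install parents
# Substrings that identify the RMM product in a process name or command line.
RMM_MARKERS = ("logmein", "gotoresolve", "goto resolve")


def is_rmm(ev):
    text = (ev["process"] + " " + ev.get("cmdline", "")).lower()
    return any(m in text for m in RMM_MARKERS)


def launched_from_downloads(ev):
    return "\\downloads\\" in ev.get("cmdline", "").lower()


def scan(lines):
    """Return alerts for RMM installs that fall outside the approved deployment path."""
    events = [json.loads(line) for line in lines]
    # Pass 1: binaries a user executed out of their Downloads folder, keyed by host.
    downloaded = {(e["host"], e["process"].lower()) for e in events if launched_from_downloads(e)}
    alerts = []
    for e in events:                      # Pass 2: judge every RMM-related process start
        if not is_rmm(e):
            continue
        parent, user = e.get("parent", "").lower(), e.get("user", "").lower()
        findings = []
        if user not in APPROVED_DEPLOYERS or parent not in APPROVED_INSTALL_PARENTS:
            findings.append("rmm_install_outside_approved_deployment")
        if (e["host"], parent) in downloaded:  # installer's parent was a downloaded file
            findings.append("rmm_installed_by_downloaded_binary")
        for f in findings:
            alerts.append({"host": e["host"], "user": e["user"], "process": e["process"],
                           "parent": e.get("parent"), "finding": f})
    return alerts


# Constructed sample events; "LogMeInResolve-setup.exe" is a placeholder installer name.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"host": "WS-01", "user": "svc-endpoint-mgmt", "parent": "msiexec.exe",
     "process": "LogMeInResolve-setup.exe",
     "cmdline": r"C:\ProgramData\deploy\LogMeInResolve-setup.exe /quiet"},
    {"host": "WS-07", "user": "jdoe", "parent": "explorer.exe",
     "process": "GreenVelopeCard.exe",
     "cmdline": r"C:\Users\jdoe\Downloads\GreenVelopeCard.exe"},
    {"host": "WS-07", "user": "jdoe", "parent": "GreenVelopeCard.exe",
     "process": "LogMeInResolve-setup.exe",
     "cmdline": r"C:\Users\jdoe\AppData\Local\Temp\LogMeInResolve-setup.exe /silent"},
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Only the WS-07 install raises alerts (two findings); the WS-01 install from the approved account and parent is silent.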
Key numbers
- Number of affected organizations: Not disclosed
- Type of attack: Phishing
- Number of victims: Not disclosed
What we still don’t know
The full extent of the attack and the number of organizations affected are not yet known.
FAQ
Q: What is the nature of the attack?
A: The attack is a phishing attack that uses stolen credentials to deploy LogMeIn RMM for persistent access to compromised hosts.
Q: How can organizations protect themselves from this attack?
A: Organizations can protect themselves by monitoring for unauthorized RMM installations and usage patterns, implementing multi-factor authentication, and conducting regular security audits.
Q: What is the impact of the attack?
A: The impact of the attack can be significant, as it can lead to unauthorized access to compromised hosts and result in data breaches and other security incidents.
Bottom line
The phishing attack that uses stolen credentials to deploy LogMeIn RMM is a significant threat to organizations. To protect themselves, organizations should monitor for unauthorized RMM installations and usage patterns, implement multi-factor authentication, and conduct regular security audits.