Organizations in the U.S., Canada, the UK, and Northern Ireland have had their PCs compromised in intrusions involving fake U.S. Social Security Administration emails and ConnectWise ScreenConnect exploits, HackRead reports.Attackers have distributed malicious emails with the fake ssa[.]com domain containing a .cmd script attachment, which leverages PowerShell auto-elevation before altering the targeted device's registry to end Windows SmartScreen and remove Mark-of-the-Web tagging, according to Forcepoint X-labs researchers. After tapping Alternate Data Streams for additional stealth, threat actors proceed to covertly install ScreenConnect as a permanent backdoor to the targeted network, where it scours government-, healthcare-, and logistics-related data.The ScreenConnect version injected by attackers had a revoked security certificate and was hardcoded to use port 8041 to connect with the dof-connecttop server address, which belongs to the network infrastructure of the Aria Shatel Company in Iran. With threat actors increasingly exploiting trusted tools in attacks, organizations have been advised to be wary of unexpected government emails and attachments.
Email security, Threat Intelligence
Cyberattacks exploiting bogus social security emails, ScreenConnect uncovered

(Adobe Stock)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



