Email security, Threat Intelligence

Cyberattacks exploiting bogus social security emails, ScreenConnect uncovered

A close-up of a laptop displaying an illuminated email icon with red hazard symbols, signifying security issues.

Organizations in the U.S., Canada, the UK, and Northern Ireland have had their PCs compromised in intrusions involving fake U.S. Social Security Administration emails and ConnectWise ScreenConnect exploits, HackRead reports.

Attackers have distributed malicious emails with the fake ssa[.]com domain containing a .cmd script attachment, which leverages PowerShell auto-elevation before altering the targeted device's registry to end Windows SmartScreen and remove Mark-of-the-Web tagging, according to Forcepoint X-labs researchers. After tapping Alternate Data Streams for additional stealth, threat actors proceed to covertly install ScreenConnect as a permanent backdoor to the targeted network, where it scours government-, healthcare-, and logistics-related data.

The ScreenConnect version injected by attackers had a revoked security certificate and was hardcoded to use port 8041 to connect with the dof-connecttop server address, which belongs to the network infrastructure of the Aria Shatel Company in Iran. With threat actors increasingly exploiting trusted tools in attacks, organizations have been advised to be wary of unexpected government emails and attachments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds