Identity, Phishing, Email security, Ransomware, IAM Technologies, Exposure management

ScreenConnect super admins targeted in spearphishing campaign

ConnectWise ScreenConnect super administrators were targeted in a yearslong spearphishing campaign aimed at harvesting credentials to facilitate sophisticated cyberattacks.

Senior information technology (IT) professionals are targeted with emails claiming a suspicious login attempt was made on the target organization’s ScreenConnect instance, according to an analysis by Mimecast published Monday.   

The emails direct the victim to “Review Security,” leading them to phishing websites with domains imitating the legitimate ConnectWise domain. These domain names use country code top-level domains (CCTLDs) to create convincing lookalike URLs such as “connectwise[.]com[.]ar.”

The open-source EvilGinx adversary-in-the-middle (AiTM) framework is used to collect any credentials submitted by the victim into the phishing page interface, which is designed to look like a legitimate ScreenConnect login page. This framework is capable of harvesting both passwords and multi-factor authentication (MFA) tokens.

If the victim submits their credentials, the attacker can then compromise their account and leverage ScreenConnect super admin privileges to conduct advanced attacks on additional endpoints at the organization.

Attackers can use the ScreenConnect remote desktop software to deploy malware and achieve lateral movement; previous research by Sophos has also tied similar ScreenConnect spearphishing to ransomware deployment by the Qilin ransomware gang.

Mimecast noted that the spearphishing operation appears to have been active since at least 2022 and has managed to keep a low profile through low-volume, highly targeted attacks of about 1,000 emails per campaign run.

The attackers use the Amazon Simple Email Service (SES), likely through compromised accounts, to deliver their emails, increasing the scale of their attacks while avoiding suspicion.

Mimecast recommends organizations respond to such spearphishing attacks by conducting targeted security awareness training for IT staff and specifically use ScreenConnect login scenarios in phishing simulations.

Organizations are also recommended to use phishing-resistant MFA methods, such as FIDO2 passkeys, for ScreenConnect accounts to prevent compromise via phishing frameworks like EvilGinx.

Comprehensive logging of ScreenConnect authentication events, monitoring for suspicious admin actions and searching of email logs for indicators of compromise (IoCs) from the campaign can also aid in detecting such attacks, said Mimecast.

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Black HatBusiness Email Compromise (BEC)Data MiningDeauthentication AttackDeepfakeDenial of ServiceDictionary AttackDigest AuthenticationDigital CertificateSpam

You can skip this ad in 5 seconds