Sophisticated Phishing Campaign Targets ScreenConnect Cloud Administrators

A sophisticated credential harvesting campaign, identified as MCTO3030, has been actively targeting ScreenConnect cloud administrators since 2022. This operation employs spear-phishing tactics to steal super administrator credentials, posing significant risks to organizations utilizing ScreenConnect for remote access and management.

Campaign Overview

MCTO3030 operates with a low-volume distribution strategy, dispatching up to 1,000 emails per campaign run. This approach allows the campaign to remain largely undetected while maintaining consistent tactics over time. The primary targets are senior IT professionals, including directors, managers, and security personnel who hold elevated privileges within ScreenConnect environments.

Phishing Tactics

Attackers leverage Amazon Simple Email Service (SES) accounts to send convincing phishing emails. These emails alert recipients to alleged suspicious login activities from unusual IP addresses or geographic locations, creating a sense of urgency that prompts immediate action. The emails contain a Review Security button, which, when clicked, redirects victims to sophisticated fake login pages that closely mimic authentic ScreenConnect interfaces.

Technical Sophistication

The campaign employs advanced adversary-in-the-middle (AitM) techniques using the EvilGinx framework. This open-source tool is designed to intercept both credentials and multi-factor authentication (MFA) codes in real time. By positioning itself between the victim and the legitimate authentication service, EvilGinx captures login credentials while simultaneously forwarding authentication requests to the real ScreenConnect portal. This method allows attackers to harvest time-sensitive MFA tokens, enabling persistent access to compromised accounts even when MFA is enabled.

Infrastructure and Impersonation

To enhance the credibility of their phishing attempts, attackers use country-code top-level domains (ccTLDs) with ScreenConnect-themed naming conventions. Examples include domains like connectwise.com.ar, connectwise.com.be, and connectwise.com.cm, which convincingly impersonate legitimate ConnectWise portals. The consistent use of Amazon SES infrastructure ensures high deliverability rates and helps bypass traditional email security controls by leveraging trusted cloud services.
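A defensive check a mail-security team could run over message bodies, added here as an example and not code from Mimecast or the original article: it extracts URLs and flags hosts that carry the ConnectWise or ScreenConnect brand label under a domain that is not the legitimate one, which is exactly the pattern of the connectwise.com.ar style domains above. The allow-listed hosts and the sample email are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine ScreenConnect/ConnectWise login link may point to.
# Assumption for this example; replace with the hosts your tenant really uses.
LEGIT_HOSTS = {"connectwise.com", "screenconnect.com"}

# Brand labels the campaign imitates inside lookalike ccTLD domains.
BRAND_LABELS = ("connectwise", "screenconnect")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def classify_host(host):
    """Return 'legit', 'lookalike' or 'other' for a hostname."""
    host = host.lower().rstrip(".")
    # Exact match or a subdomain of an allow-listed host is legitimate.
    for legit in LEGIT_HOSTS:
        if host == legit or host.endswith("." + legit):
            return "legit"
    # Brand label appears in a label of a domain that is NOT allow-listed,
    # e.g. connectwise.com.ar, where the registrable domain is under com.ar.
    if any(brand in label for label in host.split(".") for brand in BRAND_LABELS):
        return "lookalike"
    return "other"


def extract_lookalikes(text):
    """Return sorted unique hostnames in text that impersonate the brand."""
    found = set()
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # drop trailing sentence punctuation
        host = urlparse(url).hostname
        if host and classify_host(host) == "lookalike":
            found.add(host.lower().rstrip("."))
    return sorted(found)


# Constructed sample message in the style the article describes (not a real email).
SAMPLE_EMAIL = """Subject: Suspicious login to your ScreenConnect account
We noticed a sign-in from an unusual IP address.
Review Security: https://connectwise.com.ar/Login
Or use https://connectwise.com.cm/Login, if the first link fails.
Your real portal: https://yourcompany.screenconnect.com/Login
"""

if __name__ == "__main__":
    print(extract_lookalikes(SAMPLE_EMAIL))
```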

Connection to Ransomware Operations

Mimecast analysts have identified this persistent threat as particularly concerning due to its apparent connection to ransomware operations. Research indicates similar targeting patterns by Qilin ransomware affiliates. The harvested super admin credentials serve as initial access vectors for subsequent ransomware deployment, enabling attackers to push malicious ScreenConnect clients to multiple endpoints simultaneously.

Mitigation Strategies

Organizations utilizing ScreenConnect should implement the following measures to mitigate the risks associated with this campaign:

1. User Education and Awareness: Educate employees, especially those with elevated privileges, about the dangers of phishing attacks and the importance of verifying the authenticity of security alerts.

2. Email Filtering and Monitoring: Implement advanced email filtering solutions to detect and block phishing emails. Regularly monitor email traffic for signs of phishing attempts.

3. Multi-Factor Authentication (MFA): While MFA is a critical security measure, be aware that AitM attacks such as this one can bypass it. Consider implementing additional layers of security, such as hardware tokens or biometric verification.

4. Regular Software Updates: Ensure that all software, including remote access tools like ScreenConnect, is regularly updated to patch known vulnerabilities.

5. Network Segmentation: Segment networks to limit the spread of potential attacks and restrict access to critical systems.

6. Incident Response Planning: Develop and regularly update incident response plans to quickly address and mitigate the impact of security breaches.

Conclusion

The MCTO3030 campaign underscores the evolving sophistication of cyber threats targeting remote access tools. By employing advanced phishing techniques and leveraging trusted infrastructure, attackers can effectively bypass traditional security measures. Organizations must remain vigilant, continuously educate their staff, and implement comprehensive security strategies to protect against such threats.