Anyone seeing a rise in weaponized Remote Access Client installers? We are seeing a lot of them in phishing emails with smaller clients who are break/fix only.
We have a small client for whom we use the Simple-Help remote access agent. He received a phishing email that contained a link to a copy of the preconfigured access agent, which overwrote our agent. We watched the intruder try to copy finance records, run scripts, etc.
We took a video of them blanking the screen with a fake update/malware scan while moving the mouse around.
I copied the link onto a spun-up VM and watched them do the same thing within minutes of getting access.
Is there any way to lock the Remote Access Agent so it can't be overwritten without a password, or so it is only allowed from our verified server?
This sort of phishing attack requires that the user downloads an executable file from an unknown server and grants it admin/root privileges for the machine, so introducing a password to prevent changes would only mean the attackers would need to adjust the download to uninstall the existing service and install their own in its place to get around it. We can't prevent admin/root privileges from being able to change anything and everything about the Access service installed on that machine.
We're looking into revoking the digital signatures of old versions of SimpleHelp (especially those that don't have the server verification URL step) so that users downloading and running malicious files are protected by their browser and system security, adding another layer of protection for users vulnerable to these sorts of phishing attacks. We're also encouraging security providers to properly assess and block websites running old versions of SimpleHelp, as they're either malicious, running an insecure server version, or both.
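Since, as the reply says, nothing stops an admin-level installer from replacing the agent, the practical control on the MSP side is detection: audit the endpoints and flag any remote-access service whose binary is no longer signed by the expected publisher, or whose running process is connected to a server other than your own. The script below is an added example written for this thread; it is not SimpleHelp's code and not the poster's. The service-name patterns, the expected signer subject and the allowed server IP addresses are placeholder assumptions to be replaced with your own values, and the script does not read the agent's own configuration file (the thread does not describe its format), so it checks the live outbound connection of the service process instead. Note that a legitimately signed agent preconfigured for the attacker's server, which is what the original post describes, passes the signature check and is only caught by the peer check. Run as administrator on Windows 8 / Server 2012 or later (for Get-NetTCPConnection).

```powershell
# Added example, not SimpleHelp's code. Audits services that look like a
# remote-access agent and reports an unexpected code signer or an outbound
# connection to a server that is not on the allowlist.
param(
    # Assumption: patterns identifying the agent's service; adjust for your deployment.
    [string[]]$NamePatterns = @('SimpleHelp', 'Remote Access'),
    # Assumption: substring(s) of the Subject of the certificate you expect on the agent binary.
    [string[]]$AllowedSigners = @('CN=Your Expected Publisher'),
    # Assumption: IP addresses of your own verified server(s). Any other peer is suspect.
    [string[]]$AllowedServerIPs = @('203.0.113.10')
)

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and carry arguments; return only the executable.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-SignerResult {
    param([string]$Exe, [string[]]$Allowed)
    if (-not (Test-Path -LiteralPath $Exe)) { return @{ Subject = ''; Result = 'BINARY MISSING' } }
    $sig = Get-AuthenticodeSignature -FilePath $Exe
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # An invalid, unsigned or tampered binary is reported before the allowlist is consulted.
    if ($sig.Status -ne 'Valid') { return @{ Subject = $subject; Result = "SIGNATURE $($sig.Status)" } }
    foreach ($a in $Allowed) {
        if ($subject -like "*$a*") { return @{ Subject = $subject; Result = 'OK' } }
    }
    return @{ Subject = $subject; Result = 'UNEXPECTED SIGNER' }
}

function Get-RemotePeers {
    param([uint32]$ProcessId, [string[]]$Allowed)
    # Established TCP connections owned by the service process, excluding loopback.
    $peers = @(Get-NetTCPConnection -OwningProcess $ProcessId -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        Select-Object -ExpandProperty RemoteAddress -Unique)
    $bad = @($peers | Where-Object { $Allowed -notcontains $_ })
    $result = if ($bad.Count -gt 0) { "UNKNOWN SERVER $($bad -join ',')" } else { 'OK' }
    return @{ Peers = ($peers -join ','); Result = $result }
}

function Test-RemoteAccessAgents {
    $regex = ($NamePatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match $regex -or $_.DisplayName -match $regex -or $_.PathName -match $regex } |
        ForEach-Object {
            $exe = Get-ServiceBinaryPath $_.PathName
            $sig = Get-SignerResult -Exe $exe -Allowed $AllowedSigners
            # A stopped service has ProcessId 0 and nothing to inspect on the network side.
            $net = if ($_.ProcessId) { Get-RemotePeers -ProcessId $_.ProcessId -Allowed $AllowedServerIPs }
                   else { @{ Peers = ''; Result = 'NOT RUNNING' } }
            [pscustomobject]@{
                Service        = $_.Name
                State          = $_.State
                Binary         = $exe
                Signer         = $sig.Subject
                SignatureCheck = $sig.Result
                Peers          = $net.Peers
                ServerCheck    = $net.Result
            }
        }
}

Test-RemoteAccessAgents | Format-Table -AutoSize
```

Anything other than OK in both check columns deserves a look. If your server sits behind a load balancer or its address changes, widen the allowlist rather than the match; the point of the peer check is that the agent should never talk to a host you did not deploy.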