#RMM

2026-02-09

So I made a mistake this weekend in our environment that caused me to get a call from our SOC at 1am yesterday morning. 😣

Post incoming.

#MSP #Mistake #RMM #CyberSecurity

CyberNetsecIO (netsecio)
2026-02-05

📰 Voicemail-Themed Phishing Campaign Deploys Legitimate RMM Tools for Backdoor Access

⚠️ PHISHING ALERT: A new campaign uses fake voicemail lures to trick users into installing legitimate remote access tools (RMM). 🔉 This grants attackers full, persistent control of the system.

🔗 cyber.netsecops.io/articles/vo

B'ad Samurai 🐐🇺🇦 (badsamurai@infosec.exchange)
2026-01-29

Comodo has some newer MDM products they cannot, surprise-surprise, adequately protect from abuse.

*.itsm-us1.comodo[.]com (US)
*.cmdm.comodo[.]com (EU)
*.mdmsupport.comodo[.]com (legacy)

russianpanda.com/The-Abuse-of-

#rmm
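As an added example (not from the post above), a small Python matcher that refangs the three `[.]`-defanged patterns quoted there and checks DNS query logs against them. It matches on whole DNS labels rather than substrings, so a lookalike such as `mdm.cmdm.comodo.com.attacker.example` is not flagged while any depth of subdomain under the watched zone is. The log line format and the sample lines are constructed for the example.

```python
import re

# Patterns as quoted in the post (defanged with "[.]"); refanged when matched.
WATCHED_PATTERNS = {
    "*.itsm-us1.comodo[.]com": "Comodo ITSM (US)",
    "*.cmdm.comodo[.]com": "Comodo MDM (EU)",
    "*.mdmsupport.comodo[.]com": "Comodo MDM (legacy)",
}


def refang(indicator):
    """Undo the common defanging conventions used when sharing indicators."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def _labels(name):
    # Normalise case and a trailing root dot, then split into DNS labels.
    return name.rstrip(".").lower().split(".")


def matches(pattern, hostname):
    """Label-wise match: '*.a.b' matches 'x.a.b' and 'y.x.a.b', but not 'a.b' or 'a.b.evil'."""
    p = _labels(refang(pattern))
    h = _labels(hostname)
    if p[0] == "*":
        tail = p[1:]
        return len(h) > len(tail) and h[-len(tail):] == tail
    return h == p


# Constructed log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def scan_dns_log(lines):
    """Return (timestamp, client, qname, label) for every query under a watched zone."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not query records
        qname = m["qname"]
        for pattern, label in WATCHED_PATTERNS.items():
            if matches(pattern, qname):
                hits.append((m["ts"], m["client"], qname, label))
                break
    return hits


SAMPLE_DNS_LOG = [  # constructed sample lines
    "2026-01-29T08:01:12Z 10.20.1.55 query agent.itsm-us1.comodo.com",
    "2026-01-29T08:01:13Z 10.20.1.55 query www.example.org",
    # suffix trick: watched zone appears in the middle of the name, must NOT match
    "2026-01-29T08:02:40Z 10.20.3.9 query mdm.cmdm.comodo.com.attacker.example",
    "2026-01-29T08:03:02Z 10.20.3.9 query portal.mdmsupport.comodo.com.",
]

if __name__ == "__main__":
    for ts, client, qname, label in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} -> {qname} [{label}]")
```

Whether a hit is a problem depends on which RMM or MDM vendor the organisation actually uses; the point of the label-wise comparison is that a naive `"comodo.com" in qname` check would both miss nothing and also fire on the attacker-controlled lookalike.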

2026-01-24

It's been a busy 24 hours in the cyber world with significant updates on actively exploited vulnerabilities, evolving social engineering tactics, and some notable cyberattacks. Let's dive in:

London Boroughs Still Recovering Months After Cyberattack 🏙️
- Hammersmith & Fulham Council is slowly restoring services, two months after a cyberattack affected multiple London boroughs. Online payments have resumed, but some account balances may not be current.
- Westminster City Council and Kensington & Chelsea also remain impacted, with the latter confirming criminal intent and data compromise, and warning that full system restoration could take months.
- This incident highlights the ongoing threat to local authorities, with the NCSC recently warning about pro-Russia hacktivist attacks causing costly disruption to such targets.

🕵🏼 The Register | go.theregister.com/feed/www.th

Dresden Museum Network Hit by Cyberattack 🖼️
- Germany's Dresden State Art Collections (SKD), one of Europe's oldest museum networks, has suffered a targeted cyberattack that disrupted significant parts of its digital infrastructure.
- The attack, discovered on Wednesday, has limited digital and phone services, with online ticket sales and the museum shop unavailable, and on-site payments restricted to cash.
- While security systems protecting the collections remain intact, the incident underscores a growing trend of cultural institutions becoming targets for cybercriminals, as seen with recent attacks on national art museums and libraries.

🗞️ The Record | therecord.media/dresden-state-

ATM Jackpotting Ring Busted in US 💰
- Two Venezuelan nationals have been convicted and will be deported for an ATM jackpotting scheme that stole hundreds of thousands of dollars from US banks across several states.
- The attackers connected laptops to older ATM models and installed Ploutus malware to bypass security protocols, forcing machines to dispense all available cash directly from the banks.
- This operation is linked to a larger conspiracy, with Nebraska authorities indicting 54 individuals, including alleged leaders of the Venezuelan Tren de Aragua gang, for similar multi-million dollar thefts.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Vishing and AitM Phishing Attacks on the Rise 🎣
- Okta has warned about custom vishing (voice phishing) kits, sold as a service, actively targeting Okta, Google, and Microsoft SSO accounts, as well as cryptocurrency platforms.
- These kits feature adversary-in-the-middle (AitM) capabilities, allowing attackers to manipulate phishing page content in real-time during a call, effectively bypassing push-based MFA, including number matching.
- Microsoft also reported a multi-stage AitM phishing and BEC campaign targeting energy firms, abusing SharePoint for phishing payloads and creating inbox rules for persistence and evasion. Post-compromise, attackers leverage stolen session cookies and internal identities for large-scale intra-organizational and external phishing.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🚨 The Hacker News | thehackernews.com/2026/01/micr

RMM Tools Weaponised for Persistent Access 🛠️
- A new dual-vector campaign is leveraging stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software, specifically LogMeIn Resolve, for persistent remote access.
- The attack starts with fake Greenvelope invitation emails to harvest Microsoft Outlook, Yahoo!, or AOL.com login details. These stolen credentials are then used to register with LogMeIn and generate RMM access tokens.
- A malicious executable, "GreenVelopeCard.exe," signed with a valid certificate, silently installs LogMeIn Resolve, alters its service settings for unrestricted access, and creates hidden scheduled tasks to maintain persistence.

🚨 The Hacker News | thehackernews.com/2026/01/phis

Malicious AI Extensions Steal Developer Data 💻
- Two malicious extensions in Microsoft's Visual Studio Code (VSCode) Marketplace, "ChatGPT – 中文版" (1.34M installs) and "ChatMoss (CodeMoss)" (150k installs), are exfiltrating developer data to China-based servers.
- Part of a campaign dubbed 'MaliciousCorgi,' these extensions, while providing advertised AI coding assistance, covertly monitor and transmit the entire contents of opened files, including changes, encoded in Base64.
- They also perform server-controlled harvesting of up to 50 files from a victim's workspace and use commercial analytics SDKs (Zhuge.io, GrowingIO, TalkingData, Baidu Analytics) for user profiling and device fingerprinting, exposing sensitive source code, configuration files, and credentials.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Fortinet FortiGate SSO Flaw Still Exploitable ⚠️
- Fortinet has confirmed that a critical FortiCloud SSO authentication bypass vulnerability (CVE-2025-59718), supposedly patched in December, is still being actively exploited via a new attack path.
- Threat actors are compromising fully patched FortiGate firewalls, creating generic accounts with VPN access, and exfiltrating firewall configurations within seconds, indicating automated activity.
- Fortinet advises customers to restrict administrative access to management interfaces, disable the FortiCloud SSO feature, and rotate all credentials if any indicators of compromise are detected, as the issue applies to all SAML SSO implementations.

👁️ Dark Reading | darkreading.com/cloud-security
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

Pwn2Own Automotive Uncovers 76 Zero-Days 🚗
- The Pwn2Own Automotive 2026 competition concluded with security researchers earning over $1 million for exploiting 76 zero-day vulnerabilities in automotive technologies.
- Targets included in-vehicle infotainment (IVI) systems, electric vehicle (EV) chargers, and car operating systems like Automotive Grade Linux.
- Vendors have 90 days to patch these newly disclosed flaws before TrendMicro's Zero Day Initiative publicly releases the details.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

CISA Adds Four Actively Exploited Bugs to KEV 🚨
- CISA has updated its Known Exploited Vulnerabilities (KEV) catalog with four actively exploited flaws impacting enterprise software. Federal Civilian Executive Branch (FCEB) agencies must patch these by February 12, 2026.
- The vulnerabilities include a PHP remote file inclusion in Synacor Zimbra Collaboration Suite (CVE-2025-68645), an authentication bypass in Versa Concerto SD-WAN (CVE-2025-34026), and an improper access control flaw in Vite Vitejs (CVE-2025-31125).
- Also added is CVE-2025-54313, an embedded malicious code vulnerability in `eslint-config-prettier`, stemming from a supply chain attack that hijacked several npm packages to deliver an information stealer.

🚨 The Hacker News | thehackernews.com/2026/01/cisa
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Critical Telnetd Auth Bypass Exploited for Root Access 🔓
- A coordinated campaign is exploiting CVE-2026-24061, an 11-year-old critical authentication bypass vulnerability in the GNU InetUtils telnetd server.
- The flaw allows attackers to gain root access by leveraging unsanitized environment variable handling, specifically by setting the USER variable to "-f root" when connecting via telnet.
- While Telnet is a legacy component, its prevalence in industrial, legacy, and embedded devices (IoT/OT) makes this easily exploitable bug a concern, with GreyNoise observing automated and some "human-at-keyboard" exploitation attempts.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Chinese Electric Buses Raise National Security Concerns 🚌
- Australia's government is reviewing whether Chinese-made Yutong electric buses, currently in use in major cities, pose a national security risk due to potential remote control capabilities.
- Research from Oslo's public transport authority found that Yutong maintains an over-the-air (OTA) connection, allowing the manufacturer remote access to the Controller Area Network (CAN) bus, which controls driving systems.
- While no "kill switch" or invasive data collection was explicitly found, the inherent risks of connected IoT devices, coupled with China's national intelligence laws, raise concerns about data exfiltration, surveillance, or broader fleet compromise.

👁️ Dark Reading | darkreading.com/cyber-risk/chi

AI-Powered Cyberattack Kits on the Horizon 🤖
- Google's VP of Security Engineering, Heather Adkins, warns CISOs to prepare for a "really different world" where cybercriminals will reliably automate cyberattacks at scale using AI.
- While currently used for small tasks like phishing copy and C2 development, it's "just a matter of time" before full, end-to-end AI toolkits emerge, potentially leading to a "Metasploit moment" for AI-driven threats.
- This shift could mean attackers gain a significant first-mover advantage, forcing defenders to redefine success not by preventing breaches, but by limiting dwell time and damage, potentially through real-time, AI-enabled defensive disruptions.

🕵🏼 The Register | go.theregister.com/feed/www.th

Microsoft Provided BitLocker Keys to FBI 🔒
- Microsoft reportedly provided the FBI with BitLocker encryption keys to unlock laptops of Windows users charged in a fraud indictment, marking the first publicly known instance of such disclosure.
- By default, Microsoft "typically" backs up BitLocker recovery keys to its servers when the service is set up with an active Microsoft account, giving Redmond access to these keys.
- This highlights a trade-off between data recoverability and privacy, as users who choose to store keys with Microsoft relinquish total control over access to their encrypted data, a stark contrast to Apple's Advanced Data Protection where Apple holds fewer keys.

🕵🏼 The Register | go.theregister.com/feed/www.th

Ireland to Legalise Law Enforcement Spyware 🇮🇪
- The Irish government plans to draft legislation to legalise the use of spyware by law enforcement to combat serious crime and security threats.
- The proposed bill would require court authorisation for interception requests and include provisions for electronic scanning equipment to track mobile device identifier data.
- This move aims to strengthen "lawful interception powers" and create a legal basis for "covert surveillance software," with robust safeguards promised to ensure necessity and proportionality.

🗞️ The Record | therecord.media/ireland-plans-

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ActiveExploitation #ZeroDay #Phishing #Vishing #AitM #SocialEngineering #Malware #RMM #SupplyChain #DataPrivacy #Fortinet #CISA #KEV #IoT #AI #NationalSecurity #Geopolitics #InfoSec #CyberAttack #IncidentResponse

B'ad Samurai 🐐🇺🇦 (badsamurai@infosec.exchange)
2026-01-20

The RMM NinjaOne appears to have begun a huge email spam campaign across enterprise users over the last month. @ninjaone.com will feel at home on your SEG's block list.

#rmm

2026-01-20

Finally saw something when installing those malicious #RMM #screenconnect (at https://mkaos.alwaysdata\.net/eStatementSsaGov.msi)

app.any.run/tasks/399383f4-5ab

DeskDay (deskday)
2026-01-13

Datto RMM is landing inside DeskDay ⚡

Alerts, devices, and tickets in one place.
Less tab-hopping. More fixing.

Early access is opening soon.

2026-01-04

🆕 Introducing the Install Matrix: an open-source GitHub repo full of PowerShell scripts that help reduce duplicate work, making it quick and easy to package apps and reducing overhead when updating them.

Check it out! thedxt.ca/2026/01/install-matr

#PowerShell #Intune #EUC #GitHub #RMM

Tedi Heriyanto (tedi@infosec.exchange)
2025-12-31
Zougla.gr (zougla)
2025-12-27
Zougla.gr (zougla)
2025-12-07

Opening of the RMM Racing Motorcycle Museum by the FIM zougla.gr/automoto/moto/egkain

Offensive Sequence (offseq@infosec.exchange)
2025-10-19

🚨 HIGH severity: ConnectWise Automate patched a flaw enabling AiTM update attacks. EU orgs & MSPs at risk of supply chain compromise. Patch immediately, segment RMM, monitor update traffic. No CVE yet. radar.offseq.com/threat/connec #OffSeq #CyberSecurity #RMM #SupplyChain

High threat: ConnectWise fixes Automate bug allowing AiTM update attacks
DeskDay (deskday)
2025-10-08

What if your PSA and RMM were no longer strangers? The DeskDay + NinjaOne integration lets you stop switching tabs or losing alerts and start working as one system. 💜

Want to see it in action? Dive into the full blog here and decide if it’s time to connect your tools. deskday.com/deskday-ninjaone-i

DeskDay PSA + NinjaOne RMM : When your tools start working like a team

2025-09-25 (Thursday): I received an email distributing a malicious installer for an #RMM tool.

More info at github.com/malware-traffic/ind

[Images: screenshot of the email; screenshot of the web page for the malware download; downloaded malware EXE showing digital signature and metadata; scheduled task that keeps the infection persistent.]
DeskDay (deskday)
2025-09-25

MSPs don’t struggle because of lack of tools. They struggle because tools don’t talk to each other. 😰

That’s where the DeskDay + Level RMM integration changes the game. It’s not just about connecting systems; it’s about building a workflow that finally makes sense for MSPs.

Here’s how the integration helps your team move faster and smarter.
Read the full breakdown here: deskday.com/how-deskday-psa-le


2025-09-21

🦠 Malware Analysis
===================

🎯 Threat Intelligence

Executive summary: Recent investigations reveal a repeatable campaign where attackers abuse ConnectWise ScreenConnect installers hosted in open directories to distribute AsyncRAT and a custom PowerShell RAT.
The campaign combines trusted RMM footprints, ClickOnce pivots and payload containers that evade signature-based detection.

Technical details:
• Observed payloads include AsyncRAT and a bespoke PowerShell RAT delivered alongside trojanized ScreenConnect installers.
• Infrastructure enumeration identified multiple hosts (examples: 176.65.139.119, 45.74.16.71, 164.68.120.30) and repeated file names such as logs.ldk, logs.idk, logs.idr ranging from ~60 KB to 3 MB.
• Execution techniques show two distinct code paths: in-memory .NET Assembly.Load for AV‑guarded environments and native injection via libPK.dll::Execute otherwise.
• Persistence mechanisms include scheduled tasks named SystemInstallTask and 3losh with aggressive intervals (every 2–10 minutes).
• Network/C2 tradecraft spans common ports (21/80/111/443) and high ephemeral ranges (30,000–60,000), often wrapped in TLS.

🔹 Attack Chain Analysis
• Initial Access / Phishing: ClickOnce pivots (e.g., police.html → galusa.ac.mz → dual.saltuta.com) delivering a launcher from /Bin/ paths.
• Download: Trojanized ScreenConnect installer retrieved from open directory hosting.
• Execution: Dual paths — Assembly.Load into memory or libPK.dll native injection.
• Persistence: Creation of scheduled tasks with short recurrence.
• C2 / Telemetry: AsyncRAT beaconing over standard and ephemeral ports with TLS.

Impact & analysis: Abusing legitimate RMM installers introduces supply‑chain‑like risk; trusted installer footprints lower detection fidelity and enable long dwell times. Fresh or repackaged containers missing from VirusTotal indicate active re‑use and rapid churn.

Detection guidance:
• Monitor for creation of scheduled tasks named SystemInstallTask/3losh and unusual recurrence intervals.
• Alert on processes performing .NET Assembly.Load from nonstandard locations and on native DLLs named libPK.dll performing injection-like behaviors.
• Hunt for open directory listings exposing logs.ldk|logs.idk|logs.idr and ClickOnce /Bin/ URL patterns.

Mitigations:
• Harden RMM deployment processes, restrict installer hosting and validate installer hashes.
• Block or monitor suspicious open directory access and implement strict egress controls for ephemeral port ranges.
• Enforce application allowlisting and endpoint behavioral detections for in-memory assembly loads and DLL injection.

🔹 AsyncRAT #ScreenConnect #ClickOnce #RMM #C2

🔗 Source: hunt.io/blog/asyncrat-screenco
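The detection guidance above lists three things to look for: the SystemInstallTask/3losh task names, unusually short task recurrence intervals, and URLs carrying the logs.ldk/idk/idr payload names or a ClickOnce-style /Bin/ launcher path. As an added example (not code from hunt.io or the poster), the Python below turns those into a small hunt that runs over constructed Windows "scheduled task created" records (modelled on the task name and TaskContent XML fields of Security event 4698) and a list of observed URLs. The 15-minute threshold, the reading of "/Bin/ URL pattern" as any file served directly under a /Bin/ path segment, and every sample record are assumptions made for the example; the hosts and file names come from the report, except `launcher.exe`, which is a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators from the hunt.io summary above.
SUSPICIOUS_TASK_NAMES = {"systeminstalltask", "3losh"}
PAYLOAD_FILE_RE = re.compile(r"/logs\.(?:ldk|idk|idr)$", re.IGNORECASE)
# Assumption: the "/Bin/ URL pattern" means a launcher served directly under a /Bin/ segment.
CLICKONCE_BIN_RE = re.compile(r"/Bin/[^/?#]+$", re.IGNORECASE)
# Assumption: legitimate tasks on this fleet rarely repeat more often than every 15 minutes.
MAX_BENIGN_INTERVAL_MIN = 15.0

# Task Scheduler XML expresses repetition as an ISO 8601 duration, e.g. <Interval>PT10M</Interval>.
_DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def interval_minutes(duration):
    """Convert an ISO 8601 day/time duration to minutes; None if it does not parse."""
    m = _DURATION_RE.match(duration.strip())
    if not m or not any(m.groups()):
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


@dataclass
class TaskCreatedEvent:
    host: str
    task_name: str  # as logged, e.g. "\SystemInstallTask"
    task_xml: str   # the task definition XML carried in the event


def repetition_interval_minutes(task_xml):
    """Find the first <Interval> element regardless of XML namespace and convert it."""
    root = ET.fromstring(task_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Interval" and el.text:
            return interval_minutes(el.text)
    return None


def assess_task(ev):
    reasons = []
    leaf = ev.task_name.rsplit("\\", 1)[-1].lower()
    if leaf in SUSPICIOUS_TASK_NAMES:
        reasons.append(f"task name '{leaf}' matches a reported persistence task")
    mins = repetition_interval_minutes(ev.task_xml)
    if mins is not None and mins <= MAX_BENIGN_INTERVAL_MIN:
        reasons.append(f"repeats every {mins:g} min")  # worth review, not automatic blocking
    return reasons


def assess_url(url):
    path = urlsplit(url).path
    reasons = []
    if PAYLOAD_FILE_RE.search(path):
        reasons.append("payload container name seen in the campaign")
    if CLICKONCE_BIN_RE.search(path):
        reasons.append("launcher fetched from a /Bin/ path")
    return reasons


def run_hunt(events, urls):
    """Return (subject, reasons) for every record that trips at least one check."""
    findings = []
    for ev in events:
        reasons = assess_task(ev)
        if reasons:
            findings.append((f"{ev.host}:{ev.task_name}", reasons))
    for url in urls:
        reasons = assess_url(url)
        if reasons:
            findings.append((url, reasons))
    return findings


def _task_xml(interval):
    # Minimal constructed task definition with a repeating time trigger.
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><TimeTrigger><Repetition><Interval>{interval}</Interval>"
        "</Repetition></TimeTrigger></Triggers></Task>"
    )


SAMPLE_TASK_EVENTS = [  # constructed records
    TaskCreatedEvent("WS-17", "\\SystemInstallTask", _task_xml("PT2M")),
    TaskCreatedEvent("WS-03", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", _task_xml("P7D")),
    TaskCreatedEvent("WS-09", "\\OneDriveSync", _task_xml("PT10M")),  # interval-only hit
]
SAMPLE_URLS = [  # hosts from the report; "launcher.exe" is a placeholder file name
    "http://176.65.139.119/upload/logs.ldk",
    "https://dual.saltuta.com/Bin/launcher.exe",
    "https://update.example.com/v2/logs.json",
]

if __name__ == "__main__":
    for subject, reasons in run_hunt(SAMPLE_TASK_EVENTS, SAMPLE_URLS):
        print(subject, "->", "; ".join(reasons))
```

The third sample task shows why the interval check is a hunting lead rather than an alert on its own: a benign sync job repeating every 10 minutes trips it too, so it is the combination with a known task name or an unusual action path that should raise severity.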

Tedi Heriyanto (tedi@infosec.exchange)
2025-08-04

RMM Tools: The Good, The Bad, and the Quietly Terrifying: abcbyd.substack.com/p/rmm-tool

#rmm

2025-07-24

🚨 Job Seekers, watch out! 🚨 Proofpoint researchers have observed multiple email campaigns impersonating job interview invites from real companies and recruiters.

These emails claim to offer opportunities via Zoom or Teams, but instead lead recipients to install remote management tools (RMM) like SimpleHelp, ScreenConnect, or Atera.

Here's what you need to know:

💻 What’s the threat?
While RMM tools are used legitimately by IT teams, in the hands of cybercriminals, they function like remote access trojans (RATs)—granting attackers full access to your computer, data, and finances.

📬 In one case, a hacked LinkedIn account posted a real job description but swapped in a malicious Gmail address. Proofpoint later discovered this address being used to send fake interview invites to job seekers who had applied.

🔍 How are they doing it?

Threat actors may:

• Create fake job listings to harvest emails
• Hack recruiter inboxes or LinkedIn accounts
• Use lists of stolen email addresses

🎯 This trend is part of a broader wave of cyberattacks where RMM/RAS (remote access software) is used as the initial payload—blending in with normal traffic before launching further attacks like data theft or ransomware.

⚠️ If you're job hunting, stay alert:

• Double-check email sender names and domains
• Be wary of .exe files or suspicious URLs
• If something feels off, trust your instinct

Read more from our threat research team on threats using RMM tools: proofpoint.com/us/blog/threat-

#OpenToWork #JobSearch #JobScam #RMM

OpenUEM (openuem)
2025-05-16

Did you know that you can download OpenUEM agent and server from Sourceforge? Don't pass up the chance to install an open-source tool. Please visit sourceforge.net/projects/openu and openuem.eu Thanks @sourceforge

OpenUEM (openuem)
2025-05-15

OpenUEM Server 0.7.0 is out. Multi-tenancy is now supported so you can create different organizations and sites. Please, read the release notes before upgrading openuem.eu/docs/Release%20Note
