
"According to researchers at Huntress, the unknown threat actor is leveraging NetworkLookout's Net Monitor for Employees Professional - which, despite its name, includes remote access tools - and SimpleHelp, a suite of tools commonly used by IT teams and managed service providers for remote monitoring and management. These applications might already be in use in an IT environment, or are downloaded by the attacker once they get network access."
"It offers a lightweight agent, support for gateway redundancy, and the ability to operate over common ports. Net Monitor for Employees, whose purpose is to catch employees wasting work time on illegal activity, is used here as a primary remote access channel. To a threat actor, it offers reverse connections over common ports, process and service name masquerading, built-in shell execution, and the ability to silently deploy via standard Windows installation mechanisms."
A threat actor leverages Net Monitor for Employees Professional and SimpleHelp to gain remote control of compromised systems and disguise malicious activity. Net Monitor provides reverse connections over common ports, process and service name masquerading, built-in shell execution, and silent deployment via standard Windows installers. SimpleHelp provides a lightweight agent, gateway redundancy, and operation over common ports, enabling persistent remote management. The attacker used the tools to attempt Crazy ransomware deployment in one case and to search for cryptocurrency-related keywords in another. Initial access came via a vendor's compromised VPN account in at least one incident.
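As an added detection example (not code from the article or from Huntress), the following Python reviews service-install events for the two RMM products named above and flags any installed on a host that IT has not approved; because the article notes that the tools can masquerade their service and process names, it also flags services launched from user-writable directories. The log lines, hostnames, image paths and allowlist are constructed for this example.

```python
import re

# Constructed sample events shaped like Windows System-log "service installed"
# records (Event ID 7045). Hostnames and paths are made up for the example.
SAMPLE_EVENTS = [
    "EventID=7045 Host=WS-ACCT-07 ServiceName=SimpleHelp Remote Access ImagePath=C:\\ProgramData\\rmm\\Remote Access.exe",
    "EventID=7045 Host=IT-ADMIN-01 ServiceName=SimpleHelp Remote Access ImagePath=C:\\ProgramData\\rmm\\Remote Access.exe",
    "EventID=7045 Host=WS-FIN-12 ServiceName=WinUpdateSvc ImagePath=C:\\Users\\Public\\netmonitor\\agent.exe",
    "EventID=7045 Host=WS-FIN-12 ServiceName=Net Monitor for Employees ImagePath=C:\\Program Files\\nm\\nmsvc.exe",
    "EventID=7045 Host=WS-HR-03 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe",
]

RMM_KEYWORDS = ("simplehelp", "net monitor")      # product names from the article
# (host, product) pairs IT has approved for remote management; assumed inventory.
APPROVED = {("IT-ADMIN-01", "simplehelp")}
# Directories a standard user can write to; a service binary here is unusual.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

LINE_RE = re.compile(
    r"EventID=(?P<id>\d+) Host=(?P<host>\S+) ServiceName=(?P<name>.+?) ImagePath=(?P<path>.+)$"
)


def parse_event(line):
    """Return the fields of a 7045 event as a dict, or None for anything else."""
    m = LINE_RE.match(line)
    if not m or m.group("id") != "7045":
        return None
    return m.groupdict()


def classify(event):
    """Return a finding label for a parsed event, or None if it looks benign."""
    text = (event["name"] + " " + event["path"]).lower()
    for product in RMM_KEYWORDS:
        if product in text:
            if (event["host"], product) in APPROVED:
                return None                      # known, IT-managed install
            return f"unapproved-rmm:{product}"
    # Masqueraded names defeat keyword matching, so also look at where the
    # service binary lives: user-writable paths are rarely used by real services.
    if any(d in event["path"].lower() for d in USER_WRITABLE):
        return "service-from-user-writable-path"
    return None


def find_suspicious(lines):
    """Parse the lines and return (host, service name, label) for each finding."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and (label := classify(ev)):
            findings.append((ev["host"], ev["name"], label))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

The renamed WinUpdateSvc entry is caught only by the path heuristic, which is the point of pairing the two checks rather than relying on product names alone.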
Read at Computerworld