Close Menu
Cybercrime and Ransomware

New Attack Targets ScreenConnect Cloud Administrators to Steal Login Credentials

Staff WriterBy No Comments3 Mins Read3 Views

Fast Facts

  1. A sophisticated spear phishing campaign, MCTO3030, has targeted ScreenConnect cloud admins since 2022, using low-volume email strategies and convincing domains to evade detection.
  2. Attackers exploit Amazon SES to send authentic-looking phishing emails, prompting victims to click “Review Security,” which leads to impersonation sites mimicking legitimate ScreenConnect login pages.
  3. The campaign employs advanced adversary-in-the-middle techniques with EvilGinx, intercepting credentials and MFA tokens in real-time, allowing persistent access despite multi-factor authentication defenses.
  4. Harvested super admin credentials serve as entry points for subsequent ransomware attacks, notably linked to Qilin ransomware, facilitating widespread malicious deployment across multiple endpoints.

What’s the Problem?

A highly advanced phishing campaign, known as MCTO3030, has been targeting high-level ScreenConnect cloud administrators since 2022, aiming to steal their super administrator credentials. This operation employs carefully crafted spear phishing emails sent through Amazon Simple Email Service, leveraging trusted cloud infrastructure to bypass email defenses. The emails falsely alert recipients about suspicious login activity, cleverly urging immediate action, and leading them to sophisticated fake login pages that imitate legitimate ScreenConnect portals. The attackers use domain names that resemble official ones, such as connectwise.com.ar, to instill credibility. Once a victim interacts with these fake pages, their login details—including multi-factor authentication codes captured via the EvilGinx framework—are intercepted in real-time, granting attackers persistent access. This stolen access is then exploited to distribute ransomware—specifically Qilin ransomware—foisting malicious clients across multiple endpoints, thereby compromising organizations’ critical systems. The campaign’s technical complexity and strategic use of cloud infrastructure reveal a deliberate effort to remain undetected and enable sustained, damaging cyberattacks.

Risk Summary

A highly sophisticated spear-phishing campaign, dubbed MCTO3030, has been targeting ScreenConnect cloud administrators since 2022, primarily focusing on senior IT staff with elevated privileges. Employing low-volume but highly targeted email campaigns via Amazon SES, attackers craft convincing messages—claiming suspicious login activity from unusual locations—to prompt urgent actions. The campaign’s technical prowess is exemplified by its use of advanced adversary-in-the-middle techniques with the EvilGinx framework, enabling real-time interception of login credentials and MFA tokens while bypassing modern authentication defenses. Harvested super administrator credentials serve as initial footholds, allowing attackers to deploy ransomware by pushing malicious ScreenConnect clients across multiple endpoints. The attackers also enhance credibility through convincingly impersonated domains using country-specific top-level domains that resemble legitimate ConnectWise portals. This persistent threat underscores significant cybersecurity risks, as compromised credentials can facilitate widespread ransomware infections, disrupt operations, and compromise sensitive data, highlighting the need for enhanced detection and defense strategies against such high-level, strategically operated threats.

Possible Remediation Steps

Prompt remediation is vital when facing emerging cyber threats like the new attack targeting ScreenConnect Cloud administrators, as swift actions help prevent potential breaches and protect sensitive login credentials from malicious actors.

Mitigation Strategies

  • Implement multi-factor authentication (MFA) to add an additional security layer.
  • Regularly update and patch the ScreenConnect platform to fix known vulnerabilities.
  • Enforce strong, unique passwords for administrator accounts.
  • Conduct security awareness training tailored to identify phishing and social engineering tactics.

Remediation Actions

  • Immediately reset compromised credentials and notify affected administrators.
  • Monitor system logs intensely for suspicious or unauthorized activities.
  • Isolate affected accounts or systems to contain potential breaches.
  • Perform comprehensive security audits and vulnerability assessments to identify and rectify weaknesses.
  • Engage with cybersecurity professionals for advanced threat analysis and tailored response plans.

Advance Your Cyber Knowledge

Stay informed on the latest Threat Intelligence and Cyberattacks.

Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.