
ScreenConnect Admins Alerted to Spoofed Login Attacks

Summary

– ScreenConnect cloud administrators are targeted with fake email alerts aiming to steal Super Admin login credentials and MFA tokens.
– Attackers use Amazon SES to send spear-phishing emails to senior IT professionals with elevated ScreenConnect privileges.
– The phishing campaign employs the EvilGinx framework to create fake login portals that capture credentials and bypass MFA.
– This activity is linked to ransomware operations, as harvested credentials enable rapid lateral movement and ransomware deployment across multiple endpoints.
– Organizations should train IT staff, deploy conditional access policies, implement phishing-resistant MFA, and monitor for unusual admin activities.

ScreenConnect cloud administrators are currently facing a sophisticated phishing campaign designed to steal their login credentials and multi-factor authentication tokens. This targeted attack aims to compromise Super Admin accounts, granting threat actors complete control over organizational ScreenConnect deployments and creating significant security risks.

The campaign employs carefully crafted emails that mimic legitimate ScreenConnect security alerts, sent through Amazon’s Simple Email Service to senior IT staff with elevated system privileges. These messages appear authentic, leveraging ConnectWise branding to deceive recipients into believing they are responding to a real security notification.

Attackers are using the EvilGinx framework to create convincing phishing portals that mirror actual ScreenConnect login pages. This open-source tool acts as a reverse proxy, intercepting user inputs and capturing not only usernames and passwords but also session cookies. By harvesting these cookies, threat actors can bypass multi-factor authentication protections, gaining persistent access to compromised accounts.

Security researchers have linked this campaign to ransomware operations, noting that stolen Super Admin credentials allow attackers to push malicious ScreenConnect clients across multiple endpoints simultaneously. This capability enables rapid lateral movement within networks and facilitates widespread ransomware deployment. Managed service providers represent a particularly attractive target, as breaching their systems can provide access to numerous client organizations.

To defend against these threats, organizations should provide specialized training to IT staff focused on identifying ScreenConnect-themed phishing attempts. Implementing conditional access policies that restrict admin logins to organization-managed devices adds a critical layer of protection. Additionally, adopting phishing-resistant multi-factor authentication methods helps safeguard accounts even if credentials are compromised.

Enabling detailed logging for authentication events and administrative activities allows security teams to detect unusual behavior, such as unexpected client deployments or configuration modifications. Continuous monitoring and prompt investigation of suspicious admin actions can help identify breaches before they escalate into full-scale ransomware incidents.
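As an added illustration of the monitoring the paragraph above recommends (example code, not from the original article or from ConnectWise), the following Python flags a Super Admin login from an address outside that account's usual baseline and a burst of client deployments to many distinct hosts within a short window. The event field names, user names and IP addresses are constructed assumptions, not ScreenConnect's real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events. The field names are an assumption made for this
# example and do not reflect ScreenConnect's actual log schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "sa.jane", "action": "login", "src_ip": "203.0.113.10", "target": "-"},
    {"ts": "2024-05-01T09:01:10", "user": "sa.jane", "action": "deploy_client", "src_ip": "203.0.113.10", "target": "ws-01"},
    {"ts": "2024-05-01T09:01:15", "user": "sa.jane", "action": "deploy_client", "src_ip": "203.0.113.10", "target": "ws-02"},
    {"ts": "2024-05-01T09:01:21", "user": "sa.jane", "action": "deploy_client", "src_ip": "203.0.113.10", "target": "ws-03"},
    {"ts": "2024-05-01T09:01:30", "user": "sa.jane", "action": "deploy_client", "src_ip": "203.0.113.10", "target": "srv-db"},
    {"ts": "2024-05-01T09:02:02", "user": "sa.jane", "action": "deploy_client", "src_ip": "203.0.113.10", "target": "srv-file"},
    {"ts": "2024-05-01T10:00:00", "user": "sa.bob", "action": "login", "src_ip": "198.51.100.7", "target": "-"},
    {"ts": "2024-05-01T10:05:00", "user": "sa.bob", "action": "deploy_client", "src_ip": "198.51.100.7", "target": "ws-09"},
    {"ts": "2024-05-01T11:30:00", "user": "sa.bob", "action": "deploy_client", "src_ip": "198.51.100.7", "target": "ws-10"},
]

# Baseline of source addresses each Super Admin normally logs in from (constructed).
KNOWN_ADMIN_IPS = {"sa.jane": {"198.51.100.5"}, "sa.bob": {"198.51.100.7"}}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_admin_activity(events, known_ips, window=timedelta(minutes=10), deploy_threshold=5):
    """Return findings for (a) admin logins from an address outside the user's baseline and
    (b) bursts of client deployments to many distinct hosts inside a short window."""
    findings = []
    by_user = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_user[event["user"]].append(event)
    for user, user_events in by_user.items():
        for event in user_events:
            if event["action"] == "login" and event["src_ip"] not in known_ips.get(user, set()):
                findings.append({"user": user, "rule": "login_from_unknown_ip",
                                 "ts": event["ts"], "src_ip": event["src_ip"]})
        deploys = [e for e in user_events if e["action"] == "deploy_client"]
        start = 0
        for end in range(len(deploys)):
            # Slide the window start forward until the span of deployments fits within `window`.
            while _ts(deploys[end]) - _ts(deploys[start]) > window:
                start += 1
            hosts = {d["target"] for d in deploys[start:end + 1]}
            if len(hosts) >= deploy_threshold:
                findings.append({"user": user, "rule": "client_deploy_burst",
                                 "ts": deploys[end]["ts"], "hosts": sorted(hosts)})
                break  # one burst finding per user is enough to raise an alert
    return findings
```

The thresholds are deliberately conservative starting points; tune the window and host count to each deployment's normal administrative cadence so that routine rollouts do not drown the alert.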

Staying informed through reliable cybersecurity news sources ensures that organizations remain aware of emerging threats and can adapt their defenses accordingly. Proactive security measures and ongoing staff education are essential in mitigating risks associated with these increasingly sophisticated phishing campaigns.

(Source: HelpNet Security)
