Current Cyber Threats

ScreenConnect Super Admin Credential Harvesting

Summary:
Mimecast Threat Research has uncovered an ongoing spear-phishing operation, MCTO3030, that has been active since 2022 and is notable for its persistence and careful operational security. Unlike large-scale phishing blasts, this campaign runs in low volumes of up to 1,000 emails per wave, which allows it to avoid widespread detection and remain under the radar. The primary targets are senior IT professionals, administrators, and security personnel with super administrator privileges in ScreenConnect environments, since these accounts provide the highest level of access to remote management infrastructure across an organization. The attackers deliver phishing emails through Amazon Simple Email Service accounts, which are either compromised or obtained from underground markets. Because SES is a trusted platform with high deliverability, it helps the adversaries bypass traditional email security controls. The phishing lures impersonate ScreenConnect security alerts, such as suspicious login activity from unusual IP addresses. Victims who click the embedded “Review Security” button are redirected to spoofed ScreenConnect login portals hosted on domains that mimic legitimate services, often using country code top-level domains and ScreenConnect-themed naming conventions.


Security Officer Comments:
The campaign’s longevity and consistency demonstrate a successful operational model. The threat actors maintain a steady infrastructure, regularly rotate domains, and continue to refine their tactics, techniques, and procedures. Their choice of targets makes the risk especially severe: compromising even a single ScreenConnect super admin account can provide attackers with broad, centralized control over enterprise systems, drastically reducing the time needed to launch ransomware attacks or deploy other malicious tools.


Suggested Corrections:

Mimecast researchers recommend the following mitigations:

User Awareness Training
  • Conduct targeted training for IT staff on ScreenConnect-themed phishing campaigns
  • Educate users about AITM phishing techniques that can bypass traditional MFA
  • Implement regular phishing simulations incorporating ScreenConnect login scenarios

Technical Security Controls
  • Deploy conditional access policies restricting ScreenConnect admin access to organization-managed devices
  • Implement phishing-resistant MFA methods such as FIDO2/WebAuthn for ScreenConnect accounts
  • Enable comprehensive logging for ScreenConnect authentication events and admin activities
  • Monitor for unusual admin activities, including new client deployments or configuration changes

Proactive Threat Hunting
  • Search email logs for domains matching the IOC list or mentioning ScreenConnect or ConnectWise
  • Monitor for authentication attempts to ScreenConnect instances from unexpected IP ranges or geographic locations
  • Hunt for domains following the country code TLD patterns associated with this campaign
  • Review ScreenConnect admin audit logs for unauthorized changes or suspicious client deployments
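An added example, not from the Mimecast report, of the email-log hunt described above in Python: it flags ScreenConnect/ConnectWise-themed link hosts outside the vendor's own domains (noting country-code TLDs), SES-delivered messages whose subject claims a security incident or login anomaly, and vendor-themed subjects from non-vendor senders. The log line format, the sample lines and the .zz placeholder TLD are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Legitimate vendor domains; a ScreenConnect-themed host outside these is a lookalike.
VENDOR_DOMAINS = ("screenconnect.com", "connectwise.com")
THEME_RE = re.compile(r"screenconnect|connectwise", re.I)
ALERT_RE = re.compile(r"suspicious|unusual|login|security|sign-?in", re.I)
# Constructed log line layout: timestamp from=... subject="..." url=...
LINE_RE = re.compile(r'from=(?P<sender>\S+) subject="(?P<subject>[^"]*)" url=(?P<url>\S+)')

# Constructed sample log; .zz is an ISO 3166 user-assigned code used as a placeholder ccTLD.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z from=alerts@notify.amazonses.com subject="ScreenConnect security alert: suspicious login from unusual IP" url=https://screenconnect-review.example.zz/login
2024-05-01T09:15:44Z from=notify@connectwise.com subject="ScreenConnect release notes" url=https://www.screenconnect.com/Login
2024-05-01T10:02:11Z from=hr@corp.example subject="Benefits enrollment" url=https://intranet.corp.example/forms
2024-05-01T10:40:27Z from=billing@mail.amazonses.com subject="Your invoice is ready" url=https://shop.example/invoice
"""

def is_vendor_host(host):
    """True when host is one of the vendor domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def triage(line):
    """Return hunt findings for one log line; an empty list means nothing matched."""
    m = LINE_RE.search(line)
    if not m:
        return []
    sender, subject, url = m.group("sender", "subject", "url")
    host = (urlparse(url).hostname or "").lower()
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    findings = []
    if THEME_RE.search(host) and not is_vendor_host(host):
        note = " (country-code TLD)" if len(host.rsplit(".", 1)[-1]) == 2 else ""
        findings.append("lookalike host " + host + note)
    if sender_domain.endswith("amazonses.com") and ALERT_RE.search(subject):
        findings.append("SES-delivered security-alert lure")
    if THEME_RE.search(subject) and not is_vendor_host(sender_domain):
        findings.append("ScreenConnect/ConnectWise mentioned in subject from non-vendor sender")
    return findings

def hunt(log_text):
    """Map 1-based line numbers to findings, keeping only lines that matched."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        found = triage(line)
        if found:
            results[n] = found
    return results
```

Plain SES use (line 4) and vendor-hosted links (line 2) are deliberately not flagged on their own, so the hunt surfaces the combination the campaign relies on rather than every SES message.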

Email Security Enhancement
  • Identify Amazon SES usage within the organization and from the supply chain to determine whether messages should be accepted at the gateway.
  • Implement advanced URL protection to identify and block AITM phishing infrastructure
  • Consider additional scrutiny for emails claiming security incidents or login anomalies

Link(s):
https://www.mimecast.com/threat-intelligence-hub/screenconnect-super-admin-credential/