Hackers abuse UltraVNC, Splashtop, and ScreenConnect to hijack business PCs

  • Huntress uncovered a phishing campaign delivering legitimate RMM tools (Tiflux, UltraVNC, Splashtop, ScreenConnect) to gain persistence and exfiltrate business data
  • Attackers lure victims with fake “Network Solutions” service agreement emails, then abuse a vulnerable driver (HwRwDrv.x64) for privilege escalation
  • Evidence points to Brazilian infrastructure and targets, with defenses hinging on strict RMM auditing, asset inventories, and log reviews against LOLRMM databases

Cybercriminals are abusing a whole swathe of legitimate programs, including Tiflux, UltraVNC, Splashtop, and ScreenConnect, to take control of business computers, establish persistence, and continuously exfiltrate sensitive data. This is according to security researchers at Huntress, who detailed the new campaign in an in-depth research paper.

The attack starts with a carefully crafted phishing email, usually themed around an “updated Service Agreement from Network Solutions”. The email claims that Network Solutions has modified its pricing statements and services and instructs the target to visit a page where they can review...

Copyright of this story solely belongs to techradar.com.