Credential harvesting campaign targets ScreenConnect cloud administrators

A sophisticated credential-harvesting campaign has been targeting ScreenConnect cloud administrators for years and may be opening the door to ransomware attacks, researchers at Mimecast said in a blog post released Monday.

The campaign uses compromised Amazon Simple Email Service accounts to spear-phish senior IT administrators who have elevated privileges in ScreenConnect environments. The hackers are targeting super-administrator credentials, which provide extensive control of companies’ remote-access infrastructure, according to Mimecast researchers.

The phishing pages use adversary-in-the-middle techniques and an open-source tool called EvilGinx, which the researchers said allow the hackers to bypass authentication and maintain persistence. The campaign, which began in 2022, has connections to ransomware activity by affiliates of the Qilin group.

Qilin is a sophisticated ransomware-as-a-service actor linked to multiple high-profile attacks, including one against media giant Lee Enterprises. The group also claimed credit for the attack against Inotiv earlier this month.

For more details, read the full article here: CyberSecurity Dive

---