An unknown threat actor is abusing a remote management tool called #TiFLUX as an initial access vector, targeting a broad range of potential victims by email. The attacks using this Brasil-originated commercial utility began in February, but really ramped up in April and the beginning of this month.

The lures employ a variety of #spam tropes, including bogus event invitations and business invoices/bills.

TiFLUX seems uniquely vulnerable to this kind of abuse; The installer package also installs an old version of UltraVNC as well as a vulnerable #loldriver that can elevate privileges. Weirdest of all, the attackers are also using this RMM to deploy other heavily-abused RMMs, including #Splashtop and #ScreenConnect to the devices that get hit. Those RMMs are connecting to IP addresses associated with known bulletproof hosts.

This is my first post at the @huntress blog: https://www.huntress.com/blog/tiflux-rmm-install

#malware #RMM #RogueRMM

CVE Alert: CVE-2022-50693 - Splashtop - Splashtop - https://www.redpacketsecurity.com/cve-alert-cve-2022-50693-splashtop-splashtop/

#OSINT #ThreatIntel #CyberSecurity #cve-2022-50693 #splashtop #