You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall, cyber criminals targeted organizations with a phishing campaign to download RMM software. While this particular scheme used ScreenConnect (now ConnectWise Control) and AnyDesk RMM tools, organizations should be cautious of other tools in the future as criminals adapt to new software vectors.

Stealing money and gaining access

While actual RMM software is legitimate, last year, criminals used those downloads to steal money in a refund scheme. After coaxing victims to log into their bank accounts, malicious actors then accessed the victim’s banks through the RMM summary. Because the victims saw a fraudulent summary that showed a refund, the criminals convinced them to refund the overpayment. In addition to getting the fraudulent refund, the criminals could now access bank account information as well as the network.

The scheme also used portable executables to gain local accesses, which bypassed the authentication and verification protocols. RMM tools are especially vulnerable to these types of schemes because the self-contained, portable executables give access similar to admin privilege. Once they have access to devices and networks, the criminals can sell victim account access to other cyber criminals or advanced persistent threat (APT) actors.

For most phishing schemes and malicious downloads, anti-virus and anti-malware provide protection. However, RMM software usually flies under the radar of these tools, making the malicious file difficult to detect. Criminals can save themselves time and money by leveraging an existing tool rather than creating custom malware tools. As malicious actors become more efficient, legitimate users suffer.

Additionally, the users of RMM software — managed service providers (MSPs) and IT help desks — make this scheme attractive and lucrative. Once they infiltrate these organizations, they gain access to the MSPs’ customers and can attack even more organizations. As MSPs depend on their customer’s trust, attacks such as these can have significant damage to their reputation and business growth.

Protecting against similar schemes

Because these attacks have been highly successful and have a high potential for damage, organizations should proactively protect against RMM schemes. The CISA recommends the following steps:

• Focus on blocking phishing emails. By using software and tools, you can reduce the number of phishing schemes that get in front of employees. CISA recommends using protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-Based Message Authentication, Reporting and Conformance (DMARC).
• Monitor RMM use. Identify all RMM tools on your network and determine if they are authorized. Check logs of all portable executables associated with RMS software to look for any suspicious activity. You should also look for cases where the RMM software is not downloaded but put only into memory. If you suspect malicious RMM software, consider blocking connections at the network perimeter for common ports used by RMM.
• Provide training. Provide training for employees on general phishing best practices, as well as specifically on RMM download emails.

While the latest scheme targets RMM software, these tools offer many cybersecurity benefits. Instead of discontinuing their use, organizations should be aware of the risks and take precautions. By staying on top of the latest trend for attacks, you can reduce your vulnerabilities to RMM software schemes while still reaping the benefits of these useful tools.