Don’t Let Remote Management Software Contribute to Building Botnets

January 11, 2017

Many IT departments have undergone some serious changes over the last couple of years when it comes to support and management of devices and applications. Mobile users, scattered offices and different virtualization solutions make it almost impossible for IT professionals to maintain traditional on-site support.

Spooky Action at a Distance

Some corporations have adopted remote management software to update their IT support models. Remote control has also made headlines recently for the wrong reasons, with miscreants building botnets out of remotely controlled IoT devices to conduct large-scale, disruptive attacks. It’s critical for IT teams to detect and manage remote management software, and the devices it reaches, so that attackers cannot turn the same capability against them.

Remote management software, sometimes called remote access software, enables users to remotely control a computer. There is a slight difference between pure remote management and remote access. The management part can consist of remote patch management, remote configuration management or monitoring options, for example. In most cases, however, IT professionals refer to remote management as the ability to control a computer from a distance.

Remote management software enables an IT team to:

  • Provide support to a larger customer base;
  • Reduce the overhead costs of traveling;
  • Operate from a central workplace; and
  • Provide support anytime from anyplace with an internet connection.

But these capabilities come at a price. In most cases, remote management software must accept or initiate a network connection to the managed client in order to function, which means there is a listening service or an outbound channel that an attacker can try to abuse. If you are security-conscious, the term “remote control” should almost always raise red flags, as many cybercriminal schemes boil down to remotely controlling devices.

Dangers of Remote Management Software

Remote management software can put your organization at risk in a variety of ways. To protect your network, it’s essential to be aware of these risks and know how to detect them in your network.

Weak Credentials

Only authorized users with the correct access credentials should be allowed to remotely control a computer. These access credentials are often stored in a central authentication database. It’s critical to use good password policies or certificate management policies for these remotely accessible accounts.

To protect against unauthorized use of remote management software, IT managers should:

  • Require strong password credentials and prompt users to change them frequently;
  • Use two-factor authentication for remote login;
  • Require the regular user’s consent to start a remote management session;
  • Limit access to a group of controlled users;
  • Implement revocation procedures to block accounts or revoke certificates; and
  • Closely monitor activity.

Weak Controls

There is no reason to allow the entire internet to access your remote access tools. Restricting remote access to connections coming from a trusted network limits an attacker’s ability to infiltrate your network. IT managers should allow remote management connections only from a small, known set of network devices, route all sessions through jump hosts, and monitor the resulting network activity so that a session from any other source stands out.

Vulnerable Applications

Vulnerabilities have plagued several popular remote management tools in the past, enabling miscreants to access systems without knowing valid credentials at all. IT managers should keep their remote management tools current through a proper patch management and vulnerability management program so that such flaws are closed before they are exploited.

Unauthorized Software

The biggest problem with remote access software stems from the tools you don’t control. Sometimes remote branch offices connect to the internet through basic, low-cost routers, for example. Some of these routers actually have built-in remote management capabilities. If configured properly, the remote access feature would only be available from a controlled network.

This is not always the case, however. The Mirai botnet, for example, enlisted home routers and Internet of Things (IoT) devices to build a massive botnet that caused several disruptive attacks. Mirai scanned for devices that still accepted common, factory-default usernames and passwords and used those logins to infect them with its malware. The infected devices continued to function normally, so many victims were unaware that their devices were being accessed by unauthorized actors.

End users can also install remote access software to reach their desktops from home. Most of this software is installed with good intent, but in some cases cybercriminals plant remote management tools as malware to snoop on users’ activities. Some operating systems even ship with built-in remote access services; unless they are needed, these should be disabled when machines are deployed.

To detect unauthorized remote management software, IT managers should:

  • Raise awareness among users about possible security issues;
  • Scan internal networks for unauthorized software;
  • Scan from the public internet;
  • Use software management to detect unauthorized software;
  • White-list applications to prevent unauthorized software;
  • Review outgoing network flows, using threat intelligence and knowledge of your own network, to spot unauthorized remote management traffic; and
  • Apply proper firewalling and segmentation.
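Two of the controls above, allowing remote management only from known jump hosts (see Weak Controls) and reviewing network flows for unauthorized remote management traffic, can be checked with the same piece of logic. The following Python script is an added example written for this article, not code from the original post or from any product. The port-to-tool table, the jump-host subnet, the internal address ranges and the flow records are all constructed for the illustration and would be replaced with your own inventory and flow export.

```python
import ipaddress
from collections import namedtuple

# TCP ports used by common remote management / remote access tools.
# Assumption: extend this table with whatever tools are sanctioned locally.
REMOTE_MGMT_PORTS = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP",
    5900: "VNC",
    5938: "TeamViewer",
    5985: "WinRM-HTTP",
    5986: "WinRM-HTTPS",
    7070: "AnyDesk",
}

# Constructed for this example: the jump-host subnet that is allowed to
# initiate remote management sessions, and the organisation's internal ranges.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.100.0/24")]
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

Flow = namedtuple("Flow", "ts src sport dst dport proto")


def parse_flow(line):
    """Parse one flow record: '<timestamp> <src> <sport> <dst> <dport> <proto>'."""
    ts, src, sport, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def is_allowed_source(addr):
    return any(addr in net for net in ALLOWED_SOURCES)


def classify(flow):
    """Return a finding for a suspicious remote management flow, or None."""
    tool = REMOTE_MGMT_PORTS.get(flow.dport)
    if tool is None or flow.proto != "tcp":
        return None
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    if not src_in and dst_in:
        # Remote management exposed to the whole internet.
        return f"inbound {tool} from the internet: {flow.src} -> {flow.dst}"
    if src_in and dst_in and not is_allowed_source(flow.src):
        # Internal session that did not originate on a jump host.
        return f"internal {tool} from non-jump host: {flow.src} -> {flow.dst}"
    if src_in and not dst_in:
        # A device phoning home to a remote management service outside.
        return f"outbound {tool} to external host: {flow.src} -> {flow.dst}"
    return None


def detect(lines):
    """Run classify() over flow records, skipping blanks and '#' comments."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        finding = classify(parse_flow(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample flow export (one flow per line).
SAMPLE_FLOWS = """
# timestamp            src            sport  dst           dport proto
2017-01-10T08:01:12  10.0.100.5     51022  10.0.20.15    3389  tcp
2017-01-10T08:03:40  198.51.100.23  40211  10.0.20.15    3389  tcp
2017-01-10T08:05:02  10.0.30.77     45678  10.0.20.15    5900  tcp
2017-01-10T08:07:55  192.168.1.10   49152  203.0.113.9   5938  tcp
2017-01-10T08:09:13  10.0.30.77     50001  10.0.20.15    443   tcp
""".splitlines()


if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS):
        print(finding)
```

Run it against a NetFlow or firewall log export converted to the one-flow-per-line format shown. Every flow it reports is one of three things the checklist asks you to find: an inbound remote management attempt from the internet, an internal session that did not originate on a jump host, or a device reaching out to a remote management service outside the perimeter. The RDP session from the jump-host subnet and the ordinary HTTPS flow in the sample are left alone.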

Incident Response

If you find unauthorized remote access software running on your network, do not panic, and try not to destroy evidence. You might be tempted to cut the remote connection right away, but that would also cut off your chance to learn what is really going on. Unless ongoing damage or data loss forces immediate containment, observe the situation first and weigh your options. To bolster your investigation, collaborate with the HR team to collect as much data as possible related to:

  • The source of the connection;
  • The type of software and communication protocol that is being used;
  • The number of users, accounts or devices involved;
  • The time frame of the remote connections; and
  • Possible data leakage.

Try to reroute the remote connection to a host that is under your control. This can be done by reimaging the original target, applying network reroutes or filters or luring the remote user or attacker to another controlled, isolated system. Safeguard all relevant application logs, network captures, memory and disk images of the target system.

With all this information, you should be able to conclude whether remote management software was installed innocuously or if it points to a more serious problem.

Koen Van Impe
Security Analyst

Koen Van Impe is a security analyst who worked at the Belgian national CSIRT and is now an independent security researcher. He has a twitter feed (@cudes...