Many IT departments have undergone some serious changes over the last couple of years when it comes to support and management of devices and applications. Mobile users, scattered offices and different virtualization solutions make it almost impossible for IT professionals to maintain traditional on-site support.

Spooky Action at a Distance

Some corporations have adopted remote management software to update their IT support models. These tools have made headlines recently, with miscreants building botnets by remotely controlling IoT devices to conduct large-scale, disruptive attacks. It’s critical for IT teams to detect and manage remote management software and devices to protect them from attackers.

Remote management software, sometimes called remote access software, enables users to remotely control a computer. There is a slight difference between pure remote management and remote access. The management part can consist of remote patch management, remote configuration management or monitoring options, for example. In most cases, however, IT professionals refer to remote management as the ability to control a computer from a distance.

Remote management software enables an IT team to:

  • Provide support to a larger customer base;
  • Reduce the overhead costs of traveling;
  • Operate from a central workplace; and
  • Provide support anytime from anyplace with an internet connection.

But these capabilities come at a price. In most cases, remote management software must connect to a client to function. If you are security-conscious, the term “remote control” should almost always raise red flags, as many cybercriminal schemes involve remotely controlling devices.

Dangers of Remote Management Software

Remote management software can put your organization at risk in a variety of ways. To protect your network, it’s essential to be aware of these risks and know how to detect them in your network.

Weak Credentials

Only authorized users with the correct access credentials should be allowed to remotely control a computer. These access credentials are often stored in a central authentication database. It’s critical to use good password policies or certificate management policies for these remotely accessible accounts.

To protect against unauthorized use of remote management software, IT managers should:

  • Require strong password credentials and prompt users to change them frequently;
  • Use two-factor authentication for remote login;
  • Require the regular user’s consent to start a remote management session;
  • Limit access to a group of controlled users;
  • Implement revocation procedures to block accounts or revoke certificates; and
  • Closely monitor activity.

Weak Controls

There is no reason to allow the entire internet to access your remote access tools. Restricting remote access to connections coming from a trusted network will limit fraudsters’ ability to infiltrate your network. IT managers should restrict remote management access to a small, controlled set of network devices, use jump hosts to initiate remote access and monitor network activity.

Vulnerable Applications

Vulnerabilities have plagued several popular remote management tools in the past, enabling miscreants to access systems without having to know the correct credentials. IT managers should regularly update their remote management tools through a proper patch management and vulnerability management program to close these vulnerabilities.

Unauthorized Software

The biggest problem with remote access software stems from the tools you don’t control. Sometimes remote branch offices connect to the internet through basic, low-cost routers, for example. Some of these routers actually have built-in remote management capabilities. If configured properly, the remote access feature would only be available from a controlled network.

This is not always the case, however. The Mirai botnet, for example, made use of home routers and Internet of Things (IoT) devices to build a massive botnet that caused several disruptive attacks. Mirai identified vulnerable devices with common, factory-default usernames and passwords to infect devices with Mirai malware. The devices continued to function normally, so many victims were unaware that their devices were being accessed by unauthorized actors.

End users can also install remote access software to remotely access their desktops. Most of this software is installed with good intent. In some cases, cybercriminals install remote management tools as malware to snoop on users’ activities. Some operating systems even have built-in remote access tools that should be disabled when machines are deployed.

To detect unauthorized remote management software, IT managers should:

  • Raise awareness among users about possible security issues;
  • Scan internal networks for unauthorized software;
  • Scan from the public internet;
  • Use software management to detect unauthorized software;
  • White-list applications to prevent unauthorized software;
  • Review outgoing networking flows using intelligence and network information to spot unauthorized remote management flows; and
  • Apply proper firewalling and segmentation.

Incident Response

If you find unauthorized remote access software running on your network, do not panic, and try not to destroy evidence. You might be tempted to disconnect the remote connection, which would prevent you from learning what is really going on. Instead of cutting the connection, try to observe the situation and weigh your options. To bolster your investigation, collaborate with the HR team to collect as much data as possible related to:

  • The source of the connection;
  • The type of software and communication protocol that is being used;
  • The number of users, accounts or devices involved;
  • The time frame of the remote connections; and
  • Possible data leakage.
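The two lists above (reviewing outgoing network flows for unauthorized remote management traffic, and collecting the source, protocol, device count and time frame of the connections during incident response) can be turned into a small piece of detection logic. The following script is an added example and not code from the original article: it assumes a constructed connection-log format of `timestamp src_ip dst_ip dst_port proto`, a constructed set of authorized jump hosts (`AUTHORIZED_SOURCES`), a constructed internal address range (`INTERNAL_NET`) and a port-to-tool table that covers only well-known default ports, so a tool running on a non-default port would need its own entry or a signature-based detector.

```python
"""Flag remote management flows from unauthorized sources and summarise
them per source for incident response.

Added example, not part of the original article. The log format, the
sample log lines, the jump-host allowlist and the internal network range
are all constructed for this example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Well-known default ports of common remote management protocols/tools.
# Only default ports are covered; tools on non-default ports need other signals.
REMOTE_MGMT_PORTS = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP",
    5900: "VNC",
    5938: "TeamViewer",
}

# Jump hosts that are allowed to initiate remote management sessions (constructed).
AUTHORIZED_SOURCES = {"10.0.0.5"}

# Address range considered internal (constructed); anything else is external.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample connection log: "timestamp src_ip dst_ip dst_port proto".
SAMPLE_LOG = """\
2023-05-01T08:00:12 10.0.0.5 10.0.1.20 3389 tcp
2023-05-01T08:03:45 10.0.1.33 10.0.1.20 5900 tcp
2023-05-01T08:10:02 10.0.1.33 10.0.1.21 5900 tcp
2023-05-01T08:15:30 10.0.1.40 198.51.100.7 5938 tcp
2023-05-01T08:20:00 10.0.1.40 93.184.216.34 443 tcp
2023-05-01T09:00:00 10.0.1.33 10.0.1.22 5900 tcp
"""


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on malformed input."""
    ts, src, dst, port, proto = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "port": int(port),
        "proto": proto,
    }


def find_unauthorized_flows(log_text, authorized=AUTHORIZED_SOURCES):
    """Return flows on remote management ports whose source is not a jump host."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        tool = REMOTE_MGMT_PORTS.get(rec["port"])
        if tool is None or rec["src"] in authorized:
            continue
        rec["tool"] = tool
        rec["external_dst"] = ipaddress.ip_address(rec["dst"]) not in INTERNAL_NET
        flagged.append(rec)
    return flagged


def summarize_by_source(flows):
    """Group flagged flows by source: tools seen, distinct devices, time frame,
    and how many flows left the internal network (a likely exfiltration path)."""
    by_src = defaultdict(list)
    for flow in flows:
        by_src[flow["src"]].append(flow)
    summary = {}
    for src, recs in by_src.items():
        times = [r["time"] for r in recs]
        summary[src] = {
            "tools": sorted({r["tool"] for r in recs}),
            "devices": len({r["dst"] for r in recs}),
            "flows": len(recs),
            "external_destinations": sum(1 for r in recs if r["external_dst"]),
            "first_seen": min(times).isoformat(),
            "last_seen": max(times).isoformat(),
        }
    return summary


if __name__ == "__main__":
    for src, info in summarize_by_source(find_unauthorized_flows(SAMPLE_LOG)).items():
        print(src, info)
```

On the constructed log, the jump host's RDP session is accepted, the workstation `10.0.1.33` is reported for VNC sessions to three different devices over roughly an hour, and `10.0.1.40` is reported for a single TeamViewer-port connection to an external address, which is the kind of outgoing flow the checklist above asks you to review. The summary fields map directly onto the incident response questions: source, type of software, number of devices involved, time frame and whether data left the network.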

Try to reroute the remote connection to a host that is under your control. This can be done by reimaging the original target, applying network reroutes or filters or luring the remote user or attacker to another controlled, isolated system. Safeguard all relevant application logs, network captures, memory and disk images of the target system.

With all this information, you should be able to conclude whether remote management software was installed innocuously or if it points to a more serious problem.
