June 7, 2023 By Jennifer Gregory 3 min read

You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall, cyber criminals targeted organizations with a phishing campaign to download RMM software. While this particular scheme used ScreenConnect (now ConnectWise Control) and AnyDesk RMM tools, organizations should be cautious of other tools in the future as criminals adapt to new software vectors.

Stealing money and gaining access

While actual RMM software is legitimate, last year, criminals used those downloads to steal money in a refund scheme. After coaxing victims to log into their bank accounts, malicious actors then accessed the victim’s banks through the RMM summary. Because the victims saw a fraudulent summary that showed a refund, the criminals convinced them to refund the overpayment. In addition to getting the fraudulent refund, the criminals could now access bank account information as well as the network.

The scheme also used portable executables to gain local accesses, which bypassed the authentication and verification protocols. RMM tools are especially vulnerable to these types of schemes because the self-contained, portable executables give access similar to admin privilege. Once they have access to devices and networks, the criminals can sell victim account access to other cyber criminals or advanced persistent threat (APT) actors.

For most phishing schemes and malicious downloads, anti-virus and anti-malware provide protection. However, RMM software usually flies under the radar of these tools, making the malicious file difficult to detect. Criminals can save themselves time and money by leveraging an existing tool rather than creating custom malware tools. As malicious actors become more efficient, legitimate users suffer.

Additionally, the users of RMM software — managed service providers (MSPs) and IT help desks — make this scheme attractive and lucrative. Once they infiltrate these organizations, they gain access to the MSPs’ customers and can attack even more organizations. As MSPs depend on their customer’s trust, attacks such as these can have significant damage to their reputation and business growth.

Protecting against similar schemes

Because these attacks have been highly successful and have a high potential for damage, organizations should proactively protect against RMM schemes. The CISA recommends the following steps:

  • Focus on blocking phishing emails. By using software and tools, you can reduce the number of phishing schemes that get in front of employees. CISA recommends using protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-Based Message Authentication, Reporting and Conformance (DMARC).
  • Monitor RMM use. Identify all RMM tools on your network and determine if they are authorized. Check logs of all portable executables associated with RMS software to look for any suspicious activity. You should also look for cases where the RMM software is not downloaded but put only into memory. If you suspect malicious RMM software, consider blocking connections at the network perimeter for common ports used by RMM.
  • Provide training. Provide training for employees on general phishing best practices, as well as specifically on RMM download emails.

While the latest scheme targets RMM software, these tools offer many cybersecurity benefits. Instead of discontinuing their use, organizations should be aware of the risks and take precautions. By staying on top of the latest trend for attacks, you can reduce your vulnerabilities to RMM software schemes while still reaping the benefits of these useful tools.

More from News

White House mandates stricter cybersecurity for R&D institutions

2 min read - Federal cyber regulation is edging further into research and development (R&D) and higher education. A recent memo from the Office of Science and Technology Policy (OSTP) states that certain covered institutions will be required to implement cybersecurity programs for R&D security. These mandates will also apply to institutions of higher education that support R&D. Beyond strengthening the overall U.S. security posture, this move is also in direct response to growing threats posed by the People's Republic of China (PRC), as…

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

Hackers are increasingly targeting auto dealers

3 min read - Update as of July 11, 2024 In late June, more than 15,000 car dealerships across North America were affected by a cyberattack on CDK Global, which provides software to car dealers. After two cyberattacks over two days, CDK shut down all systems, which caused delays for car buyers and disruptions for the dealerships. Many dealerships went back to manual processes, including handwriting up orders, so that sales could continue at a slower pace. Car buyers who recently bought a car from…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today