June 7, 2023 By Jennifer Gregory 3 min read

You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall, cyber criminals targeted organizations with a phishing campaign to download RMM software. While this particular scheme used ScreenConnect (now ConnectWise Control) and AnyDesk RMM tools, organizations should be cautious of other tools in the future as criminals adapt to new software vectors.

Stealing money and gaining access

While actual RMM software is legitimate, last year, criminals used those downloads to steal money in a refund scheme. After coaxing victims to log into their bank accounts, malicious actors then accessed the victim’s banks through the RMM summary. Because the victims saw a fraudulent summary that showed a refund, the criminals convinced them to refund the overpayment. In addition to getting the fraudulent refund, the criminals could now access bank account information as well as the network.

The scheme also used portable executables to gain local accesses, which bypassed the authentication and verification protocols. RMM tools are especially vulnerable to these types of schemes because the self-contained, portable executables give access similar to admin privilege. Once they have access to devices and networks, the criminals can sell victim account access to other cyber criminals or advanced persistent threat (APT) actors.

For most phishing schemes and malicious downloads, anti-virus and anti-malware provide protection. However, RMM software usually flies under the radar of these tools, making the malicious file difficult to detect. Criminals can save themselves time and money by leveraging an existing tool rather than creating custom malware tools. As malicious actors become more efficient, legitimate users suffer.

Additionally, the users of RMM software — managed service providers (MSPs) and IT help desks — make this scheme attractive and lucrative. Once they infiltrate these organizations, they gain access to the MSPs’ customers and can attack even more organizations. As MSPs depend on their customer’s trust, attacks such as these can have significant damage to their reputation and business growth.

Protecting against similar schemes

Because these attacks have been highly successful and have a high potential for damage, organizations should proactively protect against RMM schemes. The CISA recommends the following steps:

  • Focus on blocking phishing emails. By using software and tools, you can reduce the number of phishing schemes that get in front of employees. CISA recommends using protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-Based Message Authentication, Reporting and Conformance (DMARC).
  • Monitor RMM use. Identify all RMM tools on your network and determine if they are authorized. Check logs of all portable executables associated with RMS software to look for any suspicious activity. You should also look for cases where the RMM software is not downloaded but put only into memory. If you suspect malicious RMM software, consider blocking connections at the network perimeter for common ports used by RMM.
  • Provide training. Provide training for employees on general phishing best practices, as well as specifically on RMM download emails.

While the latest scheme targets RMM software, these tools offer many cybersecurity benefits. Instead of discontinuing their use, organizations should be aware of the risks and take precautions. By staying on top of the latest trend for attacks, you can reduce your vulnerabilities to RMM software schemes while still reaping the benefits of these useful tools.

More from News

What is the Open-Source Software Security Initiative (OS3I)?

3 min read - The Open-Source Software Security Initiative (OS3I) recently released Securing the Open-Source Software Ecosystem report, which details the members’ current priorities and recommended cybersecurity solutions. The accompanying fact sheet also provides the highlights of the report. The OS3I includes both federal departments and agencies working together to deliver policy solutions to secure and defend the ecosystem. The new initiative is part of the overall National Cybersecurity Strategy. After the Log4Shell vulnerability in 2021, the Biden-Harris administration committed to improving the security…

Europe’s Cyber Resilience Act: Redefining open source

3 min read - Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents. While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new…

Feds release urgent guidance for U.S. water sector

3 min read - The water and wastewater sector (WWS) faces cybersecurity challenges that leave it wide open to attacks. In response, the CISA, EPA and FBI recently released joint guidance to the sector, citing variable cyber maturity levels and potential cybersecurity solutions. The new Incident Response Guide (IRG) provides the water sector with information about the federal roles, resources and responsibilities for each stage of the cyber incident response lifecycle. Sector owners and operators can use this information to augment their incident response…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today