June 7, 2023 By Jennifer Gregory 3 min read

You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall, cyber criminals targeted organizations with a phishing campaign to download RMM software. While this particular scheme used ScreenConnect (now ConnectWise Control) and AnyDesk RMM tools, organizations should be cautious of other tools in the future as criminals adapt to new software vectors.

Stealing money and gaining access

While actual RMM software is legitimate, last year, criminals used those downloads to steal money in a refund scheme. After coaxing victims to log into their bank accounts, malicious actors then accessed the victim’s banks through the RMM summary. Because the victims saw a fraudulent summary that showed a refund, the criminals convinced them to refund the overpayment. In addition to getting the fraudulent refund, the criminals could now access bank account information as well as the network.

The scheme also used portable executables to gain local accesses, which bypassed the authentication and verification protocols. RMM tools are especially vulnerable to these types of schemes because the self-contained, portable executables give access similar to admin privilege. Once they have access to devices and networks, the criminals can sell victim account access to other cyber criminals or advanced persistent threat (APT) actors.

For most phishing schemes and malicious downloads, anti-virus and anti-malware provide protection. However, RMM software usually flies under the radar of these tools, making the malicious file difficult to detect. Criminals can save themselves time and money by leveraging an existing tool rather than creating custom malware tools. As malicious actors become more efficient, legitimate users suffer.

Additionally, the users of RMM software — managed service providers (MSPs) and IT help desks — make this scheme attractive and lucrative. Once they infiltrate these organizations, they gain access to the MSPs’ customers and can attack even more organizations. As MSPs depend on their customer’s trust, attacks such as these can have significant damage to their reputation and business growth.

Protecting against similar schemes

Because these attacks have been highly successful and have a high potential for damage, organizations should proactively protect against RMM schemes. The CISA recommends the following steps:

  • Focus on blocking phishing emails. By using software and tools, you can reduce the number of phishing schemes that get in front of employees. CISA recommends using protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-Based Message Authentication, Reporting and Conformance (DMARC).
  • Monitor RMM use. Identify all RMM tools on your network and determine if they are authorized. Check logs of all portable executables associated with RMS software to look for any suspicious activity. You should also look for cases where the RMM software is not downloaded but put only into memory. If you suspect malicious RMM software, consider blocking connections at the network perimeter for common ports used by RMM.
  • Provide training. Provide training for employees on general phishing best practices, as well as specifically on RMM download emails.

While the latest scheme targets RMM software, these tools offer many cybersecurity benefits. Instead of discontinuing their use, organizations should be aware of the risks and take precautions. By staying on top of the latest trend for attacks, you can reduce your vulnerabilities to RMM software schemes while still reaping the benefits of these useful tools.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today