You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall, cyber criminals targeted organizations with a phishing campaign to download RMM software. While this particular scheme used ScreenConnect (now ConnectWise Control) and AnyDesk RMM tools, organizations should be cautious of other tools in the future as criminals adapt to new software vectors.

Stealing Money and Gaining Access

While actual RMM software is legitimate, last year, criminals used those downloads to steal money in a refund scheme. After coaxing victims to log into their bank accounts, malicious actors then accessed the victim’s banks through the RMM summary. Because the victims saw a fraudulent summary that showed a refund, the criminals convinced them to refund the overpayment. In addition to getting the fraudulent refund, the criminals could now access bank account information as well as the network.

The scheme also used portable executables to gain local accesses, which bypassed the authentication and verification protocols. RMM tools are especially vulnerable to these types of schemes because the self-contained, portable executables give access similar to admin privilege. Once they have access to devices and networks, the criminals can sell victim account access to other cyber criminals or advanced persistent threat (APT) actors.

For most phishing schemes and malicious downloads, anti-virus and anti-malware provide protection. However, RMM software usually flies under the radar of these tools, making the malicious file difficult to detect. Criminals can save themselves time and money by leveraging an existing tool rather than creating custom malware tools. As malicious actors become more efficient, legitimate users suffer.

Additionally, the users of RMM software — managed service providers (MSPs) and IT help desks — make this scheme attractive and lucrative. Once they infiltrate these organizations, they gain access to the MSPs’ customers and can attack even more organizations. As MSPs depend on their customer’s trust, attacks such as these can have significant damage to their reputation and business growth.

Protecting Against Similar Schemes

Because these attacks have been highly successful and have a high potential for damage, organizations should proactively protect against RMM schemes. The CISA recommends the following steps:

  • Focus on blocking phishing emails. By using software and tools, you can reduce the number of phishing schemes that get in front of employees. CISA recommends using protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-Based Message Authentication, Reporting and Conformance (DMARC).
  • Monitor RMM use. Identify all RMM tools on your network and determine if they are authorized. Check logs of all portable executables associated with RMS software to look for any suspicious activity. You should also look for cases where the RMM software is not downloaded but put only into memory. If you suspect malicious RMM software, consider blocking connections at the network perimeter for common ports used by RMM.
  • Provide training. Provide training for employees on general phishing best practices, as well as specifically on RMM download emails.

While the latest scheme targets RMM software, these tools offer many cybersecurity benefits. Instead of discontinuing their use, organizations should be aware of the risks and take precautions. By staying on top of the latest trend for attacks, you can reduce your vulnerabilities to RMM software schemes while still reaping the benefits of these useful tools.

More from News

Spot Fake Extortion Attacks Without Wasting Time and Money

3 min read - Ransomware attacks — the scourge of businesses, schools, hospitals and other organizations — follow a familiar pattern. Shady criminals contact an organization, telling them their company or customer data has been breached, encrypted and/or exfiltrated. Pay us money, or we’ll publish your data. In 2022, some 41% of victims paid, according to cyber-intelligence firm Coveware, rewarding the extortionists for their efforts. (Payment is declining every year, down from 76% in 2019.)That knowledge no doubt inspired lazier, less-skillful scammers into action. In…

3 min read

High-Impact Attacks On Critical Infrastructure Climb 140%

4 min read - Prior to the pandemic, cyber-sabotage attacks on manufacturing plants were non-existent. Today, the situation has changed dramatically. As per a recent report, attacks that led to physical consequences in process manufacturing, discrete manufacturing and critical industrial infrastructures impacted over 150 industrial operations in 2022. In addition, the total number of attacks increased 2.4x over the previous year. At this rate of growth, cyberattacks may shut down up to 15,000 industrial sites within the next five years. Growing Threat to OT…

4 min read

AI Assistance Cuts Alert Triage Times in Half

4 min read - Clearly, ChatGPT has placed artificial intelligence on everyone’s radar these days. But AI in mainstream business applications has been around for decades. In cybersecurity, AI can be used for data augmentation and attack simulation. It can also help detect anomalies in network traffic or user behavior to enhance overall threat detection and response. As per a recent report, one area where AI has made significant strides is in threat alert triage efforts. In fact, with AI assistance, alert triage timelines…

4 min read

Congressman Proposes Act to Improve K-12 Cybersecurity

2 min read - When Iowa Congressman Zach Nunn served on the White House’s National Security Council, he witnessed the dramatic impact of cybersecurity incidents. Nunn became especially concerned about how cybersecurity crimes impact schools and their ability to educate students. He also realized how the growing threats have been making it easier to disrupt not only individual schools but entire school systems. “These are no longer attackers in basements or individuals who intend to do harm for a one-time profit,” Nunn told KGLO…

2 min read