
RMM Software: A Potential Ransomware Attack Vector

September 20, 2023

Remote monitoring and management (RMM) software plays an essential role in many IT departments. With appropriate controls, an RMM solution enables teams to proactively monitor their systems, resolve issues, and handle other tasks — but RMMs can also introduce significant security issues.

On Sept. 19, 2023, researchers at security services provider eSentire published evidence that the LockBit ransomware gang has utilized vulnerable RMMs to spread ransomware to targets. 

The report notes several legitimate RMM tools that the ransomware group has allegedly used: 

  • Advanced IP Scanner
  • AnyDesk
  • Atera
  • ConnectWise

This doesn’t necessarily indicate specific vulnerabilities with any of the RMM solutions listed above. The LockBit group’s modus operandi is to gain authentic, legitimate security credentials, typically through phishing and social engineering. 

Once the attackers gain access to a system, they can distribute ransomware — and potentially monitor the victim’s attempts to resolve the attack. 

RMMs present a novel challenge for traditional security controls.

Ransomware is often distributed as custom malware, but this approach has problems (from the attacker’s point of view). 

Malware, by definition, is detectable. Antivirus software and endpoint technology can eliminate infections before encryption occurs, foiling ransomware groups prior to execution.

But RMMs provide bad actors with everything they need to subvert most security controls. Antivirus software can be disabled before the payload is delivered. 

And since users have no indication of the threat, the payload can lie dormant for a longer period of time prior to activation — infecting backup systems and limiting options for disaster recovery.

When using RMMs, IT teams must follow CISA best practices.

LockBit and other ransomware groups are prioritizing RMMs as potential attack vectors. Gaining legitimate credentials to high-security systems is often a straightforward process: Bad actors can execute brute-force attacks, purchase credentials off the dark web, or simply call and ask (allegedly, this is what happened during MGM’s recent breach). 

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has published an advisory that urges organizations to apply appropriate RMM security controls. The full CISA report is essential reading for IT administrators.

CISA advises caution when using RMMs. Some general tips:

  • Educate your entire organization. Explain how typical social engineering methods work, with special emphasis on how credentials are compromised. 
  • Limit administrative access. Limit (and monitor) credentials for RMMs.
  • Regularly update passwords. Choose passwords that are resistant to brute-force attacks and other password attack methods.
  • Keep RMM software updated. Review logs regularly to detect abnormal use of portable executables. 
  • Utilize application controls to manage and control execution of software. 
  • Audit remote access tools to clearly identify current/authorized RMM software. 
  • Block inbound/outbound connections on common RMM ports and protocols at the network perimeter. 
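
Two of the CISA tips above (auditing remote access tools against the list of authorized RMM software, and reviewing logs for abnormal use of portable executables) can be turned into a simple log check. The script below is an added example written for this article; it is not code from the article, from CISA, or from any of the vendors named. The event format, the executable names, and the expected install directory are assumptions made for the example, and a real deployment would feed it process-creation events from an EDR or Sysmon instead of the constructed sample lines.

```python
"""Audit process-creation events for remote-access tools.

Added example for the CISA guidance in the article ("audit remote access
tools to identify authorized RMM software" and "review logs to detect
abnormal use of portable executables"). Not code from the article or
from CISA. The event format, executable names and install directory are
assumptions made for this example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Executable names for the tools named in the article. The file names are
# assumptions; adjust them to what your vendor actually ships.
KNOWN_RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ConnectWise",
    "advanced_ip_scanner.exe": "Advanced IP Scanner",
}

# Tools this (hypothetical) organization has authorized, mapped to the
# directory the managed installation is expected to run from.
AUTHORIZED_RMM = {
    "Atera": r"C:\Program Files\ATERA Networks",
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    tool: str
    image: str
    verdict: str  # "ok", "unauthorized-rmm" or "authorized-rmm-portable-copy"


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path is inside prefix' check for Windows paths."""
    p = str(PureWindowsPath(path)).lower()
    d = str(PureWindowsPath(prefix)).lower().rstrip("\\") + "\\"
    return p.startswith(d)


def classify(timestamp: str, user: str, image: str) -> Optional[Finding]:
    """Return a Finding for an RMM binary, or None if the image is not one."""
    name = PureWindowsPath(image).name.lower()
    tool = KNOWN_RMM_BINARIES.get(name)
    if tool is None:
        return None
    if tool not in AUTHORIZED_RMM:
        verdict = "unauthorized-rmm"
    elif _under(image, AUTHORIZED_RMM[tool]):
        verdict = "ok"
    else:
        # An authorized product started from outside its install directory:
        # the signature of a portable copy dropped by someone with
        # stolen credentials rather than the managed installation.
        verdict = "authorized-rmm-portable-copy"
    return Finding(timestamp, user, tool, image, verdict)


def audit(events: list) -> list:
    """Parse 'timestamp|user|image' lines and keep only the RMM-related ones."""
    findings = []
    for line in events:
        timestamp, user, image = line.split("|", 2)
        finding = classify(timestamp, user, image)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"2023-09-19T10:02:11Z|svc_atera|C:\Program Files\ATERA Networks\AteraAgent.exe",
    r"2023-09-19T10:05:40Z|jsmith|C:\Users\jsmith\Downloads\AnyDesk.exe",
    r"2023-09-19T10:07:02Z|jsmith|C:\Users\jsmith\AppData\Local\Temp\Advanced_IP_Scanner.exe",
    r"2023-09-19T10:09:15Z|svc_atera|C:\Users\Public\AteraAgent.exe",
    r"2023-09-19T10:11:00Z|jsmith|C:\Windows\System32\notepad.exe",
]


def alerts(events: list = SAMPLE_EVENTS) -> list:
    """Findings that warrant a look by the SOC (everything except 'ok')."""
    return [f for f in audit(events) if f.verdict != "ok"]


if __name__ == "__main__":
    for f in alerts():
        print(f"{f.timestamp} {f.user:<10} {f.verdict:<30} {f.image}")
```

Run against the sample, the managed Atera agent is accepted, the AnyDesk and Advanced IP Scanner executables in the user's Downloads and Temp folders are flagged as unauthorized tools, and the Atera binary launched from C:\Users\Public is flagged as a portable copy of an otherwise authorized product. The last case is the one a plain allowlist misses and the one the "abnormal use of portable executables" tip is aimed at.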

Every organization that uses an RMM solution is a potential target — and since RMMs allow for a convenient backdoor that does not require custom malware, we expect this attack vector to become more common over the next several years. 

Datarecovery.com provides a full range of ransomware recovery, prevention, and mitigation services. From penetration (PEN) testing to data recovery, we can help your organization fight back against bad actors, monitor the dark web for potential threats, and implement appropriate security controls to limit the potential of future attacks.

To learn more, call 1-800-237-4200 to speak with an expert or submit a case online.