Understanding the Risks of Remote Monitoring and Management (RMM) Tools

Background

Remote Monitoring and Management (RMM) tools have become indispensable for businesses and IT service providers, enabling the seamless management and oversight of IT systems, networks, and endpoints. However, with this convenience comes a set of risks that can have far-reaching consequences if not adequately managed. In this article, we will delve into the potential risks associated with RMM tools and the strategies to mitigate them.

Introduction

In October 2022, a significant cyber intrusion unfolded, initially facilitated through a Remote Monitoring and Management (RMM) tool. This breach culminated in a problematic deployment of Hive ransomware, resulting in severe repercussions. The attack commenced with the delivery of a concealed executable, likely disseminated via email, which, upon activation, triggered a download. Following execution, ScreenConnect was installed, contingent on the user having local Administrator privileges. The threat actor proceeded to employ ScreenConnect for various activities, encompassing the use of Windows utility tools and the deployment of a Cobalt Strike beacon. Subsequent actions entailed lateral movement, additional binary downloads, and the introduction of malicious software onto multiple servers.

On the subsequent day, the threat actor escalated their activities, including data extraction and Remote Desktop Protocol (RDP) access. They introduced Rclone for data exfiltration and conducted network scans, with a specific focus on RDP services. Approximately three hours later, the threat actor executed the Hive ransomware by altering an administrator’s password and manually initiating the ransomware on key servers. An endeavor to execute it across the entire domain via a Group Policy Object (GPO) failed due to errors. Nevertheless, key servers were successfully encrypted, and the entire operation, spanning from initial access to ransomware deployment, transpired over 61 hours.

Moreover, the LockBit gang, connected to Russia, has been detected exploiting Remote Monitoring and Management (RMM) tools. Recent incidents involve LockBit targeting a Managed Service Provider (MSP) and two manufacturing companies, either compromising their RMM tools or deploying their own for the distribution of ransomware. LockBit employs a range of strategies for initial access, including browser-based attacks and the exploitation of vulnerabilities in servers. They operate with a transparent affiliate model, focusing primarily on financial gains.

The Power and Pitfalls of RMM Tools

RMM tools are a double-edged sword. On one hand, they offer the ability to remotely access, monitor, and manage IT infrastructure from virtually anywhere, using commonly employed tools such as Atera, TeamViewer, SolarWinds RMM, and Kaseya VSA. This makes it easier to troubleshoot issues, apply updates, and maintain system health without the need for physical presence. However, these very capabilities can be exploited if not properly secured.

1. Security Vulnerabilities:

RMM tools often have access to sensitive areas of a network, making them an attractive target for cybercriminals. If not kept up to date or configured correctly, these tools can become an entry point for malicious actors. Vulnerabilities in RMM software can lead to unauthorized access, data breaches, and even ransomware attacks.

2. Credential Mismanagement:

RMM tools typically require credentials for access. If these credentials are not adequately protected and managed, they can be stolen or compromised, allowing attackers to gain unauthorized control over the entire IT environment.

3. Insider Threats:

While RMM tools are essential for managing remote endpoints, they can also pose risks if abused by insiders. Malicious employees or contractors with access to these tools can intentionally cause harm, leading to data leaks or system disruptions.

4. Compliance and Privacy Concerns:

Many industries are subject to strict regulatory compliance standards, such as GDPR or HIPAA. RMM tools may inadvertently collect and store sensitive data, raising privacy concerns and potential violations of these standards if not configured properly.

Mitigation

1. Enforce Two-Factor Authentication: Implement two-factor authentication for all RMM access, VPNs, and critical software systems.

2. Use Strong and Unique Passwords: Ensure that robust and unique passwords are employed for RMM accounts and other essential system accounts.

3. Access Control Lists (ACLs): Implement ACLs for trusted IPs and encourage end customers to connect via VPN when roaming.

4. Client SSL Certificates: Consider requiring client SSL certificates before granting access to RMM systems.

5. Be Cautious with Job Offerings: Avoid divulging explicit details about your software stack in public-facing job offerings, which threat actors could exploit for targeted phishing.

6. Employee Training: Educate employees with RMM access to scrutinize communications from RMM service providers.

7. 24/7 MDR Protection: Ensure that your organization’s IT environment, including network, endpoints, and logs, are safeguarded by a 24/7 MDR solution.

8. Patch and Update Regularly: Regularly update and patch software applications, operating systems, and third-party tools to mitigate vulnerabilities.

9. Client Education: Collaborate with clients to emphasize the importance of cybersecurity and develop security policies and guidelines for their employees.

Conclusion

Remote Monitoring and Management tools offer significant benefits in terms of IT efficiency and productivity. However, their potential risks should not be underestimated. Properly securing these tools and adopting a comprehensive security strategy is imperative to harness the benefits of RMM tools while mitigating the associated risks. As the threat landscape evolves, so must our cybersecurity practices to protect the heart of our organizations’ IT infrastructure.

The intrusion from October 2022 represents a complex and multifaceted cyberattack. It began with a deceptive email-based delivery of a disguised executable and involved the use of various tools, techniques, and lateral movement strategies by the threat actor. While the ransomware deployment was ultimately unsuccessful at a domain-wide level, it highlights the evolving and persistent nature of cyber threats, emphasizing the importance of robust cybersecurity measures and proactive threat detection and response mechanisms.

__________________________________________________________________________

CRITICALSTART® offers a pioneering solution to modern organizational challenges in aligning cyber protection with risk appetite through its Cyber Operations Risk & Response™ platform, award-winning Managed Detection and Response (MDR) services, and a dedicated human-led risk and security team. By providing continuous monitoring, mitigation, maturity assessments, and comprehensive threat intelligence research, they enable businesses to proactively protect critical assets with measurable ROI. Critical Start’s comprehensive approach allows organizations to achieve the highest level of cyber risk reduction for every dollar invested, aligning with their desired levels of risk tolerance.

References

1. https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/

2. https://www.msspalert.com/news/esentire-warns-service-providers-of-lockbit-attacks-on-rmm-tools


You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form
  • This field is hidden when viewing the form