Anup Ghosh

RMMs: How Hackers are Turning IT Tools Against the Networks


The Download

A new report shows that the tool of choice for hackers and ransomware gangs is the very tool used by Managed Service Providers (MSPs) and IT operations groups to manage endpoints on networks: Remote Monitoring and Management (RMM) tools. RMMs are a foundational tool for MSPs to remotely administer devices on client networks. As useful as they are to IT groups, they are even more useful to hackers and ransomware groups.


Hackers use these legitimate tools, rather than custom malware code or hacking tools like Cobalt, to disguise their activity. Because RMM tools allow you to log in remotely and run commands such as PowerShell scripts, hackers can compromise almost any device on the network and run arbitrary commands of their choosing, all while staying under the radar behind a legitimate tool.


What you need to know:


  • Legitimate Tools as Weapons: Attackers are increasingly using legitimate remote management tools like TeamViewer and AnyDesk to infiltrate enterprise networks, making their activities harder to detect.

  • Bypassing Security: These tools help cybercriminals evade traditional security measures by blending in with authorized IT activity, leading to more successful attacks.

  • Evolving Threat Landscape: The trend reflects a broader shift in cyberattack strategies, where attackers leverage trusted software to gain persistent access and control over compromised systems.


What You Can Do

It's important to know which RMMs should be running on the network. An adversary will often compromise a machine and then install the RMM of their choice. Using ThreatMate endpoint agents, we can identify all software running on endpoints, including RMM agents that do not belong. For your existing RMM, it is important that access control is restricted to authorized users only and that multi-factor authentication is required to log in. Finally, ensure your RMM is properly patched so it cannot be exploited.
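The check for RMM agents that do not belong can be sketched as a comparison of a software inventory against the RMMs approved for the network. This is an added example, not ThreatMate's code: the inventory rows, host names, approved list and function names are constructed for illustration, and the product list beyond TeamViewer and AnyDesk is an assumed, incomplete sample.

```python
# Added example: flag RMM agents that are not on the network's approved list.
# Name fragments for some remote-management products. TeamViewer and AnyDesk
# are named in the article; the others are an illustrative, incomplete sample.
KNOWN_RMM = {
    "teamviewer": "TeamViewer",
    "anydesk": "AnyDesk",
    "screenconnect": "ScreenConnect",
    "splashtop": "Splashtop",
}

def identify_rmm(software_name):
    """Return the canonical RMM product name, or None if it is not a known RMM."""
    # Drop case, spaces and punctuation so "Team Viewer 15" and
    # "anydesk.exe" both match their product fragment.
    key = "".join(ch for ch in software_name.lower() if ch.isalnum())
    for fragment, product in KNOWN_RMM.items():
        if fragment in key:
            return product
    return None

def find_unapproved_rmm(inventory, approved):
    """inventory: iterable of (host, software_name) rows from endpoint agents.
    approved: set of canonical RMM names sanctioned for this network.
    Returns sorted, de-duplicated (host, product) pairs that do not belong."""
    findings = set()
    for host, name in inventory:
        product = identify_rmm(name)
        if product is not None and product not in approved:
            findings.add((host, product))
    return sorted(findings)

# Constructed sample inventory (hypothetical hosts and entries).
SAMPLE_INVENTORY = [
    ("ws-01", "ScreenConnect Client (a1b2c3)"),
    ("ws-01", "Microsoft Edge"),
    ("ws-02", "AnyDesk"),
    ("ws-02", "ScreenConnect Client (a1b2c3)"),
    ("srv-01", "TeamViewer Host"),
    ("srv-01", "anydesk.exe"),
]
APPROVED_RMM = {"ScreenConnect"}  # assumption: the one sanctioned RMM

if __name__ == "__main__":
    for host, product in find_unapproved_rmm(SAMPLE_INVENTORY, APPROVED_RMM):
        print(f"{host}: unapproved RMM agent {product}")
```

Name matching only catches agents that keep their default names, so a finding list that comes back empty is not proof that no unapproved RMM is present.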



To Learn More:


