Your cart is currently empty!
Detecting Abnormal Usage of Commonly Abused RMM Tools
In my years of experience in cybersecurity and threat intelligence, I’ve observed a worrying trend: the increasing abuse of Remote Monitoring and Management (RMM) tools by cybercriminals.
These tools, designed to facilitate IT support and management tasks, have unfortunately become weapons in the arsenals of ransomware operators and hackers.
Beyond the commonly known RMM tools such as NetSupport, Remote Utilities, ScreenConnect, and AnyDesk, there’s a broader range of software that has been exploited over time.
Today, I’ll delve into this issue, focusing on additional RMM tools like Splashtop, Atera, LogMeIn, TeamViewer, Pulseway, RemotePC, PCAnywhere, Kaseya, and GoToMyPC.
I’ll share insights on detecting abnormal usage and safeguarding against these exploits, drawing from personal experiences and learned lessons.
The Exploitation of RMM Tools by Cybercriminals
RMM tools offer remote access capabilities that are indispensable for IT support, but they also present a tempting target for attackers.
Users can utilize these tools to deploy malware, execute ransomware, and maintain persistent access to victim networks.
The exploitation often begins with social engineering or phishing campaigns to gain initial access. Once inside, attackers deploy these RMM tools as part of their toolkit to control and exploit systems.
Recognizing the Signs of Abuse
The first step in combating the misuse of RMM tools is recognizing the signs of abnormal usage.
Unusual activity can include access at odd hours, frequent connections to unfamiliar devices, or the installation of RMM software without clear authorization.
Monitoring for these signs requires a combination of automated tools and vigilant IT personnel.
| Signs of Abuse | Examples |
|---|---|
| Access at odd hours | User logins outside of regular working hours |
| Unusual login times compared to historical patterns | |
| Authentication events from user accounts associated with non-business hours | |
| Frequent connections to unfamiliar devices | Multiple login attempts from devices not typically associated with the user |
| Concurrent logins from different geographic locations | |
| Unusual device types accessing the network | |
| Installation of RMM software without clear authorization | Records indicating installation of remote management tools by unauthorized users |
| Instances of new software installations not documented by IT | |
| – Elevated privileges granted to users without corresponding approval |
Splashtop and Atera: Emerging Threat Vectors
Splashtop1 and Atera2 have gained popularity for their efficiency and ease of use.
However, I can come with scenario’s in which individuals actively use these tools to circumvent traditional security measures.
For example, attackers might leverage Splashtop’s remote access capabilities to infiltrate networks unnoticed, exploiting weak authentication practices.
Just like Atera, which offers comprehensive IT management features, someone could exploit it to deploy malicious scripts throughout a network.
The Role of LogMeIn, TeamViewer, and Pulseway in Cyber Attacks
LogMeIn, TeamViewer, and Pulseway are well-established names in the remote access space. Their widespread adoption, however, makes them prime targets. Cybercriminals often exploit these tools for lateral movement within networks.
In one instance, I observed how attackers used TeamViewer to move undetected across a network, accessing sensitive information without raising alarms.
This incident highlighted the importance of monitoring for unusual patterns of access and implementing strict access controls.
Kaseya and GoToMyPC: Lessons Learned from High-Profile Breaches
Kaseya3 and GoToMyPC have been involved in high-profile security incidents4, offering valuable lessons on the importance of securing RMM tools.
The Kaseya VSA ransomware attack5, for example, demonstrated how vulnerabilities in RMM software could be exploited to launch widespread ransomware campaigns.
It underscored the necessity of regular software updates and the implementation of robust security measures.
Best Practices for Securing RMM Tools
To mitigate the risks associated with RMM tools, I recommend adopting a multi-layered security approach. This includes:
- Implementing strong authentication mechanisms: Use multi-factor authentication (MFA) wherever possible to add an extra layer of security.
- Regularly updating and patching software: Keep all RMM tools up-to-date to protect against known vulnerabilities.
- Monitoring and logging activity: Establish comprehensive logging and monitoring to detect unusual access patterns or unauthorized installations of RMM software.
- Educating users and staff: Raise awareness about phishing and social engineering tactics that attackers use to gain initial access.
The Power of Proactive Defense
From my own experience, the most effective defense against the misuse of RMM tools is a proactive, rather than reactive, security posture.
This involves not just deploying the right tools, but also fostering a culture of security awareness throughout the organization.
Encourage staff to report suspicious activities and provide them with the training and tools needed to recognize potential threats.
Conclusion
As cybercriminals continue to evolve their tactics, the abuse of RMM tools remains a significant threat to organizations of all sizes.
However, by recognizing the signs of abnormal usage, implementing best practices for security, and fostering a proactive security culture, we can significantly mitigate these risks.
Remember, the best way to protect against the misuse of RMM tools is through vigilance, education, and the strategic application of technology.