Detecting Abnormal Usage of Commonly Abused RMM Tools

ThreatIntelligenceLab.com

In my years of experience in cybersecurity and threat intelligence, I’ve observed a worrying trend: the increasing abuse of Remote Monitoring and Management (RMM) tools by cybercriminals.

These tools, designed to facilitate IT support and management tasks, have unfortunately become weapons in the arsenals of ransomware operators and hackers.

Beyond the commonly known RMM tools such as NetSupport, Remote Utilities, ScreenConnect, and AnyDesk, there’s a broader range of software that has been exploited over time.

Today, I’ll delve into this issue, focusing on additional RMM tools like Splashtop, Atera, LogMeIn, TeamViewer, Pulseway, RemotePC, PCAnywhere, Kaseya, and GoToMyPC.

I’ll share insights on detecting abnormal usage and safeguarding against these exploits, drawing from personal experiences and learned lessons.

The Exploitation of RMM Tools by Cybercriminals

RMM tools offer remote access capabilities that are indispensable for IT support, but they also present a tempting target for attackers.

Attackers can use these same tools to deploy malware, execute ransomware, and maintain persistent access to victim networks.

The exploitation often begins with social engineering or phishing campaigns to gain initial access. Once inside, attackers deploy these RMM tools as part of their toolkit to control and exploit systems.


Recognizing the Signs of Abuse

The first step in combating the misuse of RMM tools is recognizing the signs of abnormal usage.

Unusual activity can include access at odd hours, frequent connections to unfamiliar devices, or the installation of RMM software without clear authorization.

Monitoring for these signs requires a combination of automated tools and vigilant IT personnel.

Signs of abuse and examples:

  • Access at odd hours
      – User logins outside of regular working hours
      – Unusual login times compared to historical patterns
      – Authentication events from user accounts associated with non-business hours
  • Frequent connections to unfamiliar devices
      – Multiple login attempts from devices not typically associated with the user
      – Concurrent logins from different geographic locations
      – Unusual device types accessing the network
  • Installation of RMM software without clear authorization
      – Records indicating installation of remote management tools by unauthorized users
      – Instances of new software installations not documented by IT
      – Elevated privileges granted to users without corresponding approval
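The signs listed above only become useful once they are turned into checks that run over real login and software-installation records. The following Python script is an added example written for this article, not tooling from the author or from any RMM vendor: it walks a small set of constructed events and flags each of the three sign categories (odd-hours logins, unfamiliar devices and concurrent logins from different locations, and RMM installations with no documented approval). The working hours, the per-user device baseline, the approval records and the events themselves are all assumptions made up for the example.

```python
"""Triage of constructed RMM-related events against the three signs of abuse
listed above. Example code added to this article; it is not the author's tooling.
All baselines, approvals and events below are constructed assumptions."""
from collections import Counter
from datetime import datetime, time, timedelta

# Assumed local working hours; anything outside counts as "odd hours".
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Two logins by one user from different countries within this window are
# treated as "concurrent logins from different geographic locations".
MAX_GEO_SWITCH = timedelta(minutes=60)

# RMM products named in the article, lower-cased for matching installer names.
KNOWN_RMM = {
    "netsupport", "remote utilities", "screenconnect", "anydesk", "splashtop",
    "atera", "logmein", "teamviewer", "pulseway", "remotepc", "pcanywhere",
    "kaseya", "gotomypc",
}
# Assumed per-user device baseline, as it would be built from login history.
BASELINE_DEVICES = {"alice": {"WS-ALICE-01"}, "bob": {"WS-BOB-01", "LT-BOB-02"}}
# Assumed IT change records: (device, product) pairs with documented approval.
APPROVED_INSTALLS = {("WS-ALICE-01", "teamviewer")}

# Constructed sample events (ISO timestamps in local time), not real telemetry.
EVENTS = [
    {"ts": "2024-03-11T09:12:00", "type": "login", "user": "alice", "device": "WS-ALICE-01", "geo": "NL"},
    {"ts": "2024-03-11T02:47:00", "type": "login", "user": "alice", "device": "WS-ALICE-01", "geo": "NL"},
    {"ts": "2024-03-11T10:05:00", "type": "login", "user": "bob", "device": "UNKNOWN-7F3A", "geo": "NL"},
    {"ts": "2024-03-11T10:09:00", "type": "login", "user": "bob", "device": "LT-BOB-02", "geo": "BR"},
    {"ts": "2024-03-11T03:01:00", "type": "install", "user": "alice", "device": "WS-ALICE-01", "product": "AnyDesk"},
    {"ts": "2024-03-11T11:30:00", "type": "install", "user": "bob", "device": "LT-BOB-02", "product": "TeamViewer"},
    {"ts": "2024-03-11T11:40:00", "type": "install", "user": "bob", "device": "LT-BOB-02", "product": "7-Zip"},
]


def outside_business_hours(ts_iso: str) -> bool:
    """True when the event time falls outside the assumed working hours."""
    start, end = BUSINESS_HOURS
    return not (start <= datetime.fromisoformat(ts_iso).time() < end)


def detect_abnormal_usage(events):
    """Return one finding per matched sign; a single event can yield several."""
    findings = []
    logins_by_user = {}

    def flag(sign, ev, detail):
        findings.append({"sign": sign, "user": ev["user"], "device": ev["device"],
                         "ts": ev["ts"], "detail": detail})

    for ev in events:
        if ev["type"] == "login":
            if outside_business_hours(ev["ts"]):
                flag("odd_hours", ev, "login outside regular working hours")
            if ev["device"] not in BASELINE_DEVICES.get(ev["user"], set()):
                flag("unfamiliar_device", ev, "device not in the user's baseline")
            logins_by_user.setdefault(ev["user"], []).append(ev)
        elif ev["type"] == "install":
            product = ev["product"].strip().lower()
            if product in KNOWN_RMM and (ev["device"], product) not in APPROVED_INSTALLS:
                flag("unauthorized_rmm_install", ev,
                     f"{ev['product']} installed without a documented approval")

    # Concurrent logins from different locations: compare each user's logins
    # pairwise in time order.
    for logins in logins_by_user.values():
        logins.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logins, logins[1:]):
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            if prev["geo"] != cur["geo"] and gap <= MAX_GEO_SWITCH:
                flag("concurrent_geo", cur,
                     f"login from {cur['geo']} {gap.seconds // 60} min after one from {prev['geo']}")
    return findings


def count_by_sign(findings) -> dict:
    """Summarise findings by sign, which is what a triage view would show first."""
    return dict(Counter(f["sign"] for f in findings))


if __name__ == "__main__":
    for f in detect_abnormal_usage(EVENTS):
        print(f"[{f['sign']}] {f['ts']} {f['user']}@{f['device']}: {f['detail']}")
    print(count_by_sign(detect_abnormal_usage(EVENTS)))
```

On the sample events the script raises five findings: one odd-hours login, one login from an unfamiliar device, one pair of logins from two countries four minutes apart, and two RMM installations (AnyDesk and TeamViewer) that have no matching approval record, while the 7-Zip install is ignored because it is not an RMM product. In a real deployment the baseline and approval sets would be fed from identity and change-management systems rather than hard-coded, and the installer match would normally be extended with process, service and network indicators for each product.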

Splashtop and Atera: Emerging Threat Vectors

Splashtop [1] and Atera [2] have gained popularity for their efficiency and ease of use.

However, I can come up with scenarios in which individuals actively use these tools to circumvent traditional security measures.

For example, attackers might leverage Splashtop’s remote access capabilities to infiltrate networks unnoticed, exploiting weak authentication practices.

Similarly, Atera, which offers comprehensive IT management features, could be exploited to deploy malicious scripts throughout a network.

The Role of LogMeIn, TeamViewer, and Pulseway in Cyber Attacks

LogMeIn, TeamViewer, and Pulseway are well-established names in the remote access space. Their widespread adoption, however, makes them prime targets. Cybercriminals often exploit these tools for lateral movement within networks.

In one instance, I observed how attackers used TeamViewer to move undetected across a network, accessing sensitive information without raising alarms.

This incident highlighted the importance of monitoring for unusual patterns of access and implementing strict access controls.

Kaseya and GoToMyPC: Lessons Learned from High-Profile Breaches

Kaseya [3] and GoToMyPC have been involved in high-profile security incidents [4], offering valuable lessons on the importance of securing RMM tools.

The Kaseya VSA ransomware attack [5], for example, demonstrated how vulnerabilities in RMM software could be exploited to launch widespread ransomware campaigns.

It underscored the necessity of regular software updates and the implementation of robust security measures.

Best Practices for Securing RMM Tools

To mitigate the risks associated with RMM tools, I recommend adopting a multi-layered security approach. This includes:

  • Implementing strong authentication mechanisms: Use multi-factor authentication (MFA) wherever possible to add an extra layer of security.
  • Regularly updating and patching software: Keep all RMM tools up-to-date to protect against known vulnerabilities.
  • Monitoring and logging activity: Establish comprehensive logging and monitoring to detect unusual access patterns or unauthorized installations of RMM software.
  • Educating users and staff: Raise awareness about phishing and social engineering tactics that attackers use to gain initial access.

The Power of Proactive Defense

From my own experience, the most effective defense against the misuse of RMM tools is a proactive, rather than reactive, security posture.

This involves not just deploying the right tools, but also fostering a culture of security awareness throughout the organization.

Encourage staff to report suspicious activities and provide them with the training and tools needed to recognize potential threats.

Conclusion

As cybercriminals continue to evolve their tactics, the abuse of RMM tools remains a significant threat to organizations of all sizes.

However, by recognizing the signs of abnormal usage, implementing best practices for security, and fostering a proactive security culture, we can significantly mitigate these risks.

Remember, the best way to protect against the misuse of RMM tools is through vigilance, education, and the strategic application of technology.

  1. https://www.splashtop.com/
  2. https://www.atera.com/
  3. https://www.kaseya.com/
  4. https://www.goto.com/nl/blog/our-response-to-a-recent-security-incident
  5. https://helpdesk.kaseya.com/hc/en-gb/articles/4403584098961-Incident-Overview-Technical-Details
