As more people work remotely, IT departments must manage devices distributed over different cities and countries relying on VPNs and remote monitoring and management (RMM) tools for system administration.
However, like any new technology, RMM tools can also be used maliciously. Threat actors can establish connections to a victim’s device and run commands, exfiltrate data, and stay undetected.
This article will cover real-world examples of RMM exploits and show you how to protect your organization from these attacks.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
What are RMM tools?
RMM software simplifies network management, allowing IT professionals to remotely solve problems, install software, and upload or download files to or from devices.
Unfortunately, this connection is not always secure, and attackers can use malicious software to connect their servers to a victim’s device. As these connections become easier to detect, however, ransomware-as-a-service (RaaS) groups have had to adjust their methods.
In most of the cyber incidents Varonis investigated last year, RaaS gangs employed a technique known as Living off the Land, using legitimate IT tools to gain remote control, navigate networks undetected, and steal data.
RMM tools enable attackers to blend in and evade detection. They and their traffic are typically “ignored” by security controls and organizational security policies, such as application whitelisting.
This tactic also helps script kiddies — once connected, they will find everything they need already installed and ready for them.
Our research identified two main methods attackers use to manipulate RMM tools:
Below are common RMM tools and RaaS gangs:
Common RMM tools and RaaS gangs
Real-world examples of RMM exploits
During a recent investigation, our Managed Data Detection and Response (MDDR) team analyzed an organization’s data and found, in the PowerShell history of a compromised device, evidence of an RMM tool named “KiTTY.”
This software was a modified version of PuTTY, a well-known tool for creating telnet and SSH sessions with remote machines. Because PuTTY is a legitimate RMM tool, none of the organization’s security software raised any red flags, so KiTTY was able to create reverse tunnels over port 443 to expose internal servers to an AWS EC2 box.
The Varonis team conducted a comprehensive analysis. They found that the sessions to the AWS EC2 box using KiTTY were key to revealing what happened, how it was done, and — most importantly — what files were stolen.
This crucial evidence was a turning point in the investigation and helped trace the entire attack chain. It also revealed the organization’s security gaps, how to address them, and the potential consequences of this attack.
Strategies to defend RMM tools
Consider implementing the following strategies to reduce the chance of attackers abusing RMM tools.
An application control policy
Restrict your organization from using multiple RMM tools by enforcing an application control policy:
- Ensure RMM tools are updated, patched, and accessible only to authorized users with MFA enabled
- Proactively block both inbound and outbound connections on forbidden RMM ports and protocols at the network perimeter
One option is to create a Windows Defender Application Control (WDAC) policy using PowerShell that whitelists applications based on their publisher. It’s important to note that creating WDAC policies requires administrative privileges, and deploying them via Group Policy requires domain administrative privileges.
As a precaution, you should test the policy in audit mode before deploying it in enforce mode to avoid inadvertently blocking necessary applications.
Continuous monitoring
Monitor your network traffic and logs, especially regarding RMM tools. Consider implementing services like Varonis MDDR, which provides 24x7x365 network monitoring and behavioral analysis.
User training and awareness
Train your employees to identify phishing attempts and manage passwords effectively, as manipulating users is a common way attackers gain access to your network. Encourage the reporting of suspicious activity and regularly test your cybersecurity team to identify potential risks.
Reduce your risk without taking any.
As technology advances, it gives an edge to both defenders and attackers, and RMM tools are just one example of the potential threats orgs face.
At Varonis, our mission is to protect what matters most: your data. Our all-in-one Data Security Platform continuously discovers and classifies critical data, removes exposures, and stops threats in real time with AI-powered automation.
Curious to see what risks might be prevalent in your environment? Get a Varonis Data Risk Assessment today.
Our free assessment takes just minutes to set up and delivers immediate value. In less than 24 hours, you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation.
Note: This article originally appeared on the Varonis blog.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com