RMM: The Increased Use of Legal Malware by Threat Actors

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. David Rushmer of Blackpoint Cyber offers a deep dive into the ways RMM software is being exploited by threat actors, and what can be done.

Today’s threat landscape is constantly evolving as malicious threat actors continue to find ways to circumvent trusted security measures. Most recently, cyber-criminals are leveraging enterprise software, like remote monitoring and management (RMM) tools, to gain access to networks and wreak havoc on companies, their employees, and their clients. The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory in January 2023, warning organizations about the use of these tools in cyber campaigns.

While the exploitation of legitimate software is not new, threat actors are increasingly deploying this tactic. According to Blackpoint Cyber’s Security Operations Center (SOC) team, 15 percent of all its responses in 2022 involved an RMM.

RMM: Legal Malware Exploited

Who is Being Targeted?

Managed Service Providers (MSPs) and Information Technology (IT) help desks use enterprise software to manage their business processes and operations. Oftentimes, it is highly trusted and therefore has privileged capabilities, such as technical and security user support, network management, remote control, network mapping, endpoint monitoring, and patch management. For example, Total Software Deployment is a software management tool that enables remote deployment – meaning end users will not be interrupted while the tool is being used. Additionally, the software allows for full remote control of endpoints.

Unfortunately, the features that make these tools appealing for organizations to use also make them appealing for threat actors to use maliciously to gain admin access. The end goal for most criminal groups is to generate maximum profits with little spending – which is another reason why leveraging enterprise software is so enticing. Using existing software is much more cost effective than developing net new software.

CISA, NSA, and MS-ISAC warn that although these types of campaigns are typically financially motivated, the attackers could abuse RMM tools for an array of different cybercrimes and even as a backdoor to victim networks. From there, cybercriminals could sell the obtained access to other cybercriminals or to advanced persistent threat actors, demand a ransom, or surveil the end customer’s business activities.

By exploiting trusted relationships in MSP networks, these threat actors gain access to a large number of companies’ networks and data. MSPs remain primary targets due to the ability to hit multiple systems at once, making them lucrative victims.

What to Watch Out For

In the campaigns identified, cybercriminal actors sent phishing emails to obtain valid credentials and upon gaining access, used those stolen credentials to begin the next stage of their malicious campaign. Because the use of RMM software generally does not trigger antivirus (AV) or anti-malware defenses, it can be particularly difficult to catch. With that said, if you know what to monitor for, there are plenty of indicators of an attack within your system. Monitoring for indicators of compromise (IoCs) enables organizations to accurately detect and respond to security compromises. Some IoCs include unexpected patching of systems, online profile inaccuracies, log-in red flags, and even signs of distributed denial-of-service (DDoS) activity.

Cybersecurity measures are ever changing and constantly aiming to stay ahead of the agendas of malicious actors. However, these cybercriminals are continuing to get smarter. We trust multifactor authentication (MFA), they exploit MFA. We trust RMM, they exploit RMM. They will follow the trends, figure out how to bypass security measures, and remain relentless until they have their next victim.

How to Get Ahead

In order to stay ahead of this rising threat, organizations must be extremely cautious of the trust they put into their IT tools. These tools will continue to be necessary to run a business but can also be a foothold for a persistent threat actor. Regarding RMMs specifically, organizations should stay updated and patched, continue to be on the lookout for exposure to Remote Desktop Protocol (RDP), and monitor for any changes to RMM IP access. Additionally, it’s recommended that businesses swap MFA push notifications for more advanced forms of verification such as multi-digit vault codes or biometric authentication. When you rely solely on push notifications, hackers can use alert fatigue to eventually gain access into your account. Although many forms of MFA are convenient, they do not always equate to the best security.

It is essential that we all take the necessary steps to protect ourselves online, such as using strong passwords, turning on MFA, and updating our software regularly. For government and private entities alike, developing tailored cybersecurity plans and improving cybersecurity education is key to protecting their organizations’ operations from wide-scale or high-consequence events that could cause harm or disrupt services upon which our economy depends.

By bringing cybersecurity to the C-Suite, companies will be able to instill proper practices to safeguard themselves before an attack ever happens. Only in the last few years have businesses begun taking cybersecurity seriously. Unfortunately, more often than not, companies only begin putting additional efforts into their online security once their network has been breached. However, this is entirely preventable and the steps to secure yourself are more accessible than ever. As information technology becomes increasingly integrated with all aspects of society, it is vital that everyone takes responsibility for their own cybersecurity to ensure a safe online environment for us all.