The US Cybersecurity and Infrastructure Security Agency (CISA) is sounding the alarm about a significant threat that’s been brewing for a while now – the malicious use of remote management tools.
Last fall, a massive cyberattack campaign abused legitimate remote management software, which proved quite challenging. Cybersecurity firms such as ThreatLocker and Blackpoint Cyber observed malicious actors using remote management tools in their cyberattacks, including ransomware attacks.
International and US cybersecurity authorities even warned about increased cyberattacks targeting managed service providers (MSPs). CISA is now renewing its warning about the threat that MSPs and their customers are facing.
Threat actors target legitimate users of RMMs, including MSPs and IT support
Attackers can exploit the trust in MSP networks and gain access to many of the victim MSP’s customers. This means that MSPs can introduce serious risks to their customers, such as ransomware and cyber espionage.
Last October, CISA identified a widespread cyber campaign involving the malicious use of legitimate remote monitoring and management (RMM) software. Cybercriminals sent phishing emails to get users to download the RMM software, leading to the theft of funds from the victims’ bank accounts.
The RMM tools used in the attacks were ScreenConnect (now ConnectWise Control) and AnyDesk, but CISA warned that “threat actors can maliciously leverage any legitimate RMM software.”
Why are RMM tools so appealing to attackers?
They offer several advantages. Attackers do not have to create custom malware, and when an RMM tool is downloaded as a self-contained executable it can bypass administrative requirements and software control policies. RMM tools also usually aren’t blocked by anti-malware or antivirus products.
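An added example, not from CISA or this article: a defender-side check over process-creation events that flags the two tools named above when they run as a downloaded self-contained executable rather than from a sanctioned install. The event field names, name patterns, approved install prefixes and sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: name patterns for the two tools named in the article.
# Name matching misses renamed binaries; pair it with signer or hash checks.
RMM_NAME = re.compile(r"(anydesk|screenconnect)", re.IGNORECASE)
# Assumption: directories where a sanctioned, installed copy would live.
APPROVED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# User-writable locations typical for a downloaded self-contained executable.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\")

def classify(event):
    """Return 'portable-rmm', 'unapproved-path', or None for one event."""
    image = event["Image"]
    if not RMM_NAME.search(ntpath.basename(image)):
        return None  # not one of the watched RMM tools
    lowered = image.lower()
    if USER_WRITABLE.search(lowered):
        return "portable-rmm"
    if not lowered.startswith(APPROVED_PREFIXES):
        return "unapproved-path"
    return None  # installed copy in a sanctioned location

def find_suspect_rmm(events):
    """Return (host, user, image, verdict) for every flagged event."""
    return [
        (e["Host"], e["User"], e["Image"], verdict)
        for e in events
        if (verdict := classify(e)) is not None
    ]

# Constructed sample events (field names modelled on process-creation logs).
SAMPLE_EVENTS = [
    {"Host": "WS-01", "User": "alice", "Image": r"C:\Users\alice\Downloads\AnyDesk.exe"},
    {"Host": "WS-02", "User": "svc", "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"Host": "WS-03", "User": "bob", "Image": r"C:\Users\bob\AppData\Local\Temp\ScreenConnect.WindowsClient.exe"},
    {"Host": "WS-04", "User": "carol", "Image": r"D:\tools\anydesk_portable.exe"},
    {"Host": "WS-05", "User": "dave", "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in find_suspect_rmm(SAMPLE_EVENTS):
        print(finding)
```

In practice the approved prefixes would be replaced by an inventory of hosts and install paths where RMM software is actually sanctioned.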
Ryan Loughran, the help desk manager at KJ Technology, a managed IT services firm, said that it’s clear that using RMM tools in cyberattacks is a top priority for many threat actors. He also mentioned that many small and medium-sized businesses aren’t aware of the potential for being targeted by this type of attack.
There are resources available to assist MSPs, like joining a cybersecurity task force, which can provide access to best practices and intelligence briefings on the latest threats.