It has come to light that hackers cleverly utilized two off-the-shelf remote monitoring and management systems (RMMs) to breach multiple Federal Civilian Executive Branch (FCEB) agency networks in the US last summer.
On Jan. 25, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory detailing the attacks, warning the cybersecurity community about the malicious use of commercial RMM software, and offering mitigations and indicators of compromise to watch out for.
IT service providers use RMMs to remotely monitor and manage clients' networks and endpoints. But hackers can use the same software to bypass typical software control policies and authorization requirements on victim computers — as the US government found out.
How Hackers Breached the Government With RMMs
Last October, CISA conducted a retrospective analysis of Einstein — its intrusion detection system, deployed across FCEB agencies. The researchers found, perhaps, more than they'd bargained for.
In mid-June last year, hackers sent a phishing email to an FCEB employee's government address. The email prompted the employee to call a phone number, and the call in turn led them to visit a malicious Web address: "myhelpcare.online."
Visiting the domain triggered the download of an executable, which then connected to a second domain, which is where two RMMs — AnyDesk and ScreenConnect (now ConnectWise Control) — came into play. The second domain didn't actually install AnyDesk and ScreenConnect clients onto the target's machine. Instead, it sidestepped installation altogether, delivering the programs as self-contained, portable executables configured to connect back to the threat actor's server.
Why does this matter? "Because," the authoring organizations explained, "portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software's installation on the network."
Having made a mockery of admin privileges and software controls, the threat actors could then use the executable "to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service."
It turns out, though, that the June compromise was merely the tip of an iceberg. Three months later, traffic was observed between a different FCEB network and a similar domain — "myhelpcare.cc" — and further analysis, the authors recalled, "identified related activity on many other FCEB networks."
Despite targeting government employees, the attackers appear to have been financially motivated. After connecting to target machines, they enticed victims to log in to their bank accounts, then "used their access through the RMM software to modify the recipient’s bank account summary," the authors wrote. "The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to 'refund' this excess amount to the scam operator."
Why Hackers Like RMMs
Hackers have a long history of utilizing legitimate software for illegitimate ends. Most popular are red-team tools — like Cobalt Strike and Metasploit — which cyber defenders use to test their own systems but can be seamlessly applied in the same way in an adversarial context.
Even software with no obvious relationship with cybersecurity can be repurposed for evil. As just one example, North Korean hacking clusters have been observed hijacking email marketing services to send phishing lures past spam filters.
RMMs, for their part, have become ubiquitous in recent years, giving attackers who use them an easy way to hide in plain sight. More than anything, though, it's the degree of autonomy that RMMs require in order to perform their normal functions that hackers turn to their advantage.
"Many RMM systems use tools that are built into the operating system," Erich Kron, security awareness advocate at KnowBe4, explains to Dark Reading. "These, as well as purpose-built RMM tools, typically have very high levels of system access, making them very valuable to attackers."
"To add to the issue," Kron notes, "RMM tools are often excluded from security monitoring as they can trigger false positives and appear malicious and unusual when doing their legitimate work."
Added together, "it makes the activities much harder to spot as they blend in with normal computing operations," he adds. Organizations that do manage to spot the difference will face the further headache of preventing malicious use of RMMs while preserving legitimate use of them on the same systems.
It's no wonder, then, that more hackers are adopting these programs into their attack flows. In a Jan. 26 report covering their incident response findings from the fourth quarter of 2022, Cisco Talos made special note of Syncro, an RMM they encountered in nearly 30% of all engagements.
It was "a significant increase compared to previous quarters," Talos researchers explained. "Syncro was among many other remote access and management tools, including AnyDesk and SplashTop, that adversaries leveraged to establish and maintain remote access to compromised hosts."
To conclude their notice, the NSA, CISA, and MS-ISAC suggested steps that network defenders can take to combat RMM-enabled attacks, including:
- Good hygiene and awareness around phishing,
- Identifying remote access software on your network and whether it's only being loaded into memory,
- Implementing controls against, and auditing for, unauthorized RMMs running as a portable executable,
- Requiring that RMMs only ever be used over approved virtual private networks and virtual desktop interfaces, and
- Blocking connections on common RMM ports and protocols at the network perimeter.
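As an added illustration of the second and third mitigations (this is not code from the advisory or from this article), the Python sketch below triages constructed Sysmon-style process-creation events: it flags an RMM binary that runs from a user-writable location rather than an installed path, which is the portable-executable pattern described above, and a client pointed at one of the domains the article names. The log format, the RMM name markers and the install roots are assumptions to be tuned per environment.

```python
from typing import Dict, List

# Assumed heuristics for illustration; adjust the markers and roots to your environment.
RMM_MARKERS = ("anydesk", "screenconnect")  # substrings of the two RMMs' client binary names
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")  # admin-installed locations
IOC_DOMAINS = {"myhelpcare.online", "myhelpcare.cc"}  # domains named in the article

# Constructed sample events (Sysmon Event ID 1 style, flattened to Key=Value|Key=Value).
SAMPLE_EVENTS = [
    r"Image=C:\Program Files (x86)\AnyDesk\AnyDesk.exe|User=CORP\svc_helpdesk|Cmd=AnyDesk.exe --service",
    r"Image=C:\Users\jdoe\Downloads\AnyDesk.exe|User=CORP\jdoe|Cmd=AnyDesk.exe",
    r"Image=C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe|User=CORP\jdoe"
    r"|Cmd=ScreenConnect.ClientService.exe ?h=myhelpcare.cc&p=8041",
    r"Image=C:\Windows\System32\notepad.exe|User=CORP\jdoe|Cmd=notepad.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=Value|Key=Value' record (the constructed format) into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event: Dict[str, str]) -> List[str]:
    """Return finding tags for one event; an empty list means nothing notable."""
    image = event.get("Image", "").lower()
    cmd = event.get("Cmd", "").lower()
    findings: List[str] = []
    if not any(marker in image for marker in RMM_MARKERS):
        return findings
    findings.append("rmm-present")
    # Portable use: the client runs from Downloads, Temp, AppData etc. rather than an
    # install root, so no installer and no admin rights were needed to get it running.
    if not any(image.startswith(root) for root in INSTALL_ROOTS):
        findings.append("rmm-portable-exec")
    # The client is configured to connect to a server the article names as malicious.
    if any(domain in cmd for domain in IOC_DOMAINS):
        findings.append("rmm-ioc-domain")
    return findings


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged event's image path to its findings, skipping clean events."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        event = parse_event(line)
        tags = classify(event)
        if tags:
            results[event["Image"]] = tags
    return results


if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(tags):48} {image}")
```

An installed AnyDesk service under Program Files is reported only as present, so a legitimately deployed RMM is not confused with a portable copy dropped into a user profile.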