Hackers abuse legitimate remote monitoring and management tools in attacks

Security researchers warn that an increasing number of attackers are using legitimate remote monitoring and management (RMM) tools in their attacks to achieve remote access and control over systems. These tools are commonly used by managed service providers (MSPs) and IT help desks so their presence on an organization’s network and systems might not raise suspicion.

Researchers from Cisco Talos reported this week that one particular commercial RMM tool called Syncro was observed in a third of the incident response cases the company was engaged in during the fourth quarter of 2022. However, this wasn’t the only such tool used.

Separately in a joint advisory this week, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) the and Multi-State Information Sharing and Analysis Center (MS-ISAC) warned about the use of RMM tools in a refund scam that targeted the employees of multiple federal agencies.

“This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2),” the agencies wrote in their advisory.

Delivery as self-contained portable executables

In the attacks that CISA and its partners discovered, a group of attackers sent help-desk-themed phishing emails to employees on both their government-issued and personal email addresses. Those emails typically informed them of a pricey subscription renewal charged to their account and asked recipients to contact the customer support department if they wanted to cancel and refund it.

The email link led to a website that prompted an executable download. If run, this file connected to a second domain controlled by the attackers and downloaded RMM tools such as ScreenConnect (now ConnectWise Control) and AnyDesk in self-contained portable executable format. These portable executables don’t require installation or administrative privileges and are preconfigured to connect to a RMM server operated by the attackers, which gives them remote desktop access to the machine.

In this campaign, malicious operators instructed the victims through the RMM software to open their bank account in the browser and then used their access to modify the bank statement to show a larger-than-normal refund was issued to the victim’s account. The victims are then asked to send back the excess amount to the operator. This is known as a refund scam and has been quite common for many years now.

“Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity,” CISA and its partners wrote in the advisory. “For example, the actors could sell victim account access to other cybercriminal or advanced persistent threat (APT) actors.”

“ConnectWise takes the security of our products and our partners very seriously,” said Patrick Beggs, ConnnectWise CISO in a statement responding to CISA’s warning. “Unfortunately, software products intended for good use, including remote control tools, can be frequently used by bad actors for malicious purposes. As a company, we strive to be proactive and work diligently to prevent this from happening through training and education as well as the use of comprehensive security tools to detect harmful behavior.”

From scammers to ransomware gangs and beyond

Meanwhile, the malicious RMM usage that Talos observed has been primarily associated with ransomware attacks, showing other types of cybercriminals are jumping on this trend. In fact, ransomware attackers remained the top cause for incident response engagements for Talos during the previous quarter.

In one case, attackers using the Royal ransomware, which is a suspected spin-off of the now defunct Conti, deployed the AnyDesk RMM as a service on the victim machine to achieve persistence. The same affiliate also deployed red teaming frameworks such as Cobalt Strike and Mimikatz, continuing the trend of abusing dual-use tools.

In an increasing number of incidents that end with the deployment of Royal ransomware, attackers first use a malware dropper called BatLoader, which then deploys Cobalt Strike and other tools and finally the ransomware payload. BatLoader is a relatively new malware implant and researchers found it shared IOCs with previous Conti activity, including the deployment of a RMM agent from Atera.

An even more frequently abused RMM tool was Syncro, which was also deployed by BatLoader but also other attackers, including those using Qakbot, a long-running information stealer. The Qakbot distributors were also seen abusing another RMM called SplashTop together with various dual-use tools for Active Directory mapping such as ADFind and SharpHound.

“This quarter, nearly 40% of engagements featured phishing emails used as a means to establish initial access, followed by user execution of a malicious document or link,” the Talos researchers said in their report. “In many engagements, valid accounts and/or accounts with weak passwords also helped facilitate initial access whereby the adversary leveraged compromised credentials. It is important to note that for the majority of incidents, Talos IR could not reasonably determine the initial vector because of logging deficiencies or a lack of visibility into the affected environment.”

Aside from RMM tools, the built-in Microsoft Remote Desktop Protocol (RDP) continues to be exploited by attackers for initial access due to poor password hygiene and weak security controls.

The lack of multi-factor authentication (MFA) across enterprise networks remains one of the biggest weaknesses. In almost 30% of incidents investigated by Talos, MFA was either completely missing or was enabled only for a few critical services and accounts.

“Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs,” the researchers said. “To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.”

PsExec, a light-weight telnet replacement that allows attackers to execute applications on other systems, remains a popular tool for lateral movement. Talos recommends that organizations disable PsExec on their systems and environments and use Microsoft AppLocker to block access to other dual-use tools commonly abused by attackers.