
Attackers increasingly using legitimate remote management tools to hack enterprises

Attackers are increasingly abusing legitimate network management tools to camouflage their attacks on corporate networks, according to a report by security vendor CrowdStrike.

The report found a 70% year-over-year increase in the use of remote monitoring and management (RMM) tools by adversaries. ConnectWise ScreenConnect surpassed AnyDesk to become the most abused RMM tool between June 2023 and June 2024, according to CrowdStrike.

RMM tools are designed to help IT departments manage systems remotely. But in the wrong hands, these powerful tools become the perfect disguise for attackers.

“While using RMM tools is not a new method of attack, attackers are increasingly gravitating towards these tools because they offer several advantages over custom-written code,” according to Ben McCarthy, lead cybersecurity engineer at Immersive Labs.

RMM tools are widely and routinely used by IT managers, network administrators and security teams, especially in the era of hybrid work models, usually to fix IT faults, install programs, and transfer files within a network, Amir Sadon, director of IR research for Sygnia, tells CSO.

Attackers abuse RMM to hide in plain sight

By using legitimate RMM tools — rather than their own utilities — attackers can hide their malicious activities in plain sight, blending in with normal network traffic.

“Threat actors across various degrees of sophistication, especially ransomware groups, have been leveraging these [RMM] tools for years, as part of the living-off-the-land methodology, in which legitimate tools are utilized for malicious activities,” Sadon says.

Attackers can abuse existing RMM platforms within a network to gain initial access — either by exploiting vulnerabilities or by (more commonly) using stolen, default, or guessed credentials.

In many cases, attack groups are installing these RMM tools after breaking into targeted networks through other means before abusing them to achieve persistence or move laterally across compromised networks. Less frequently, attackers try to trick prospective targets into installing RMM tools through spear-phishing attacks.

RMM software is also distributed as portable executables, which lets cybercriminals establish local user access without holding administrator-level privileges and without fully installing the software.

“Because these [RMM] tools are designed for legitimate purposes, they often do not raise a red flag right away,” according to Martin J. Kraemer, security awareness advocate at KnowBe4. “Any time that cybercriminals manage to operate under the radar is valuable time for them. They can spend it learning the network to identify resources and information.”

Remote management tools are freely available, easily accessible, and powerful in providing remote access and control — exactly what attackers need. RMM tools do not require licenses for non-commercial applications. Despite their potentially low cost, the tools offer stability, a professional graphical user interface (GUI) and robust capabilities.

“Once they gain access to the network, using an RMM tool to maintain persistence, execute commands, transfer files, and run further discovery all become easily attainable as targets,” Kraemer says. “RMM tools are mostly already installed on the target machine. Cybercriminals do not need to deliver them as payload to the system.”

RMM is a Trojan horse of choice for attackers

RMM software appears more legitimate than custom-made malware and typically has correct and up-to-date certificates.

“It seems businesses’ own tools have become double-edged swords as RMM solutions,” Martin Greenfield, CEO of cybersecurity controls monitoring firm Quod Orbis, tells CSO. “Once the guardian angels of IT systems, they are now Trojan horses of choice for savvy attackers.”

Threat intelligence firm ReliaQuest reports that for some threat actors, “RMM tools have become favourite choices for maintaining persistent access” replacing custom backdoors and post-exploitation tools such as Cobalt Strike and Metasploit.

Between 2022 and 2024, more than one-third of the intrusions to which ReliaQuest responded involved RMM tools. All were perpetrated by cybercriminals deploying ransomware or likely preparing to deploy malware in attacks spanning multiple industry sectors and locations worldwide.

For example, ReliaQuest reports it has seen “threat actors affiliated with Qbot [a ransomware group] use RMM tools such as Atera and Splashtop, in addition to Cobalt Strike, as an alternative channel for persistent access.” Other threat actors, such as the Scattered Spider ransomware group, forego using traditional tools for access such as Cobalt Strike, instead relying primarily on RMM tools, according to ReliaQuest.

The tactic is mainly but not solely in play among cybercriminals. For example, the Iranian cyber espionage group Static Kitten routinely relies on RMM tools for persistence within target networks, according to CrowdStrike.

The top 10 remote management tools most abused by attackers in the 12 months to June 2024, according to CrowdStrike, were:

  • ConnectWise ScreenConnect
  • AnyDesk
  • TeamViewer
  • Atera Agent
  • Splashtop
  • NetSupport Manager
  • MeshAgent
  • RustDesk
  • Quick Assist
  • FleetDeck

CrowdStrike’s report on the abuse of network management technologies follows an earlier report by the US Cybersecurity and Infrastructure Security Agency (CISA) last year on how RMM tools have been widely exploited to attack US government agencies and other targets.

Strategies for mitigating RMM exploitation

By limiting which applications can be launched and carefully controlling access, enterprises can significantly reduce the risk of attackers exploiting RMM tools to infiltrate their systems. Organizations should look towards achieving heightened visibility and vigilant monitoring of RMM tool usage, coupled with rigorous access control and privilege management protocols, security experts advised.

Other mitigation tactics include the deployment of an application control policy that limits the use of RMM tools to system admins and the like running a specific up-to-date version of an approved utility. In addition, gateway security products can block IP ranges and ports that are not supposed to be connected through RMM tools.

Regular audits of RMM tool setups and usage are also useful in catching any suspicious changes or activities.
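The application-control and audit advice above, turned into a concrete check as an added example (not code from the article, CrowdStrike or any vendor named here): the script flags process-creation records in which one of the ten listed tools runs unapproved, by a user outside the permitted group, below the approved version, or from outside the install directories. The record fields, policy values and sample records are assumed or constructed for illustration.

```python
from dataclasses import dataclass
# Added example; record fields, policy values and sample paths are assumed/constructed.
# The ten tools in CrowdStrike's most-abused list, as named in the article.
ABUSED_RMM = {"ConnectWise ScreenConnect", "AnyDesk", "TeamViewer", "Atera Agent",
              "Splashtop", "NetSupport Manager", "MeshAgent", "RustDesk",
              "Quick Assist", "FleetDeck"}
# Allow-list policy (assumed): product -> (minimum version, users permitted to run it).
POLICY = {"ConnectWise ScreenConnect": ((24, 1, 0), {"CORP\\helpdesk-admin"})}
# Portable RMM builds run without installing; a launch outside these directories bypasses the approved deployment.
INSTALL_DIRS = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")

@dataclass
class ProcEvent:          # one process-creation record (assumed schema)
    host: str
    user: str
    product: str          # product name from the binary's version resource
    version: str
    path: str

def audit(event: ProcEvent) -> list:
    """Return the policy violations for one record (empty list = compliant)."""
    if event.product not in ABUSED_RMM:
        return []
    rule = POLICY.get(event.product)
    if rule is None:
        return [f"unapproved RMM tool {event.product!r} run by {event.user}"]
    min_version, allowed_users = rule
    findings = []
    if event.user not in allowed_users:
        findings.append(f"{event.product} run by non-admin {event.user}")
    if tuple(int(x) for x in event.version.split(".")) < min_version:
        findings.append(f"{event.product} {event.version} is below the approved version")
    if not event.path.startswith(INSTALL_DIRS):
        findings.append(f"{event.product} launched from non-install path {event.path}")
    return findings

# Constructed records: a compliant launch, an unapproved tool, and an outdated
# copy of the approved tool run by an ordinary user from a download folder.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "CORP\\helpdesk-admin", "ConnectWise ScreenConnect", "24.1.0",
              "C:\\Program Files (x86)\\ScreenConnect Client\\client.exe"),
    ProcEvent("ws02", "CORP\\jdoe", "AnyDesk", "8.0.6", "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"),
    ProcEvent("ws03", "CORP\\jdoe", "ConnectWise ScreenConnect", "22.6.1",
              "C:\\Users\\jdoe\\Downloads\\client.exe"),
]

for ev in SAMPLE_EVENTS:
    for finding in audit(ev):
        print(f"{ev.host}: {finding}")
```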

Louis Blackburn, operations director at global ethical hacker and red team cybersecurity solutions provider CovertSwarm, commented: “In order to combat this [RMM abuse] tactic, organizations need to focus on endpoint hardening and reducing their attack surface.”

“Implementing application control measures, such as Windows Defender Application Control (WDAC) or AppLocker, will act as a primary line of defence against these attacks by preventing unauthorized applications from running, ensuring that end-users can’t unknowingly provide access to an attacker using a valid RMM tool,” Blackburn said.

Jake Moore, global cybersecurity advisor at ESET, added: “Enterprises can help discover and mitigate attacks on RMM tools by enforcing robust multifactor authentication to secure access, regularly monitoring RMM activity for any suspicious behaviour and continually ensuring that all software is kept up to date with the latest security patches.”
