As more people work remotely, IT departments must rely on VPNs and remote monitoring and management (RMM) tools to manage devices spread across different cities and countries.
However, like any technology, RMM tools can also be turned to malicious ends: threat actors can connect to victim devices to execute commands, exfiltrate data, and remain undetected.
In this article, we’ll look at a real-world example of RMM abuse and explain how to protect your organization from these attacks.
What are RMM tools?
RMM software simplifies network management, allowing IT professionals to remotely troubleshoot issues, install software, and upload or download files to and from devices.
Unfortunately, that same connectivity can be abused. Attackers have long relied on their own malicious software to connect victim devices to attacker-controlled servers; as those connections have become easier to detect, Ransomware-as-a-Service (RaaS) groups have had to adjust their methods.
In most of the cyber incidents Varonis investigated last year, RaaS gangs employed a technique known as Living off the Land, using legitimate IT tools to gain remote control, navigate networks undetected, and steal data.
RMM tools allow attackers to blend in and avoid detection: attackers and their traffic are typically “ignored” by security controls such as application whitelisting and organizational security policies.
This tactic also lowers the bar for script kiddies: once they connect, everything they need is already installed and ready to use.
Our research identified two main methods attackers use to manipulate RMM tools:
- Abusing existing RMM tools: Attackers use the RMM tools already deployed in an organization to gain initial access to its network, exploiting weak or default credentials and vulnerabilities in the tools so that access is gained without triggering detection.
- Installing a new RMM tool: Attackers first gain access to a network and then install their RMM tool of choice, typically using phishing emails and social engineering to trick victims into unknowingly installing the RMM tool on their network.
Below are some popular RMM tools and RaaS groups:
(Table: Popular RMM Tools and RaaS Groups)
A real-world example of an RMM exploit
During a recent investigation, our Managed Data Discovery and Response (MDDR) team analyzed an organization’s data and found evidence of an RMM tool called “KiTTY” in the PowerShell history of a compromised device.
The software is a modified version of PuTTY, a well-known tool for opening Telnet and SSH sessions with remote machines. Since PuTTY is a legitimate RMM tool, none of the organization’s security software raised any warnings. As a result, KiTTY was able to create a reverse tunnel over port 443, exposing an internal server to an AWS EC2 box.
The Varonis team conducted a comprehensive analysis and found that the KiTTY sessions to the AWS EC2 boxes were key to revealing what happened, how it was done, and most importantly, which files were stolen.
This piece of evidence was the turning point in the investigation: it allowed the entire attack chain to be traced and highlighted the organization’s security flaws, how they were addressed, and the potential consequences of the attack.
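One check a responder could run after a case like this, written here as an added example and not taken from the Varonis investigation: it scans PowerShell console history lines for PuTTY-family binaries (KiTTY is a PuTTY fork) started with the -R remote port-forwarding option that produces a reverse tunnel, and flags any use of port 443. The tool list, the function name and the sample history lines are assumptions constructed for the example.

```powershell
# Added example, not from the Varonis article. Scans PowerShell history lines for
# PuTTY-family clients launched with -R (remote port forwarding, i.e. a reverse tunnel).
function Find-RmmTunnelCommands {
    param(
        [Parameter(Mandatory)][string[]]$HistoryLines,
        # Assumption: binaries worth flagging in this environment; extend as needed.
        [string[]]$Tools = @('kitty', 'kitty_portable', 'putty', 'plink')
    )
    # Match the tool name as a bare command or at the end of a path, with or without .exe.
    $toolRe = '(?:^|[\\/\s"])(' + ($Tools -join '|') + ')(?:\.exe)?(?=[\s"]|$)'
    for ($i = 0; $i -lt $HistoryLines.Count; $i++) {
        $cmd = $HistoryLines[$i]
        if ($cmd -match $toolRe) {          # -match is case-insensitive, so KiTTY matches too
            $tool = $Matches[1]
            [pscustomobject]@{
                Line          = $i + 1
                Tool          = $tool
                # -cmatch keeps the flag case-sensitive: -R (remote forward) is the one of interest.
                RemoteForward = [bool]($cmd -cmatch '(?:^|\s)-R\s+\S+')
                Uses443       = [bool]($cmd -match '(?<!\d)443(?!\d)')
                Command       = $cmd
            }
        }
    }
}

# Constructed sample history (not a real capture); 203.0.113.10 is a documentation address.
$sampleHistory = @(
    'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5',
    'C:\Tools\kitty.exe -R 443:10.20.30.40:443 ops@203.0.113.10',
    'putty.exe -ssh admin@fileserver.corp.example'
)
Find-RmmTunnelCommands -HistoryLines $sampleHistory | Format-Table -AutoSize
```

On a live host, feed it the current user's saved history with `Find-RmmTunnelCommands -HistoryLines (Get-Content (Get-PSReadLineOption).HistorySavePath)`; the second sample line is the only one reported with RemoteForward and Uses443 both true.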
Strategies for defending your RMM tools
To reduce the likelihood that an attacker will be able to exploit your RMM tool, consider implementing the following strategies:
Application Control Policies
Apply application control policies so that your organization cannot run more RMM tools than it has approved.
- Ensure your RMM tools are updated, patched, and accessible only to authorized users with MFA enabled.
- Proactively block both inbound and outbound connections for prohibited RMM ports and protocols at your network perimeter.
One option is to use PowerShell to create a Windows Defender Application Control (WDAC) policy that whitelists applications based on their publisher. Note that you need administrator privileges to create a WDAC policy, and domain administrator privileges to deploy it via Group Policy.
As a precaution, you should test your policies in audit mode before you deploy them in enforced mode to ensure that you do not inadvertently block required applications.
- Open PowerShell with admin privileges
- Create a new policy. The New-CIPolicy cmdlet scans a directory or file path and produces a policy that allows every file found there, including executables and DLL files, to run.
For example, to allow anything signed by the publisher of a specific application:
New-CIPolicy -FilePath "C:\Path\To\Policy.xml" -ScanPath "C:\Path\To\Application" -Level Publisher -UserPEs -Fallback Hash
In this command: -FilePath is the path where the policy XML is written; -ScanPath is the directory to scan; -Level Publisher makes the policy allow anything signed by the same publisher as the scanned application; -UserPEs includes user-mode executables rather than only drivers; and -Fallback Hash means that a file that is not signed is allowed on the basis of its hash instead.
A policy created this way starts in audit mode (rule option 3, Enabled:Audit Mode). When testing is complete, remove that option with Set-RuleOption -FilePath "C:\Path\To\Policy.xml" -Option 3 -Delete before converting and deploying the enforced version.
- Convert the policy to binary format. WDAC loads policies in binary form only, so convert the XML with the ConvertFrom-CIPolicy cmdlet: ConvertFrom-CIPolicy -XmlFilePath "C:\Path\To\Policy.xml" -BinaryFilePath "C:\Path\To\Policy.bin"
- Deploy the policy. You can deploy it using the Group Policy Management Console (GPMC). Copy the .bin file to the C:\Windows\System32\CodeIntegrity directory on each computer that should receive the policy (a single-policy-format file is read from the fixed name SIPolicy.p7b). Then, under Computer Configuration → Administrative Templates → System → Device Guard, enable the Deploy Windows Defender Application Control policy setting and point it at the policy file. Move from audit mode to enforcement only after the audit-mode test described above shows that no required application would be blocked.
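The steps above as one script, added here as an example and not taken from the Varonis article. It builds a publisher-based policy from the install directory of the single RMM tool the organization sanctions, merges it with the AllowMicrosoft template that ships with Windows (a policy built from one folder alone would block Windows itself once enforced), keeps audit mode unless -Enforce is given, deploys the binary locally, and reports the code-integrity state plus recent audit events. The paths, the parameter names and the assumption of an elevated session on a single test machine are the example's own.

```powershell
# Added example, not from the Varonis article. Run from an elevated PowerShell
# session on the test machine; re-run the final checks after a reboot.
param(
    [string]$ScanPath = 'C:\Approved\RMM',   # assumption: install dir of the one sanctioned RMM tool
    [string]$WorkDir  = 'C:\Policies',       # assumption: where the policy files are written
    [switch]$Enforce                          # leave out while validating in audit mode
)
$BaseXml   = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml"
$ScanXml   = Join-Path $WorkDir 'RmmScan.xml'
$PolicyXml = Join-Path $WorkDir 'RmmPolicy.xml'
$PolicyBin = Join-Path $WorkDir 'RmmPolicy.bin'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# 1. Scan the sanctioned tool: signed files get publisher rules, unsigned ones hash rules.
New-CIPolicy -FilePath $ScanXml -ScanPath $ScanPath -Level Publisher -Fallback Hash -UserPEs

# 2. Merge with the Microsoft-supplied base so Windows components stay allowed.
Merge-CIPolicy -OutputFilePath $PolicyXml -PolicyPaths $BaseXml, $ScanXml | Out-Null

# 3. Rule option 3 is "Enabled:Audit Mode": violations are logged, not blocked.
if ($Enforce) { Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete }
else          { Set-RuleOption -FilePath $PolicyXml -Option 3 }

# 4. WDAC only loads the binary form of the policy.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null

# 5. Local deployment: single-policy-format files are read from this fixed name.
Copy-Item -Path $PolicyBin -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force

# 6. Report the active user-mode policy state: 0 = off, 1 = audit, 2 = enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"User-mode code integrity status: $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"

# 7. While in audit mode, event 3076 records what enforcement would have blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Format-List TimeCreated, Message
```

Stay in audit mode until the 3076 events stop showing legitimate binaries, then re-run with -Enforce; the policy change takes effect after a reboot.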
Continuous monitoring
Monitor your network traffic and logs, especially for RMM tools. Consider implementing a service such as Varonis MDDR, which provides 24/7 network monitoring and behavioral analysis.
User Training and Awareness
Manipulating users is a common way for attackers to gain access to your network, so train your employees to identify phishing attacks and manage passwords effectively. Encourage reporting of suspicious activity and regularly test your cybersecurity team to identify potential risks.
Reduce risk without lifting a finger.
As technology advances, it creates advantages for both defenders and attackers, and RMM tools are just one example of the potential threats organizations face.
At Varonis, our mission is to protect what matters most: your data. Our all-in-one data security platform uses AI-powered automation to continuously discover and classify critical data, eliminate risk, and stop threats in real time.
Want to know what risks are prevalent in your environment? Take the Varonis Data Risk Assessment now.
Our free assessment takes just minutes to set up and provides immediate value: within 24 hours, you’ll have a clear, risk-based view of your most important data and a clear path to automated remediation.
Note: This article originally appeared on the Varonis blog.