
RMM Threats Exposed: CISA’s Game-Changing Cyber Defense Plan

RMM Tool Exploitation: Hackers exploit RMM tools as a backdoor to bypass security systems and gain persistent access to targeted networks, as highlighted by recent incidents involving ransomware groups and nation-states.

The U.S. cybersecurity defense agency, in collaboration with private enterprises, on Wednesday revealed its initial strategy for addressing security concerns linked to remote monitoring and management (RMM) tools.

IT departments in numerous major global organizations typically use RMM software to remotely access computers, aiding in tasks like software installations and assisting employees with various services.

In recent years, hackers have increasingly exploited these tools, especially within government networks, as an uncomplicated way to evade security systems and gain persistent access to targeted networks. For example, in January, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency disclosed that cybercriminals had compromised at least two federal civilian agencies through an RMM software-based refund scam campaign.

CISA announced on Wednesday that it collaborated with industry partners within the Joint Cyber Defense Collaborative (JCDC) to create a “clear roadmap for enhancing the security and resilience of the RMM ecosystem.”

Eric Goldstein, CISA’s Executive Assistant Director for Cybersecurity, explained that the organization collaborated with various U.S. agencies and RMM companies to formulate a strategy centered on four primary objectives: sharing vulnerability information, coordinating with the industry, educating end-users, and amplifying advisories.

Goldstein stated, “The collaborative effort to craft this plan has already achieved several milestones for RMM stakeholders and the ecosystem. As the JCDC leads the implementation of this plan, we have confidence that this public-private partnership within the RMM ecosystem will further mitigate risk to our nation’s critical infrastructure.”

RMM software empowers hackers to establish local user access without needing higher administrative privileges, effectively bypassing standard software controls and risk management assumptions, as emphasized by CISA and the NSA in their January communication.

These agencies cautioned that threat actors might sell access to compromised victims to government-backed hacking groups. They noted that both cybercriminals and nation-states exploit RMM software as a backdoor to maintain their presence in a system.

Further cybersecurity incidents involving RMM software include the Gandcrab ransomware group leveraging a vulnerability in a Kaseya plugin in February 2019 to deploy ransomware via ConnectWise Manage software on customer networks of managed service providers.

In November 2022, Microsoft reported that the Royal ransomware group used phishing emails carrying fake installers for AnyDesk. Additionally, leaked files from the Conti ransomware group showed that it used AnyDesk to maintain persistent access to victim networks. According to CISA, both ransomware groups and nation-states use RMM tools to compromise numerous downstream customer organizations.

CISA’s newly introduced plan, named the “Cyber Defense Plan for Remote Monitoring and Management,” aims to increase the exchange of cyber threat and vulnerability information between the U.S. government and RMM industry stakeholders. Additionally, it introduces mechanisms to foster the “maturation of scaled security efforts.”

Government agencies and RMM firms will create educational guides and recommendations for end-users to heighten awareness of best practices for safeguarding employees who utilize these products.

CISA also advocates for intensified efforts to amplify advisories and alerts within the RMM community, thereby strengthening the protection of tools exploited by hackers.

Goldstein highlighted that the plan advances the industry collaboration aspect of the National Cyber Strategy. CISA spent months collaborating with the cybersecurity sector on this initiative, engaging with vendors, operators, agencies, and other pertinent parties.

“Aligned with the vision of Congress and the Cyberspace Solarium Commission, JCDC Cyber Defense Plans aim to unite diverse stakeholders across the cybersecurity landscape to comprehend systemic risks and develop shared, actionable solutions,” Goldstein confirmed.

The RMM Cyber Defense Plan underscores the significance of this endeavor and the importance of both strong partnership and proactive planning in addressing systemic risks facing our nation. These planning endeavors rely on trusted collaboration with our partners, and this Plan truly embodies a partnership with the RMM community, industry, and interagency partners who contributed their time and effort to this vital undertaking.
