With the rise of telecommuting, IT departments face the challenge of managing devices across various locations through VPNs and remote monitoring and management (RMM) software for system administration.
However, just like any novel technology, RMM utilities can also pose security risks. Malevolent actors can establish connections to a target’s device, execute commands, extract data, and remain concealed.
This post will present real-life instances of RMM exploits and provide guidance on safeguarding your entity against such attacks.
What do RMM tools do?
RMM applications streamline network administration, empowering IT experts to troubleshoot remotely, deploy software, and transfer files to and from devices.
Unfortunately, this connectivity is not always secure, and malicious agents can exploit this to establish connections between their servers and a victim’s device. As these connections become more detectable, ransomware-as-a-service (RaaS) syndicates have been forced to adapt their strategies.
In a majority of the cyber incidents investigated by Varonis last year, RaaS groups employed a tactic known as Living off the Land, utilizing legitimate IT tools to acquire remote control, navigate networks discreetly, and pilfer data.
RMM tools give attackers the ability to blend in and circumvent detection. These tools and their traffic are typically “disregarded” by security measures and organizational security directives, such as application whitelisting.
Moreover, this approach aids novice hackers—upon connection, they find all the necessary tools already in place and operational.
Our investigation identified two primary techniques that attackers employ to exploit RMM platforms:
- Exploiting existing RMM utilities: Attackers secure initial access to an organization’s network using pre-existing RMM tools. They capitalize on weak or default credentials or vulnerabilities in the tools to access without triggering alarms.
- Deploying new RMM utilities: Attackers introduce their preferred RMM software after infiltrating the network. They utilize phishing campaigns or social engineering tactics to coerce targets into unintentionally installing the RMM software.
Outlined below are common RMM tools and RaaS factions:
[Figure: Common RMM tools and RaaS gangs]
Instances of RMM Abuses in the Real World
In a recent inquiry, our Managed Data Detection and Response (MDDR) squad scrutinized an organization’s data and unearthed, in the PowerShell log of a compromised device, traces of an RMM tool named “KiTTY.”
This tool was a modified variant of PuTTY, a renowned application for establishing telnet and SSH sessions with remote machines. Since PuTTY is a legitimate RMM utility, none of the organization’s security solutions raised any alerts, enabling KiTTY to create reverse tunnels via port 443, exposing internal servers to an AWS EC2 instance.
The Varonis team conducted an exhaustive assessment, determining that the sessions to the AWS EC2 box using KiTTY were pivotal in uncovering the sequence of events, methodologies employed, and, most significantly, the files pilfered.
This critical evidence marked a crucial inflection point in the investigation, shedding light on the organization’s security loopholes, remedial steps, and the potential repercussions of the breach.
Measures to Safeguard RMM Software Tools
Consider employing the subsequent strategies to minimize the risk of RMM tool exploitation.
An application regulation approach
Prevent the use of multiple RMM tools in your organization by enforcing an application control approach:
- Ensure RMM utilities are up-to-date, patched, and exclusively accessible to authorized users with Multi-Factor Authentication (MFA) enabled.
- Actively prohibit both incoming and outgoing connections on banned RMM ports and protocols at the network perimeter.
One option entails formulating a Windows Defender Application Control (WDAC) policy via PowerShell that whitelists applications based on their issuer. It is imperative to note that setting up WDAC policies necessitates administrative privileges, and deploying them through Group Policy mandates domain administrative privileges.
As a precautionary measure, it is advisable to test the policy in audit mode before transitioning it to enforce mode to prevent inadvertent impediments to essential applications.
- Launch PowerShell with administrative rights.
- Create a new policy: a new policy can be created with the New-CIPolicy cmdlet. Given a directory to scan, it inspects the files found there, such as executables and DLL files, and writes a policy that allows them to run across your network. For instance, to authorize everything signed by the same issuer as a specific application, mirror the example below:

  ```powershell
  New-CIPolicy -ScanPath "C:\Path\To\ApplicationFolder" -Level Publisher -UserPEs -Fallback Hash -FilePath "C:\Path\To\Policy.xml"
  ```

  In this command, -ScanPath is the directory containing the application, -Level Publisher signals that the policy will approve all files signed by the same issuer as the scanned files, and -UserPEs indicates that user-mode executables will be covered by the policy. -Fallback Hash ensures that if a file lacks a signature, it will be permitted based on its hash, and -FilePath is the path where the policy XML will be written.
- Convert the policy to binary form: WDAC policies must be deployed in binary form. Convert the policy with the ConvertFrom-CIPolicy cmdlet:

  ```powershell
  ConvertFrom-CIPolicy -XmlFilePath "C:\Path\To\Policy.xml" -BinaryFilePath "C:\Path\To\Policy.bin"
  ```
- Deploy the policy: the policy can be deployed through the Group Policy Management Console (GPMC). To do this, copy the .bin file to the Windows\System32\CodeIntegrity directory on every computer where the policy is to apply. Then set the Computer Configuration → Administrative Templates → System → Device Guard → Deploy Windows Defender Application Control option to Enabled and set the “Use Windows Defender Application Control for ensuring device protection” option to Enforce.
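A complete run of the procedure above, as an added example that is not part of the original post: it builds the policy in audit mode first, as recommended, reviews the resulting audit events, and only then switches to enforcement. The scan directory, output paths and the Get-WdacAuditHits helper are assumptions for illustration.

```powershell
# Added example (not from the original post). Builds a WDAC publisher policy from the
# folder of an approved RMM agent, stages it in audit mode, reviews the audit log, and
# only then moves to enforcement. Paths are placeholders; run from elevated PowerShell.

$ScanDir   = 'C:\Program Files\ApprovedRMM'   # placeholder: folder of the sanctioned tool
$PolicyXml = 'C:\WDAC\RmmPolicy.xml'          # placeholder output locations
$PolicyBin = 'C:\WDAC\RmmPolicy.bin'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Scan the folder; allow anything signed by the same publisher, fall back to a
#    per-file hash for unsigned files, and include user-mode binaries.
New-CIPolicy -ScanPath $ScanDir -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs

# 2. Rule option 3 is "Enabled:Audit Mode": violations are logged, not blocked.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile to the binary form that is deployed via the GPO step described above.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. After deployment and a reboot, list what the policy would have blocked.
#    Event ID 3076 is the audit-mode record; 3077 is an enforced block.
function Get-WdacAuditHits {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Detail  = ($_.Message -split "`r?`n")[0]   # first line of the event message
        }
    }
}
Get-WdacAuditHits | Sort-Object Time -Descending | Format-Table -AutoSize

# 5. When the only hits are tools you mean to block (e.g. unsanctioned RMM agents),
#    drop audit mode, rebuild the binary, and redeploy it to enforce.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Review the audit hits over a full business cycle before step 5, since an essential but rarely used application may only surface after several days.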
Ongoing surveillance
Monitor the network traffic and logs continuously, especially concerning RMM tools. Deliberate on incorporating services such as Varonis MDDR, which delivers around-the-clock network monitoring and behavior analysis.
User training and insight
Educate your staff on recognizing phishing attacks and managing passwords efficiently, as influencing users is a common tactic for attackers to access networks. Advocate for the reporting of suspicious activities and conduct regular evaluations of your cybersecurity team to detect potential threats.
Minimize your vulnerability without compromising.
As technology progresses, it presents advantages and risks for both defenders and attackers, with RMM tools serving as just one illustration of potential threats organizations encounter.
At Varonis, we are dedicated to safeguarding what is most significant: your data. Our comprehensive Data Security Platform consistently uncovers and categorizes crucial data, eliminates vulnerabilities, and thwarts threats instantly using AI-driven automation.
Interested to ascertain prevalent risks in your environment? Obtain a Varonis Data Risk Assessment today.
Our complimentary assessment setup only requires a few minutes and offers immediate benefits. In less than a day, you will have a clear, risk-focused overview of the most crucial data and a straightforward plan for automated rectification.
Note: This write-up was initially featured on the Varonis blog.