Published on January 26th, 2023
US Cybersecurity Agency Warns About Attacks Using RMM Tools
Kyle Alspach
The threat of MSPs and their clients being targeted in attacks involving remote management software continues to be a major issue, CISA says in the warning.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that the malicious use of remote management tools continues to pose a major threat, pointing to a "widespread" cyberattack campaign from last fall that employed legitimate remote monitoring and management (RMM) software.
In May 2022, cybersecurity firms including ThreatLocker and Blackpoint Cyber reported observing that malicious actors were using remote management tools as part of cyberattacks including ransomware. That same month, international and U.S. cybersecurity authorities said they were aware of reports showing an increase in cyberattacks targeting managed service providers, and warned that stepped-up attacks on MSPs could be expected.
[Related: Free Trials Of RMMs Are Being Used By Bad Actors: Blackpoint Cyber CEO]
This week, CISA renewed the warning about the threat that MSPs are facing from cyberattacks targeting them and their customers.
"Threat actors often target legitimate users of RMM software" such as MSPs and IT help desks, CISA said in the alert posted on its website. "These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP's customers."
Ultimately, "MSP compromises can introduce significant risk, such as ransomware and cyber espionage, to the MSP's customers," CISA said.
CISA disclosed that it has identified a "widespread cyber campaign involving the malicious use of legitimate RMM software" that took place last October. As part of the campaign, cybercriminals sent out phishing emails with the goal of getting users to download legitimate RMM software, leading to the theft of funds from the users' bank accounts.
CISA identified ScreenConnect (now known as ConnectWise Control) and AnyDesk as the RMM tools used in the attacks, though "threat actors can maliciously leverage any legitimate RMM software," the agency noted. CRN has reached out to ConnectWise and AnyDesk for comment.
Using RMM tools offers attackers several advantages. They do not have to write custom malware. When the tool is downloaded as a self-contained, portable executable, it runs without requiring administrator rights or a conventional install, so it sidesteps the administrative approvals and software control policies that govern installed software. And because the tools are legitimate, signed commercial products, anti-malware and antivirus products usually do not block them.
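The portable-executable behaviour described above is what a defender can key on: a sanctioned RMM deployment lives under Program Files and is started by the service manager, whereas a phished user runs the binary from Downloads or a Temp directory with a browser or mail client as the parent process. The following is an added example, not code from CISA or from CRN, that applies that heuristic to a few constructed process-creation log lines. The executable names for the ScreenConnect client and the `Image="..." ParentImage="..." User="..."` log format are assumptions for the illustration; adapt both to the RMM products and the telemetry (Sysmon, EDR, Windows Security log) actually in use.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed image names for the two RMM tools named in the CISA alert. The
# ScreenConnect client binary name varies by version, so treat this set as a
# placeholder to be replaced with the names seen in your own environment.
RMM_IMAGE_NAMES = {
    "anydesk.exe",
    "screenconnect.clientsetup.exe",
    "screenconnect.windowsclient.exe",
    "screenconnect.clientservice.exe",
}

# Where a sanctioned, installer-based deployment would live on a managed host.
SANCTIONED_PREFIXES = (r"c:\program files", r"c:\program files (x86)")

# Parent processes that suggest a user just downloaded and double-clicked the tool.
DOWNLOAD_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "explorer.exe"}

# Assumed key="value" process-creation record format (constructed for this example).
EVENT_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    image: str
    parent: str
    user: str
    reason: str


def parse_event(line):
    """Turn one key="value" record into a dict with lower-cased keys."""
    return {key.lower(): value for key, value in EVENT_RE.findall(line)}


def is_sanctioned_path(image):
    """True if the binary sits under a Program Files tree (installed, not portable)."""
    return image.lower().startswith(SANCTIONED_PREFIXES)


def classify(event):
    """Return a Finding for a suspicious RMM launch, or None if the event is benign."""
    image = event.get("image", "")
    name = PureWindowsPath(image).name.lower()
    if name not in RMM_IMAGE_NAMES:
        return None
    parent = PureWindowsPath(event.get("parentimage", "")).name.lower()
    reasons = []
    if not is_sanctioned_path(image):
        reasons.append("portable RMM binary outside Program Files")
    if parent in DOWNLOAD_PARENTS:
        reasons.append(f"launched from {parent}")
    if not reasons:
        return None
    return Finding(image=image, parent=parent, user=event.get("user", ""),
                   reason="; ".join(reasons))


def scan(lines):
    """Run the heuristic over an iterable of log lines and collect the findings."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records: one sanctioned service start, two phish-style launches,
# and one unrelated process.
SAMPLE_LOG = [
    r'Image="C:\Program Files (x86)\AnyDesk\AnyDesk.exe" ParentImage="C:\Windows\System32\services.exe" User="NT AUTHORITY\SYSTEM"',
    r'Image="C:\Users\alice\Downloads\AnyDesk.exe" ParentImage="C:\Program Files\Google\Chrome\Application\chrome.exe" User="CORP\alice"',
    r'Image="C:\Users\bob\AppData\Local\Temp\ScreenConnect.ClientSetup.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" User="CORP\bob"',
    r'Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" User="CORP\alice"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.user}: {f.image} <- {f.parent}: {f.reason}")
```

The sanctioned AnyDesk instance started by `services.exe` from Program Files produces no finding; the two launches from a user profile with a browser or Outlook as the parent each produce one. In production the same two signals (path outside the approved install location, interactive parent) are cheap to express as an EDR or SIEM rule, and an allowlist of the RMM products the MSP actually uses turns every other RMM binary into an immediate alert.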
With the latest report from CISA, it's clear that using RMM tools in cyberattacks is a top priority for many threat actors, said Ryan Loughran, help desk manager at New York-based managed IT services firm KJ Technology. Given that such attacks can have severe consequences for both MSPs and their customers, it's a threat that deserves more attention, Loughran said.
Many small and medium-sized businesses, in particular, don't think about the potential for being targeted with this type of attack, he said. "It really is a topic that isn't spoken about enough," Loughran told CRN.
For that reason, security awareness training is essential for businesses of all sizes, said Paco Lebron, founder and CEO of ProdigyTeks, a Chicago-based MSP. Lebron has in fact made it a requirement for his customers to participate in awareness training programs that emphasize the risks posed by phishing and social engineering and the need to avoid downloading unknown software.
"If they're not going to do security awareness training, they'll need to find someone else" to be their MSP, Lebron told CRN. "It starts with education."
The bottom line is that more MSPs need to start viewing themselves as critical infrastructure, according to Robby Hill, CEO of HillSouth, a Florence, S.C.-based MSP. "Protecting MSPs is vital" on a national level, Hill said.
Importantly, there are resources available to assist MSPs, such as joining a cybersecurity task force (local, state or national), which can provide access to best practices and intelligence briefings on where these types of threats are headed, he said.
In October 2021, Microsoft said that the Russia-aligned hackers who were behind the SolarWinds breach had targeted more than 140 IT resellers and service providers in the prior months, and compromised as many as 14. The hackers sought to piggyback on the direct access resellers have to their customers' IT systems and impersonate them to gain access to their downstream customers, a Microsoft executive said at the time.