As more people work remotely, IT departments must manage devices distributed over different cities and countries relying on VPNs and remote monitoring and management (RMM) tools for system administration.
However, like any new technology, RMM tools can also be used maliciously. Threat actors can establish connections to a victim’s device and run commands, exfiltrate data, and stay undetected.
This article will cover real-world examples of RMM exploits and show you how to protect your organization from these attacks.
What are RMM tools?
RMM software simplifies network management, allowing IT professionals to remotely solve problems, install software, and upload or download files to or from devices.
Unfortunately, this connection is not always secure, and attackers can use malicious software to connect their servers to a victim’s device. As these connections become easier to detect, however, ransomware-as-a-service (RaaS) groups have had to adjust their methods.
In most of the cyber incidents Varonis investigated last year, RaaS gangs employed a technique known as Living off the Land, using legitimate IT tools to gain remote control, navigate networks undetected, and steal data.
RMM tools enable attackers to blend in and evade detection. They and their traffic are typically “ignored” by security controls and organizational security policies, such as application whitelisting.
This tactic also helps script kiddies — once connected, they will find everything they need already installed and ready for them.
Our research identified two main methods attackers use to manipulate RMM tools:
- Abusing existing RMM tools: Attackers gain initial access to an organization’s network using preexisting RMM tools. They exploit weak or default credentials or tool vulnerabilities to gain access without triggering detection.
- Installing new RMM tools: Attackers install their preferred RMM tools by first gaining access to the network. They use phishing emails or social engineering techniques to trick victims into unwittingly installing the RMM tool on their network.
Below are common RMM tools and RaaS gangs:
Common RMM tools and RaaS gangs |
Real-world examples of RMM exploits
During a recent investigation, our Managed Data Detection and Response (MDDR) team analyzed an organization’s data and found, in the PowerShell history of a compromised device, evidence of an RMM tool named “KiTTY.”
This software was a modified version of PuTTY, a well-known tool for creating telnet and SSH sessions with remote machines. Because PuTTY is a legitimate RMM tool, none of the organization’s security software raised any red flags, so KiTTY was able to create reverse tunnels over port 443 to expose internal servers to an AWS EC2 box.
The Varonis team conducted a comprehensive analysis. They found that the sessions to the AWS EC2 box using KiTTY were key to revealing what happened, how it was done, and — most importantly — what files were stolen.
This crucial evidence was a turning point in the investigation and helped trace the entire attack chain. It also revealed the organization’s security gaps, how to address them, and the potential consequences of this attack.
Strategies to defend RMM tools
Consider implementing the following strategies to reduce the chance of attackers abusing RMM tools.
An application control policy
Restrict your organization from using multiple RMM tools by enforcing an application control policy:
- Ensure RMM tools are updated, patched, and accessible only to authorized users with MFA enabled
- Proactively block both inbound and outbound connections on forbidden RMM ports and protocols at the network perimeter
One option is to create a Windows Defender Application Control (WDAC) policy using PowerShell that whitelists applications based on their publisher. It’s important to note that creating WDAC policies requires administrative privileges, and deploying them via Group Policy requires domain administrative privileges.
As a precaution, you should test the policy in audit mode before deploying it in enforce mode to avoid inadvertently blocking necessary applications.
- Open PowerShell with administrative privileges
- Create a new policy: You can create a new policy using the New-CIPolicy cmdlet. This cmdlet takes a path to a directory or a file, scans it, and makes a policy that allows all files in that path, such as executables and DLL files, to run on your network.
For example, if you want to allow everything signed by the publisher of a specific application, you can follow the example below:
New-CIPolicy -FilePath “C:PathToApplication.exe” -Level Publisher -UserPEs -Fallback Hash -Enable -OutputFilePath “C:PathToPolicy.xml”In this command, -FilePath specifies the path to the application, -Level Publisher means that the policy will allow everything signed by the same publisher as the application, and -UserPEs means that the policy will include user-mode executables.
-Fallback Hash means that if the file is not signed, the policy will allow it based on its hash,-Enable means that the policy will be enabled, and -OutputFilePath specifies the path where the policy will be saved.
- Convert the policy to a binary format: WDAC policies must be deployed in a binary format. You can convert the policy using the ConvertFrom-CIPolicy cmdlet: ConvertFrom-CIPolicy -XmlFilePath “C:PathToPolicy.xml” -BinaryFilePath “C:PathToPolicy.bin”
- Deploy the policy: You can deploy the policy using the group policy management console (GPMC). To do this, you must copy the .bin file to the \WindowsSystem32CodeIntegrity directory on each computer where you want to deploy the policy. Then, you need to set the Computer Configuration → Administrative Templates → System Device Guard → Deploy Windows Defender Application Control policy setting to Enabled and set the Use Windows Defender Application Control to help protect your device option to Enforce.
Continuous monitoring
Monitor your network traffic and logs, especially regarding RMM tools. Consider implementing services like Varonis MDDR, which provides 24x7x365 network monitoring and behavioral analysis.
User training and awareness
Train your employees to identify phishing attempts and manage passwords effectively, as manipulating users is a common way attackers gain access to your network. Encourage the reporting of suspicious activity and regularly test your cybersecurity team to identify potential risks.
Reduce your risk without taking any.
As technology advances, it gives an edge to both defenders and attackers, and RMM tools are just one example of the potential threats orgs face.
At Varonis, our mission is to protect what matters most: your data. Our all-in-one Data Security Platform continuously discovers and classifies critical data, removes exposures, and stops threats in real time with AI-powered automation.
Curious to see what risks might be prevalent in your environment? Get a Varonis Data Risk Assessment today.
Our free assessment takes just minutes to set up and delivers immediate value. In less than 24 hours, you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation.
Note: This article originally appeared on the Varonis blog and written by Tom Barnea, a Security Specialist at Varonis.