IT teams are drowning in endpoints: 45% of organizations manage between 100 to 1,000 endpoints, while 32% manage between 1,001 to 5,000, according to a recent benchmark survey. However, the lifeboats these teams have been clinging to, Remote Monitoring and Management (RMM) tools, which enable them to manage hundreds of endpoints seamlessly, troubleshoot issues remotely, and ensure smooth operations, have sprung a severe leak.  

RMM tools have become a prime target for threat actors. There’s been a 70% year-over-year increase in RMM tool-based endpoint attacks. Now, even with this dramatic surge, the solution isn’t to abandon ship or ditch RMM tools; it’s to recognize that what makes them valuable to businesses also makes them attractive to malicious actors and follow a set of proven strategies that ‘plug the holes’ and reinforce the hull so attackers can’t exploit weak points.  

What are RMM Tools?

RMM tools are software solutions designed to help IT departments remotely monitor and manage endpoints, networks, and systems. Although features and functionalities vary by vendor, the most popular RMM tools from companies, such as ConnectWise, AnyDesk, and TeamViewer, tend to offer a centralized command center for: 

• Asset discovery and management 

• Software deployment and patch management 

• Environment monitoring and performance tracking 

• Network diagnostics and troubleshooting 

With IT teams notoriously stretched thin, these tools offer significant business advantages, including enhancing productivity and efficiency, improving system uptime and reliability, and providing comprehensive analytics and reports. Despite the benefits, RMM tools can easily become the gateway for attackers to penetrate environments. 

Why Do Threat Actors Target RMM Tools?

Like a moth to a flame, several factors make RMM tools a natural magnet for malicious actors. These include: 

Licensing Flexibility: Most RMM tools don’t require licenses for “non-commercial” applications, making them easily accessible to unauthorized users. 

Professional Features: RMMs offer stability, graphical user interfaces (GUI), and robust capabilities, making them appealing for legitimate and illegitimate purposes. 

Evasion Capabilities: These tools blend seamlessly into normal network operations, providing excellent cover for attackers. 

Ease of Access: RMM tools grant access to multiple endpoints simultaneously, allowing attackers to control numerous devices, compromise entire networks, spread malware, and steal data with a single-entry point. 

How RMM Tool Attacks Work

Motivated criminals will always find a way to carry out attacks. Some methods used to manipulate RMM tools are used frequently, while others specifically leverage the features of RMMs.  

Credential Theft: Hackers use phishing campaigns or other social engineering tactics to trick employees and steal login credentials for RMM tools. 

Brute Force: Attackers use automated tools to guess passwords and gain unauthorized access to RMM accounts. 

Installation of Malware: Cybercriminals use RMM tools to distribute malicious payloads across networks. 

Vulnerability Exploitation: Malicious actors take advantage of known weaknesses in RMM software to gain unauthorized access. 

Misuse of Legitimate Functions: Attackers leverage built-in features of RMM tools, such as those related to credential management or password reset, remote command-line interfaces, file transfer capabilities, network scanning capabilities, remote desktop access, and others.  

Real-world RMM Attacks

In 2021, Kaseya VSA suffered a massive ransomware attack that affected hundreds or possibly thousands of businesses worldwide. The attack, launched by REvil, utilized a known authentication bypass vulnerability (CVE 2021-30116). Not only was the company’s customer database compromised, but REvil delivered ransomware to Kaseya’s customers through what appeared to be a harmless software update. 

This year, LockBit ransomware was used to exploit two critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) in ConnectWise ScreenConnect, giving the attackers unauthorized access and the ability to execute malicious code remotely. Reports suggest that about 30 companies were affected and had their data encrypted. 

These incidents underscore the critical need for strong security measures around RMM tools. 

Mitigating RMM Exploitation 

To address the growing threat of RMM-based attacks, organizations must implement proven mitigations strategies. 

As CYREBRO’s SOC Team Lead, Daniel Ben Asayag explains: 

“Every time I hear about an RMM exploit, I’m reminded that our greatest strengths can also turn into our biggest vulnerabilities. It feels like we’re always walking a tightrope. While RMM tools can greatly boost IT team efficiency, threat actors see RMM tools as a vector into networks and infrastructures. To combat this, organizations need to reinforce these entry points with strong policies and quick IR capabilities. Securing and monitoring RMM systems is not just an IT task, it’s a fundamental aspect of cybersecurity strategy.” 

Here are some best practices to follow: 

Strong Authentication and Access Controls: Limit who can use RMM tools by implementing multi-factor authentication (MFA) and strict access policies such as the Principle of Least Privilege (POLP) and Role-based Access Control (RBAC). 

Endpoint Detection and Response (EDR): Employ advanced EDR solutions to monitor and respond to suspicious activities related to RMM tools. 

Continuous Monitoring: Maintain 24/7 surveillance of RMM tool usage and network activity to catch signs of compromise, such as unusual login attempts or unauthorized access. 

Regular Security Audits: Conduct frequent vulnerability assessments and software updates to identify vulnerabilities and address known flaws in RMM tools. 

Employee Training: Educate staff about the risks associated with RMM tools and best practices for secure usage. 

Secure Deployment and Configuration: Always follow the RMM provider’s best practices for deploying and configuring the tool, which should include limiting permissions and using secure communication protocols. 

Take Security One Step Further: The Role of MDR Solutions 

While mitigation strategies are essential, organizations prioritizing security should, at a minimum, implement a centralized logging and monitoring solution to track RMM tool usage across the network. 

However, a far better option would be an end-to-end Managed Detection and Response (MDR) solution, which offers a more comprehensive and proactive approach to security, identifying early signs of RMM-based attacks and other threats originating from various attack vectors. 

Here’s what sets MDRs apart from other types of security solutions: 

Continuous Monitoring: MDRs provide round-the-clock monitoring of networks, endpoints, and cloud environments, including RMM tool usage. 

Advanced Threat Hunting: Expert analysts use their experience and sophisticated techniques to proactively search for the initial signs of malicious activity. 

Rapid Incident Response (IR): When threats are detected, MDR teams can quickly respond and contain incidents before they escalate. 

Security Data Lake Integration: Advanced MDR solutions incorporate security data lakes, providing a scalable centralized repository for comprehensive analysis and correlation of events from all security and non-security. 

Machine Learning (ML) and AI: Advanced analytics and ML algorithms step in to automate manual tasks, accurately prioritize and triage alerts based on severity and accelerate identification and IR times.  

Mitigation Strategies and MDR: A Winning Combination

RMM tools are essential for IT management but can be exploited like any tool. Security leaders must be vigilant and take proactive measures to secure every tool in use and their entire IT environment.  

By implementing effective mitigation strategies with an MDR solution in its center, organizations can reduce the risks associated with RMM tools while still benefiting from their operational efficiencies and hardening their overall security posture.