CISA Unveils Plan to Slow the Hacker Abuse of RMM Tools

The nation’s top cybersecurity agency is rolling out a plan to address the security of remote monitoring and management (RMM) tools that are used by legitimate companies to improve the performance of IT systems but can pose a multiplying security risk when abused by hackers.

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the private sector through the Joint Cyber Defense Collaborative, this week published the Cyber Defense Plan for Remote Monitoring and Management, a roadmap for securing what has become an important tool for companies like managed service providers (MSPs) and an effective weapon in threat actors’ arsenals.

The new plan is the latest in a larger effort to address the risks arising from RMM software and the threats to MSPs, which are attractive targets for cybercriminals. MSPs use RMM and similar tools to remotely monitor their customers’ endpoints in real time and manage an array of IT systems, from servers to PCs to networks.

Given that, a bad actor that can hack into a single MSP can leverage the remote connections to access the IT environments of myriad downstream customers.

“Malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support,” CISA Director Jen Easterly said in a statement in May, when CISA and other US and international agencies outlined security best practices for MSPs. “It’s critical that MSPs and their customers take action to protect their networks. Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”

Two Pillars with Multiple Goals

The new RMM guidelines include two overarching pillars – operational collaboration and cyber-defense. Within those areas, the plan urges expanding the amount of cyberthreat and vulnerability information shared between the government and RMM vendors and users, maturing efforts to scale security in RMM software, educating users about security best practices, and amplifying advisories and alerts within the RMM ecosystem.

“This plan addresses issues facing the top-down exploitation of RMM software, through which cyber threat actors gain footholds into managed service provider servers and, by extension, into thousands of customer networks,” CISA wrote.

Hackers for several years have been targeting MSPs and RMM software. The high-profile 2021 breach of Kaseya involved the compromise of the company’s VSA RMM platform by the REvil ransomware gang, which affected dozens of MSPs and hundreds of client companies.

Cybersecurity firm Red Canary said last year that other ransomware groups, such as Conti and Avos Locker, also have used software suites like ScreenConnect (now called ConnectWise Control), Atera, and AnyDesk to compromise IT systems and gain persistence. Other threat actors also leverage RMM tools to deploy backdoors and other malware.

Some hackers also will sell the access they have to other cybercriminals and nation-state actors to use.

“The benefits RMM provides to system administrators – remote access and configuration and control of an endpoint – are the same reasons a threat actor finds RMM software to be an attractive target,” said Melissa Bischoping, director of endpoint security research at cybersecurity firm Tanium, adding that the new plan should help reduce the security risks from the software. “These types of applications are popular ‘living off the land’ resources for attackers because they are unlikely to trip common EDR or antivirus detections and often operate with a high level of permissions on the devices they control.”

CISA Warnings

In January, CISA, the National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a warning about a large campaign detected in October 2022 that was using legitimate RMM tools like ScreenConnect and AnyDesk in a refund scam to steal money from victims’ bank accounts.

“This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors – from cybercriminals to nation-state sponsored APTs – are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2),” the agencies wrote.
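Because the RMM tools named in the article are legitimate software, signature-based EDR rarely flags them; the practical defensive control is an inventory of which RMM product each host is approved to run, checked against process-creation telemetry. The script below is an added example written for this article, not code from CISA, the agencies quoted, or any vendor. The log format, the hostnames, the per-host approval policy and the executable names are all constructed for illustration; the product substrings matched come from the tools the article mentions (AnyDesk, ScreenConnect / ConnectWise Control, Atera, Kaseya VSA).

```python
"""Allowlist audit of RMM tool executions in process-creation logs.

Added example for the article; not CISA's or any vendor's code.
Log format, hosts, policy and executable names are constructed.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Substrings (lower-cased) that identify the RMM / remote-access products the
# article names. Matching on the product name rather than an exact executable
# name is deliberate: installers, agents and renamed copies all carry it.
RMM_SIGNATURES = {
    "anydesk": "AnyDesk",
    "screenconnect": "ScreenConnect / ConnectWise Control",
    "connectwise": "ScreenConnect / ConnectWise Control",
    "atera": "Atera",
    "kaseya": "Kaseya VSA",
}

# Constructed policy: the RMM product(s) each managed host is approved to run.
# A host missing from this table has no agreed RMM footprint at all.
APPROVED = {
    "ws-01": {"Atera"},
    "srv-02": {"Atera"},
    "ws-03": set(),  # assumption: no RMM of any kind is sanctioned here
}


@dataclass
class Finding:
    host: str
    user: str
    image: str
    parent: str
    product: str
    reason: str


def classify(image_path: str) -> Optional[str]:
    """Return the RMM product name if the image looks like an RMM tool, else None."""
    name = image_path.rsplit("\\", 1)[-1].lower()
    for needle, product in RMM_SIGNATURES.items():
        if needle in name:
            return product
    return None


def audit(log_text: str) -> List[Finding]:
    """Flag every RMM execution that the per-host policy does not approve.

    The parent process is carried into the finding because an RMM binary
    started by a mail client or browser is the refund-scam pattern the
    agencies describe, whereas the sanctioned agent starts from services.exe.
    """
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        product = classify(row["image"])
        if product is None:
            continue  # not an RMM tool; nothing to check
        host = row["host"]
        allowed = APPROVED.get(host)
        if allowed is None:
            reason = "host has no RMM policy on record"
        elif product not in allowed:
            reason = "RMM product not approved for this host"
        else:
            continue  # approved product on an approved host
        findings.append(Finding(host, row["user"], row["image"],
                                row["parent"], product, reason))
    return findings


# Constructed process-creation events (CSV): one approved agent start, two
# user-launched RMM installers, one unrelated system process, one unknown host.
SAMPLE_LOG = """ts,host,user,image,parent
2023-08-16T10:01:02Z,ws-01,alice,C:\\Program Files\\Atera Networks\\AteraAgent.exe,services.exe
2023-08-16T10:05:44Z,ws-01,alice,C:\\Users\\alice\\Downloads\\AnyDesk.exe,outlook.exe
2023-08-16T10:07:10Z,srv-02,svc-backup,C:\\Windows\\System32\\svchost.exe,services.exe
2023-08-16T10:09:31Z,ws-03,bob,C:\\Users\\bob\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe,chrome.exe
2023-08-16T10:12:00Z,lab-09,carol,C:\\Program Files\\AnyDesk\\AnyDesk.exe,explorer.exe
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.host:7} {f.user:11} {f.product:38} parent={f.parent:13} {f.reason}")
```

Run against the constructed log the audit reports three events: the AnyDesk download launched from Outlook on ws-01, the ScreenConnect client setup launched from Chrome on ws-03, and AnyDesk on a host with no policy at all; the sanctioned Atera agent on ws-01 is silent. The same check applies to service installs, scheduled tasks or installed-software inventories once those feeds are mapped to the same fields.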

AnyDesk officials in October 2022 wrote a detailed blog post about the various sophisticated phishing attacks organizations face and steps they can take, admitting that they “are aware that there have been instances where AnyDesk and tools from other Remote Desktop providers have been misused in phishing attempts” and adding that the company is pushing back against scammers.

The RMM plan rolled out by CISA is a component of the National Cybersecurity Strategy released by the Biden Administration in March to scale private-public cooperation and CISA’s Cybersecurity Strategic Plan released earlier this month to push government agencies and the private sector to adopt high-impact security measures.

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.