Hackers Use Legitimate RMM Software to Steal from Federal Employees

  • Written by Edward Gately
  • January 27, 2023
Attacks on RMMs have caused "insurmountable" losses for SMBs.

A new joint cybersecurity advisory warns of cybercriminals’ malicious use of legitimate remote monitoring and management (RMM) software.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released the advisory. Several federal civilian executive branch (FCEB) agencies fell victim to a financially motivated phishing campaign.

In October, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, threat actors sent phishing emails that led to the download of legitimate RMM software – ScreenConnect (now ConnectWise Control) and AnyDesk – which they used in a refund scam to steal money from victim bank accounts.

Since last June, CISA has observed threat actors sending help desk-themed phishing emails to FCEB staff’s personal and government email addresses.

After downloading the RMM software, threat actors typically use it to initiate a refund scam. They convince the target to log into their bank account while still connected to the system.

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cybercriminal or advanced persistent threat (APT) actors.

Campaign Highlights Threats Associated with RMM Software

This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software. After gaining access to the target network via phishing or other techniques, malicious cyber actors, from cybercriminals to nation-state sponsored APTs, are known to use legitimate RMM software as a backdoor for persistence and/or command and control.

Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation. They effectively bypass common software controls and risk management assumptions.
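A defender-side illustration of the point above, added here and not part of the article or the CISA advisory: a small Python check over constructed process-creation records that flags RMM client binaries started from outside their sanctioned install location, which is the footprint of a portable executable run without installation. The binary names, sanctioned paths, parent-process list and record format are all assumptions.

```python
import re
from dataclasses import dataclass

# Assumed/illustrative RMM client binary names; replace with your own inventory.
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe",
                "screenconnect.windowsclient.exe"}
# Assumed locations where a fully installed, sanctioned RMM client is expected to live.
SANCTIONED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# User-writable locations typical of a portable binary run straight from a download.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(downloads|appdata|desktop)\\|^c:\\windows\\temp\\")
# Parents that indicate a download-and-run chain (browser or mail client).
BROWSER_OR_MAIL = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

@dataclass
class ProcEvent:
    ts: str
    user: str
    image: str   # full path of the started executable
    parent: str  # image name of the parent process

def parse_event(line: str) -> ProcEvent:
    """Parse a constructed 'ts|user|image|parent' process-creation record."""
    ts, user, image, parent = (f.strip() for f in line.split("|", 3))
    return ProcEvent(ts, user, image, parent)

def assess(ev: ProcEvent):
    """Return a reason string if the event looks like portable RMM use, else None."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name not in RMM_BINARIES:
        return None
    path = ev.image.lower()
    if path.startswith(SANCTIONED_ROOTS):
        return None  # installed client in its normal location: treat as sanctioned
    reasons = [f"{name} outside sanctioned install root"]
    if USER_WRITABLE.search(path):
        reasons.append("run from user-writable directory (portable use)")
    if ev.parent.lower() in BROWSER_OR_MAIL:
        reasons.append(f"spawned by {ev.parent} (download-and-run)")
    return "; ".join(reasons)

def scan(lines):
    """Return (ts, user, image, reason) for every record that assess() flags."""
    hits = []
    for ev in map(parse_event, lines):
        why = assess(ev)
        if why:
            hits.append((ev.ts, ev.user, ev.image, why))
    return hits

# Constructed sample records: one sanctioned install, two portable launches, one benign process.
SAMPLE_EVENTS = [
    "2023-01-27T09:01:05Z|CORP\\jdoe|C:\\Program Files\\AnyDesk\\AnyDesk.exe|explorer.exe",
    "2023-01-27T09:14:22Z|CORP\\asmith|C:\\Users\\asmith\\Downloads\\AnyDesk.exe|chrome.exe",
    "2023-01-27T09:15:40Z|CORP\\asmith|C:\\Users\\asmith\\AppData\\Local\\Temp\\ScreenConnect.WindowsClient.exe|outlook.exe",
    "2023-01-27T09:20:00Z|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|explorer.exe",
]
```

Feeding real endpoint telemetry through `scan()` requires only adapting `parse_event()` to the field order your sensor emits.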

Michael Jenkins, ThreatLocker’s CTO, said the weaponization of RMMs has been an ongoing theme in recent times.

“RMM is the foundation of business operations for MSPs and IT help desks, giving administrators the functionality of remote access, remote patching, installing software and overall maintenance,” he said. “As it is such a vital business tool for IT professionals, RMMs have access to a tremendous amount of data. Hackers manipulating these tools will be like handing the keys to the kingdom or your organization.”

Modern-day attacks on RMMs have caused “insurmountable” losses for SMBs, possibly crippling the company as they suffer from more extended downtime than larger enterprises, Jenkins said.

“Most importantly, it is a loss of trust and confidence from the end-user,” he said. “To defend against the manipulations of RMMs and other supply chain attacks, IT administrators should utilize a zero trust model as a baseline in their cybersecurity offerings.”

Using RMM Software Reduces Hackers’ Risk

Patrick Tiquet is Keeper Security’s vice president of security and architecture. He said cybercriminals reduce their risk of discovery when using legitimate software such as RMM that may have already been installed on the victim’s device.

“Using portable executables provides a way for these bad actors to establish local user access without the need for administrative privilege or full software installation,” he said. “A malicious attack that’s launched through legitimate software bypasses common software controls and creates fewer new files that detection tools would catch.”

These government employees were likely lured into clicking, and thus executing the malicious download of RMM software, by the “pinstripes” of the email, such as the logo or colors of a legitimate site, Tiquet said.

“Portable executables of this legitimate software were used to steal money from the victims,” he said. “However, the access provided through this scheme also puts these organizations at risk of additional malicious activity as well. Government network defenders should review the indicators of compromise and apply CISA’s mitigation recommendations immediately. And all organizations should be aware and on the lookout for this type of phishing scheme. It’s equally important to train employees how to identify suspicious phishing emails or smishing text messages that seek to install malware into critical systems, prevent user access and steal sensitive data.”

Thwarting Social Engineering

Erfan Shadabi is head of marketing at Comforte AG, a data security provider.

“All it takes is one moment of inattention or gullibility, and the threat actor carrying out social engineering techniques is one step closer to the ultimate goal,” he said. “Organizations can do two things. One, build an organizational culture that values data privacy and encourages employees to slow down and consider all of the ramifications before acting on requests for sensitive information. If business leaders can get behind initiatives that help employees take the time to do the right thing, then the culture of data privacy and data security will be that much stronger. Two, IT leaders can consider data-centric security as a means to protect sensitive data rather than the perimeters around data.”

Tokenization, for example, doesn’t just make sensitive data elements incomprehensible, Shadabi said. It also preserves data format so business applications and users can still work with the data in protected states.

“If you never de-protect data, chances are that even if it falls into the wrong hands, the sensitive information cannot be compromised,” he said.
