US Cybersecurity Agency Warns About Attacks Using RMM Tools

The threat of MSPs and their clients being targeted in attacks involving remote management software continues to be a major issue, CISA says in the warning.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that the malicious use of remote management tools continues to pose a major threat, pointing to a “widespread” cyberattack campaign from last fall that employed legitimate remote monitoring and management (RMM) software.

In May 2022, cybersecurity firms including ThreatLocker and Blackpoint Cyber reported observing that malicious actors were using remote management tools as part of cyberattacks including ransomware. That same month, international and U.S. cybersecurity authorities said they were aware of reports showing an increase in cyberattacks targeting managed service providers, and warned that stepped-up attacks on MSPs could be expected.

[Related: Free Trials Of RMMs Are Being Used By Bad Actors: Blackpoint Cyber CEO]

This week, CISA renewed the warning about the threat that MSPs are facing from cyberattacks targeting them and their customers.

“Threat actors often target legitimate users of RMM software” such as MSPs and IT help desks, CISA said in the alert posted on its website. “These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP‘s customers.”

Ultimately, “MSP compromises can introduce significant risk—such as ransomware and cyber espionage—to the MSP’s customers,” CISA said.

CISA disclosed that it has identified a “widespread cyber campaign involving the malicious use of legitimate RMM software” that took place last October. As part of the campaign, cybercriminals sent out phishing emails with the goal of getting users to download legitimate RMM software, leading to the theft of funds from the users’ bank accounts.

CISA identified ScreenConnect (now known as ConnectWise Control) and AnyDesk as the RMM tools used in the attacks, though “threat actors can maliciously leverage any legitimate RMM software,” the agency noted.

In a statement provided to CRN, ConnectWise said that, “Unfortunately, software products intended for good use, including remote control tools, can be frequently used by bad actors for malicious purposes. As a company, we strive to be proactive and work diligently to prevent this from happening through training and education as well as the use of comprehensive security tools to detect harmful behavior.”

Upon being “alerted of this behavior, ConnectWise regularly issues take-down requests to remove malicious sites and domains,” the company said in the statement.

CRN has reached out to AnyDesk for comment.

The use of RMM tools offers several advantages to attackers, including saving the attackers from having to create custom malware, as well as having the ability to bypass administrative requirements and software control policies when downloaded as a self-contained executable. RMM tools usually don’t end up getting blocked by anti-malware or antivirus products, either.

With the latest report from CISA, it’s clear that using RMM tools in cyberattacks is a top priority for many threat actors, said Ryan Loughran, help desk manager at New York-based managed IT services firm KJ Technology. Given the fact that such attacks can have severe consequences for both MSPs and their customers, it’s a threat that deserves more attention, Loughran said.

Many small and medium-sized businesses, in particular, don’t think about the potential for being targeted with this type of attack, he said. “It really is a topic that isn’t spoken about enough,” Loughran told CRN.

For that reason, security awareness training for all sizes of business is essential, said Paco Lebron, founder and CEO of ProdigyTeks, a Chicago-based MSP. Lebron has made it a requirement for his customers to participate in awareness training programs, in fact, which emphasizes the risks posed by phishing and social engineering attacks, and the need to avoid downloading unknown software.

“If they’re not going to do security awareness training, they’ll need to find someone else” to be their MSP, Lebron told CRN. “It starts with education.”

The bottom line is that more MSPs need to start viewing themselves as critical infrastructure, according to Robby Hill, CEO of HillSouth, a Florence, S.C.-based MSP. “Protecting MSPs is vital” on a national level, Hill said.

Importantly, there are resources available to assist MSPs, such as joining a cybersecurity task force — local, state or national — which can provide access to best practices and intelligence briefings on where these types of threats are headed, he said.

In October 2021, Microsoft said that the Russia-aligned hackers who were behind the SolarWinds breach had targeted more than 140 IT resellers and service providers in the prior months, and compromised as many as 14. The hackers sought to piggyback on the direct access resellers have to their customers’ IT systems and impersonate them to gain access to their downstream customers, a Microsoft executive said at the time.