Understanding the Risks of Remote Monitoring and Management Tools


On February 19, 2024, ConnectWise published a security bulletin detailing two critical vulnerabilities within their on-premises ScreenConnect software, stating that the vulnerabilities have the potential to result in remote code execution (RCE).

ScreenConnect is a widely utilized Remote Monitoring and Management (RMM) tool that has been leveraged by threat actors in the past, often in connection with ransomware attacks. The Arctic Wolf Labs team immediately distributed a security bulletin to all customers, as our threat intelligence team had assessed with high confidence that threat actors would target these vulnerabilities in the near term, given their severity and the potential for RCE.

This threat event was simply the latest in a long line of RMM vulnerabilities and exploits. And this trend won’t be slowing down anytime soon. So, what can an organisation do to prevent cyber attacks through their RMM tools? It starts with understanding what they are, what they do, and how threat actors can exploit them.

What Is Remote Monitoring and Management?

Remote Monitoring and Management (RMM) tools enable organisations to oversee a distributed network of IT systems, networks, and endpoints, which has become an essential capability in the modern world where many users can work from anywhere, anytime. RMM tools are designed to protect these users and the data they access and store, but optimising and managing these tools can be a challenge for in-house IT and security teams. And not doing so can have dire consequences for an organisation’s cybersecurity.

Vulnerabilities in remote access tools, such as ConnectWise ScreenConnect, have become a favorite for threat actors seeking initial access, and that danger has only grown. In 2023, we saw threat actors get more creative in the ways they leverage and abuse RMM tools, which allow them to blend into normal enterprise network traffic, obfuscating both their activity and their presence.

The Benefits of Remote Monitoring and Management Tools

RMM tools and software, like all aspects of an organisation’s tech stack, are a double-edged sword. They enable access across a distributed environment, which is essential for working in the modern, interconnected world. But, by doing so, they also expand an organisation’s attack surface, increasing the security burden on already taxed IT and security teams. Still, the risks have proven to be worth it for most organisations, and especially managed service providers (MSPs), because of the benefits RMM tools and software provide, including:

  • Greater Scalability
  • Reduced Downtime
  • Improved Automation
  • Enhanced Security

These security features can help security teams better protect their environment; however, the default settings are often of little practical value to an organisation, and optimising these features takes time and staff power that many organisations simply can’t spare.

And it’s here, when overworked security teams can’t spare the budget, time or staff to optimise and effectively manage RMM tools, that the risks begin to rise.

The Risks of Remote Monitoring and Management Tools

Threat actors are increasingly gaining access to networks through remote management tools that IT providers use to manage networks. These tools — such as Microsoft Remote Desktop Protocol, ConnectWise Automate, Kaseya, and TeamViewer — are all but ubiquitous in the modern threat landscape, as they are essential to business operation and system maintenance. Unfortunately, if an attacker gains access to them via something like token theft, credential harvesting, or phishing, they can take any action they desire on the target network. These tools typically have full management capabilities for every single system, which means with a few clicks, attackers can steal data, delete backups, and deploy ransomware.

Even if your environment doesn’t rely on RMM tools, even if you don’t have a single one in your tech stack, that doesn’t mean your environment is safe from them. In fact, attackers love to install legitimate IT remote access tools in a network as much as they love to breach the RMM tools an organisation might already have. Because these tools are legitimate, signed software, they are almost never flagged by antivirus and endpoint detection and response (EDR) tools, two primary security solutions employed by organisations at the earlier stages of their security journey. They are also full-featured and easy to use. This makes them a great method of maintaining access to networks.
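Because a legitimate remote access tool rarely trips antivirus or EDR on its own, the practical detection is inventory-based: flag any RMM binary that runs on a host where IT never deployed it. The script below is an added example, not code from the original post or from Arctic Wolf; the process-creation log lines and the approved-deployment list are constructed, and the executable names mapped to the products the post mentions are assumptions you should replace with your own inventory.

```python
"""Flag RMM tool launches that are not covered by the approved deployment inventory."""
import csv
import io

# Executable name -> product. Names are assumptions; populate from your own inventory.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "ltsvc.exe": "ConnectWise Automate",
    "agentmon.exe": "Kaseya VSA",
    "teamviewer.exe": "TeamViewer",
}

# (host, product) pairs that IT actually manages. Constructed for this example.
APPROVED = {
    ("ws-fin-01", "ConnectWise Automate"),
    ("ws-fin-02", "ConnectWise Automate"),
}

# Constructed process-creation events in a simple CSV form: timestamp,host,user,image
SAMPLE_LOG = """timestamp,host,user,image
2024-02-20T08:01:10Z,ws-fin-01,CORP\\svc_it,C:\\Windows\\LTSvc\\LTSVC.exe
2024-02-20T08:03:44Z,ws-fin-02,CORP\\svc_it,C:\\Windows\\LTSvc\\LTSVC.exe
2024-02-20T09:15:02Z,ws-hr-07,CORP\\jdoe,C:\\Users\\jdoe\\AppData\\Local\\Temp\\TeamViewer.exe
2024-02-20T09:20:31Z,ws-fin-01,CORP\\jdoe,C:\\Program Files\\ScreenConnect Client\\ScreenConnect.ClientService.exe
2024-02-20T10:00:00Z,ws-hr-07,CORP\\jdoe,C:\\Windows\\System32\\notepad.exe
"""


def find_unapproved_rmm(log_text):
    """Return events where a known RMM binary ran outside the approved (host, product) set."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        exe = row["image"].rsplit("\\", 1)[-1].lower()  # basename, case-insensitive
        product = RMM_BINARIES.get(exe)
        if product is None:
            continue  # not a remote-access tool we track
        if (row["host"], product) in APPROVED:
            continue  # expected deployment managed by IT
        findings.append({"time": row["timestamp"], "host": row["host"],
                         "user": row["user"], "product": product, "image": row["image"]})
    return findings


if __name__ == "__main__":
    for f in find_unapproved_rmm(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['user']}: unapproved {f['product']} ({f['image']})")
```

On the sample data the two approved Automate agents are ignored, while the TeamViewer launch from a user's Temp directory and the ScreenConnect client on a host that only has Automate approved are both reported.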

But these are not the only risks that come with RMM tools. Organisations employing them also must grapple with:

Security Concerns:

RMM tools, by their very nature, regularly store or offer access to sensitive systems, data, and user credentials. The problem is that many in-house security teams don’t have the bandwidth to ensure these tools are properly secured. Threat actors are well aware of all of this, which is why we continue to see an increase in attacks on RMM tools by cybercriminals. A breach of this kind of sensitive information can lead to extortion, future cyber attacks, and issues maintaining cyber insurance and compliance.

Misconfigurations:

RMM tools rarely come fully ready to deploy in an organisation’s tech stack, because the factory settings haven’t been fine-tuned for the individual environment. Failure to properly configure an RMM tool, or the misconfiguration of one, can introduce new vulnerabilities and risk.

Too Much Automation:

The double-edged sword strikes again. RMM tools enable essential automation of routine tasks, but overreliance on this automation can introduce new risk as IT and security teams afford the tools too much trust, leading to a lack of security expert oversight, so that events which should be caught are missed.

Integration Challenges:

Any new tool or solution needs to be able to play nice with the rest of your tech stack. However, RMM tools can struggle to fully integrate with existing IT infrastructure, leading to incompatibilities that can introduce vulnerabilities and reduce their efficacy.

The proper management and optimisation of RMM tools can reduce or mitigate these risks, but doing so requires consistent updates and patching, which can again increase the workload on a security team.

How To Combat the Risks of RMM Tools

RMM tools have become a vital part of the cybersecurity toolbox. But, as with any tool in an organisation’s tech stack, the value they provide can’t be outweighed by the risk they introduce. IT and security teams can combat those risks, as well as reduce or eliminate them, through a series of proactive strategies.

Identity Threat Detection and Response (ITDR)
ITDR combines threat intelligence, identity best practices, tools, and processes to protect identities within an organisation. ITDR should include regular analysis of permission configurations, multi-factor authentication (MFA), privileged access management (PAM), and the monitoring of users and identity sources. Many managed detection and response (MDR) solutions can now monitor identities in addition to other environment components.

Identity and Access Management (IAM)
The three main tenets of IAM are governance, or the determination of who has access to what, control of that access, and the continuous monitoring of users and their access. IAM should be regularly adjusted as operational and security needs change. IAM strategies often follow a zero trust framework and should employ the principle of least privilege (PoLP) to prevent threat actors from using password-based attacks to obtain privileged access.

Comprehensive Security Awareness Training
Many cyber attacks begin with the user — whether it’s the user falling for a phishing email or not practicing strong password hygiene — so educating users and reducing human risk is paramount to better security for your RMM tools. Strong security awareness training should include up-to-date content, phishing simulations, compliance training, and engage users with tactics such as micro learning to increase resilience.

Proactive Patch Management
Keeping your RMM tools and associated systems up to date with the latest patches and security updates mitigates known vulnerabilities and closes the window in which threat actors can exploit them.

Incident Response Planning
Developing and documenting an incident response plan, as well as engaging with an incident response provider, can help you quickly recover from a successful cyber attack launched through your RMM tools and restore business operations to a pre-incident state.

However, effectively and proactively mitigating and reducing the risks inherent in RMM tools can be a tall order to ask of an in-house security team, which is why many are turning to a third-party solution provider.

How Arctic Wolf Can Help

The primary risks around RMM tools involve incomplete monitoring and ineffective vulnerability management: two things that require time, staffing, and expertise.

The Arctic Wolf® Security Teams ensure we have a complete understanding of your unique IT environment right from the start. Our Security Operations Center (SOC) then monitors security events across your entire environment, including network, cloud, server, endpoint, RMM tools, and IoT devices. These events are enriched and analyzed by the Arctic Wolf® Platform to provide your team with 24×7 coverage and essential security operations expertise, elevating only true threats, with our Concierge Security® Team delivering strategically tailored security recommendations to continuously improve your overall posture.

With the 24×7 monitoring, detection and response capabilities of Arctic Wolf® Managed Detection and Response, we ensure your RMM tools are optimised for your environment and that no important event is missed. And the proactive vulnerability and risk management provided by Arctic Wolf® Managed Risk helps you discover and assess the digital risks you face and harden your environment against them.

Discover the top ten vulnerabilities you should address to make it less likely your organization will face a cyber attack in the Arctic Wolf Labs 2024 Threat Report.

Learn how organizations around the globe are establishing priorities and addressing top security challenges in The State of Cybersecurity: 2024 Trends Report.

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.