Hackers abuse legitimate remote monitoring and management tools in attacks

Researchers and government agencies warn that threat actors are increasing their use of legitimate remote monitoring and management (RMM) tools to enable financial scams.

Researchers from Cisco Talos reported this week that one particular commercial RMM tool called Syncro was observed in a third of the incident response cases the company was engaged in during the fourth quarter of 2022.

RMM tools are commonly used by managed service providers (MSPs) and IT help desks so their presence on an organisation’s network and systems might not raise suspicion.

In a number of the attacks discovered, threat actors sent help-desk-themed phishing emails to employees on both their government-issued and personal email addresses.

The link in the email led to a website that prompted the user to download an executable. If run, this file connected to a second domain controlled by the attackers and downloaded RMM tools such as ScreenConnect (now ConnectWise Control) and AnyDesk as self-contained portable executables. Because a portable executable runs without an installer, it needs no administrative privileges and sidesteps controls that only govern software installation, so the usual "users cannot install software" assumption offers no protection here.
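The chain above (a user-launched stager dropping a portable RMM client) leaves a distinctive trace in process-creation telemetry: a known RMM binary running from a user-writable directory rather than its installed location, often renamed, with a parent that was itself dropped by the user. The following detection logic is an added example, not code from the original page or from any vendor named in it. It works over Sysmon Event ID 1 style records; the binary names for AnyDesk and the ScreenConnect client are their real file names, while the trusted install roots, the user-writable path markers, and the sample events are assumptions constructed for the example.

```python
"""Flag portable or renamed RMM clients in Sysmon EID 1 style process records."""
from __future__ import annotations

import ntpath
from typing import Iterable, List

# Real client binary names for the two tools the page mentions; extend this
# map with whatever other RMM software is sanctioned in your environment.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.windowsclient.exe": "ScreenConnect (ConnectWise Control)",
    "screenconnect.clientservice.exe": "ScreenConnect (ConnectWise Control)",
}

# ASSUMPTION: where a sanctioned, installed copy is expected to live.
# Anything running elsewhere is treated as a portable/ad-hoc copy.
TRUSTED_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# ASSUMPTION: path fragments an ordinary user can write to without admin
# rights; a stager fetched from a phishing link normally lands in one of these.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_INSTALL_ROOTS)


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def classify(event: dict) -> List[str]:
    """Return the reasons one process-creation record looks like RMM abuse.

    An empty list means the record is either not an RMM client at all or an
    RMM client running from its expected install location with no red flags.
    """
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()  # PE version info, logged by Sysmon
    name = _basename(image)
    # Match on the on-disk name OR the embedded original name, so renaming
    # AnyDesk.exe to support.exe does not evade the rule.
    tool = RMM_BINARIES.get(name) or RMM_BINARIES.get(original)
    if tool is None:
        return []
    reasons = []
    if not _under_trusted_root(image):
        reasons.append(f"{tool} running outside trusted install roots: {image}")
    if original and original != name:
        reasons.append(f"{tool} binary renamed to {name} (OriginalFileName={original})")
    parent = event.get("ParentImage", "")
    if parent and _user_writable(parent):
        reasons.append(f"parent {parent} lives in a user-writable path (likely dropped stager)")
    return reasons


def find_rmm_abuse(events: Iterable[dict]) -> List[dict]:
    """Run classify() over a stream of records and keep only the hits."""
    findings = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings.append({"User": ev.get("User"), "Image": ev.get("Image"), "Reasons": reasons})
    return findings


# Constructed sample records (not real telemetry), mirroring Sysmon EID 1 fields.
SAMPLE_EVENTS = [
    {   # sanctioned, installed AnyDesk started by the service control manager
        "User": "NT AUTHORITY\\SYSTEM",
        "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
        "OriginalFileName": "AnyDesk.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    {   # portable AnyDesk dropped into Temp by a downloaded help-desk "update"
        "User": "CORP\\alice",
        "Image": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe",
        "OriginalFileName": "AnyDesk.exe",
        "ParentImage": r"C:\Users\alice\Downloads\helpdesk_update.exe",
    },
    {   # ScreenConnect client renamed to support.exe and run straight from Downloads
        "User": "CORP\\bob",
        "Image": r"C:\Users\bob\Downloads\support.exe",
        "OriginalFileName": "ScreenConnect.WindowsClient.exe",
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    },
    {   # unrelated benign process
        "User": "CORP\\carol",
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for hit in find_rmm_abuse(SAMPLE_EVENTS):
        print(hit["User"], hit["Image"])
        for reason in hit["Reasons"]:
            print("   -", reason)
```

The first record produces no finding, which is the point: the same binary is legitimate in one location and suspicious in another, so the rule keys on location, renaming and parentage rather than on the tool name alone. In production, feed it from your SIEM's process-creation events and pair it with an allow-list of the RMM products your MSP or help desk actually uses.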

Operators then used the RMM session to instruct victims to open their bank account in a web browser, and used that access to alter the displayed account summary so that it showed a larger-than-expected refund credited to the victim's account. The victim was then told to "refund" the excess to the scam operator; the bank's real records were never changed, only what the victim saw on screen.

Cisco Talos reported that nearly 40 per cent of its engagements in the same quarter involved phishing emails as the means of establishing initial access, followed by user execution of a malicious document or link.

The lack of multi-factor authentication (MFA) remains one of the biggest weaknesses in enterprise networks. In almost 30 per cent of incidents investigated by Talos, MFA was either completely missing or was enabled only for a few critical services and accounts.

How secure is the RMM tool your company uses? Are you using MFA and passphrases to protect your accounts and devices? Would you be able to recognise a financial phishing attempt from a threat actor?

If you are concerned about the security of your RMM or need help understanding your level of risk, request a free assessment to start your journey on protecting your company, employees and customers below. 

Contact