New secure remote access software guide covers common exploitations, associated TTPs, recommended best practices

Cybersecurity agencies have released a joint guide to help network administrators and defenders secure remote access software. It provides an overview of common exploitations and the associated tactics, techniques, and procedures (TTPs) used by cyber threat actors, and it includes recommendations to IT/OT (operational technology) and ICS (industrial control systems) professionals and organizations on best practices for using remote capabilities and on how to detect and defend against malicious actors abusing this software.

Authored by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Israel National Cyber Directorate (INCD), with contributions from private sector partners, the document, titled ‘Guide to Securing Remote Access Software,’ covers remote access software that provides IT/OT teams with flexible ways to detect anomalous network or device issues early on and to proactively monitor systems.

“Cyber threat actors are increasingly co-opting these same tools for easy and broad access to victim systems. While remote access software is used by organizations for legitimate purposes, its use is frequently not flagged as malicious by security tools or processes,” the guide assesses. “Malicious actors exploit this by using remote access software to establish network connections through cloud-hosted infrastructure while evading detection. This type of intrusion falls into the category of living off the land (LOTL) attacks, where inherently malicious files, codes, and scripts are unnecessary, and cyber threat actors use tools already present in the environment to sustain their malicious activity.”

“Remote access may be a useful option for many organizations, but it also could be a threat vector into their systems,” Eric Chudow, NSA’s system threats and vulnerability analysis subject matter expert, said in a media statement. “If not properly secured, it could enable cyber actors to use or even have control over systems and resources, and can be used as part of living off the land techniques.”

Last month, U.S. and international cybersecurity partners released a joint cybersecurity advisory highlighting malicious activity by a People’s Republic of China (PRC) state-sponsored hacker group known as Volt Typhoon. The agencies revealed that private sector partners had identified activity affecting networks across U.S. critical infrastructure sectors, and they believe the group could apply the same techniques against these and other sectors worldwide. One of the group’s primary TTPs is living off the land, which uses built-in network administration tools to accomplish its objectives.

The guide identified that remote monitoring and management (RMM) software in particular has significant capabilities to monitor or operate devices and systems as well as attain heightened permissions, making it an attractive tool for malicious actors to maintain persistence and move laterally on compromised networks. “This enables MSPs or IT help desks to monitor multiple devices and networks at once, however, these same features also make managing multiple intrusions easier for cyber threat actors. In this way, remote access software has become a common, high-value instrument for cyber threat actors, especially ransomware groups.” 

It also added that small- and mid-sized businesses rely on managed service providers (MSPs) and use various types of remote access software to supplement their own IT, OT, and ICS infrastructures and scale network environments without having to develop those capabilities internally. This makes businesses that much more vulnerable to service provider supply chain compromises, exploitation, or malicious use of remote capabilities.

The guide disclosed that remote access software is particularly appealing to threat actors because the software does not always trigger security tools, does not require extensive capabilities development, and may allow hackers to bypass software management control policies. The software also could allow hackers to bypass firewall rules and can facilitate multiple cyber intrusions.

Cyber threat actors use remote access software for initial access, maintaining persistence, deploying additional software and tools, lateral movement, and data exfiltration, the guide added. “As such, remote access software—and RMM in particular—is often used by cybercriminals in ransomware incidents, and in certain APT campaigns.”

The guide added that, before leveraging remote access software as part of an intrusion, cyber actors may exploit vulnerable software. “This may include exploiting legitimate servers that are then leveraged for malicious purposes. It may also include general network exploitation activities such as installing or placing remote access client software for persistence.”

“Threat actors may also obtain legitimate, compromised remote access software credentials that ultimately enable them to exercise control over remote endpoints associated with the compromised account,” the document added. “Once initial access is obtained threat actors often use PowerShell or similar command line tools to silently deploy the RMM agent. Often, threat actors leverage multiple RMM mechanisms at once. Sometimes malicious actors also use RMM software in concert with commercial penetration testing tools such as Cobalt Strike or remote access malware to enable multiple, often redundant, forms of access to ensure persistence.” 

It also identified that hackers use remote access software to perform multiple functions and carry out several commonly associated TTPs, such as credential dumping and privilege escalation.

Network administrators and defenders should first establish a security baseline of normal network activity; in other words, network defenders must be thoroughly familiar with a software’s baseline behavior in order to recognize abnormal behavior and detect anomalous or malicious use. Network defenders should correlate detected activity with other suspicious behavior to reduce false positives.

The authoring agencies recommend that organizations monitor for unauthorized use of remote access software using EDR tools. Remote access software that may be leveraged by cyber threat actors includes, among others, ConnectWise Control (formerly ScreenConnect), Pulseway, AnyDesk, RemotePC, Remote Utilities, Kaseya, NetSupport, GoToMyPC, Splashtop, N-able, Atera, Bomgar, TeamViewer, Zoho Assist, and LogMeIn.
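The baseline-and-detect approach described above, as an added example that is not part of the guide or this article: it runs simple detection logic over constructed EDR-style process-creation events, flagging executions of tools from the article's list that fall outside an assumed approved baseline, deployments launched from PowerShell or cmd (the silent-install pattern the guide describes), and hosts running more than one remote access tool. The image-path substrings, the approved set, and the event format are assumptions for illustration.

```python
import re
from collections import defaultdict
# Substrings of image paths that identify tools from the article's list; the
# path-to-product association is assumed for illustration, not from the guide.
RMM_SIGNATURES = ("anydesk", "screenconnect", "teamviewer", "splashtop", "atera", "netsupport")
APPROVED = {"teamviewer"}                      # sanctioned baseline (assumed)
SCRIPT_PARENTS = {"powershell.exe", "cmd.exe"}  # scripted/silent deployment
EVENT_RE = re.compile(r"host=(\S+) parent=(\S+) image=(.+)$")

# Constructed EDR-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    r"host=WS01 parent=explorer.exe image=C:\Program Files\TeamViewer\TeamViewer.exe",
    r"host=WS02 parent=powershell.exe image=C:\Users\Public\AnyDesk.exe",
    r"host=WS02 parent=powershell.exe image=C:\Temp\ScreenConnect.ClientSetup.exe",
    r"host=WS03 parent=services.exe image=C:\Program Files\TeamViewer\TeamViewer_Service.exe",
    r"host=WS03 parent=explorer.exe image=C:\Windows\System32\notepad.exe",
]

def classify(event):
    """Return (host, parent, tool) when the image path matches an RMM signature, else None."""
    m = EVENT_RE.match(event)
    if not m:
        return None
    host, parent, image = m.groups()
    for sig in RMM_SIGNATURES:
        if sig in image.lower():
            return host, parent.lower(), sig
    return None

def find_alerts(events):
    """Alerts: tool outside the baseline, scripted deployment, several tools on one host."""
    alerts, tools_per_host = [], defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        host, parent, tool = hit
        tools_per_host[host].add(tool)
        if tool not in APPROVED:
            alerts.append((host, "unapproved_rmm", tool))
        if parent in SCRIPT_PARENTS:
            alerts.append((host, "scripted_deploy", tool))
    for host, tools in sorted(tools_per_host.items()):
        if len(tools) > 1:  # redundant access mechanisms on one host
            alerts.append((host, "multiple_rmm", ",".join(sorted(tools))))
    return alerts

if __name__ == "__main__":
    print(*find_alerts(SAMPLE_EVENTS), sep="\n")
```

In a real deployment the approved set would come from the organization's baseline inventory, and the alerts would be correlated with other telemetry before escalation, as the guide recommends.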

The authoring agencies recommend that organizations, specifically MSPs that leverage this software to conduct regular business, implement the mitigations below to defend against the malicious use of remote access software. These mitigations align with the cross-sector cybersecurity performance goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement.

CISA and NIST have based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures.

Last month, Mandiant detected novel OT/ICS-oriented malware, tracked as CosmicEnergy, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.
