Security researchers warn that an increasing number of attackers are using legitimate remote monitoring and management (RMM) tools in their attacks to achieve remote access and control over systems. These tools are commonly used by managed service providers (MSPs) and IT help desks so their presence on an organization’s network and systems might not raise suspicion.
Researchers from Cisco Talos reported this week that one particular commercial RMM tool called Syncro was observed in a third of the incident response cases the company was engaged in during the fourth quarter of 2022. However, this wasn’t the only such tool used.
Separately in a joint advisory this week, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) the and Multi-State Information Sharing and Analysis Center (MS-ISAC) warned about the use of RMM tools in a refund scam that targeted the employees of multiple federal agencies.
“This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2),” the agencies wrote in their advisory.
Delivery as self-contained portable executables
In the attacks that CISA and its partners discovered, a group of…
