NSA, CISA Issue Guidance on Preventing RMM-Enabled Cyberattacks
New guidance from the National Security Agency and the Cybersecurity and Infrastructure Security Agency aims to help organizations prevent cyberthreats from remote monitoring and management software.
The guidance identifies malicious domains tied to RMM-enabled threats and encourages enterprises to audit their tools. It also encourages RMM software users to review logs and take other steps to mitigate potential attacks.
According to CISA, attackers used legitimate RMM software in June 2022 to send a phishing email to a federal civilian executive branch employee. The email contained a phone number that, when accessed, enabled the hackers to attack networks.
CISA also noted that in the second half of 2022, malicious activities took place on two federal civilian executive branch networks. The illicit activities involved bi-directional traffic occurring between one network and a malicious domain.
The newly released guidance states that attackers have been sending emails that look like help desk correspondence but actually contain links that install an executable file on victims' computers, ultimately allowing attackers to connect to the RMM server.
The technique allows hackers to circumvent risk management systems because the attacks start with an executable file that works on local devices.
CISA warned RMM users that similar attacks could happen in the future, and they could target managed service providers and IT help desks, which regularly use RMM tools.