Are you aware of the legitimate software running in your environment? Attackers and threat actors are increasingly using software such as TeamViewer and SimpleHelp. These tools are typically used to administer internal IT, facilitate the work of administrators, and aid help desks in organizations around the world. Now, they are being employed by threat actors to carry out malicious attacks.
In our Security Operation Center (SOC) in Gothenburg, Sweden, our cybersecurity analysts work around the clock, year-round, to identify and respond to threats in our clients’ environments. Lately, we have observed that attackers are increasingly turning to legitimate software to avoid detection.
This type of software, often referred to as Remote Monitoring and Management (RMM), is used by IT administrators and help desks to administer networks and remotely support users. The advantage of RMM is that it is often powerful and easy to use, saving time for internal resources. The downside is that it can enable threat actors to act quickly and carry out attacks in their targets’ environments.
The use of legitimate software by attackers in this manner is not new and has been noted for a long time. However, the fact that we are now seeing it on a larger scale means that organizations need to pay increased attention to monitoring the tools used in their environment.
How can I tell if I have been attacked?
Examine whether there is RMM software in your network that your organization does not use. If software is installed that the IT department does not use, there is a risk that you are under attack. Review the legitimate software that your organization should use according to your policy and ensure that these are the tools actually installed. Any other installed software that is not legitimate may be an indicator that an attacker has access to the environment and has breached your network.
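One way to run the check described above is to compare a software inventory export against the list of RMM tools your policy approves. The following is an added example, not code from NTT Security; the watchlist (beyond TeamViewer and SimpleHelp), the approved set, and the inventory rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Assumed watchlist of RMM product names (only TeamViewer and SimpleHelp are
# named in the article). Extend it with the tools relevant to your environment.
RMM_PATTERNS = {
    "TeamViewer": r"team\s*viewer",
    "SimpleHelp": r"simple\s*help",
    "AnyDesk": r"any\s*desk",
    "ScreenConnect": r"screen\s*connect|connectwise control",
    "Splashtop": r"splashtop",
    "Atera": r"\batera\b",
}

# Assumed policy: the only RMM tool the IT department has approved.
APPROVED = {"TeamViewer"}

# Constructed sample inventory (host, installed software display name).
SAMPLE_INVENTORY = """host,software
ws-001,TeamViewer 15.49
ws-001,Mozilla Firefox 121.0
ws-017,AnyDesk
srv-db02,SimpleHelp Remote Access Service
srv-db02,TeamViewer Host
ws-033,Simple Help Technician
"""

def classify(name):
    """Return the RMM product a display name matches, or None."""
    for product, pattern in RMM_PATTERNS.items():
        if re.search(pattern, name, re.IGNORECASE):
            return product
    return None

def unapproved_rmm(inventory_csv, approved=APPROVED):
    """Map each unapproved RMM product to the sorted hosts it was found on."""
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = classify(row["software"])
        if product and product not in approved:
            findings[product].add(row["host"])
    return {p: sorted(h) for p, h in findings.items()}

if __name__ == "__main__":
    for product, hosts in sorted(unapproved_rmm(SAMPLE_INVENTORY).items()):
        print(f"unapproved RMM: {product} on {', '.join(hosts)}")
```

Display names vary between versions and installers, so matching is done by pattern rather than exact string; a hit is a lead to investigate, not proof of compromise.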
What happens if threat actors use RMM?
When threat actors employ Remote Monitoring and Management (RMM) software, they mimic the actions of a genuine IT administrator or help desk, even though their intentions are malicious. This could involve activities such as installing additional malicious software, stealing sensitive information, or secretly monitoring user activities.
Is your organization protected?
NTT Security continuously collaborates with organizations at strategic, tactical, and operational levels to build secure architecture, create the right visibility for detection, and provide effective capabilities to respond when threats are detected in all types of environments. Our Samurai Managed Detection and Response (MDR) service helps your organization detect hard-to-find threats, and we counteract complex and sophisticated cyber attacks, leveraging Machine Learning and Threat Intelligence.