As Managed Service Providers (MSPs) continue to grow in popularity with businesses looking to outsource IT, the tools they rely on, above all Remote Monitoring and Management (RMM) utilities, have become indispensable. These tools let an MSP remotely manage endpoints, automate maintenance tasks, and monitor system health. However, the more an MSP depends on them, the greater the risk that the same utilities are compromised, exploited, and abused by cybercriminals.
RMM tools are designed to give MSPs comprehensive control over their clients' IT environments. They enable MSPs to deploy software, manage updates, troubleshoot issues, and enforce security policies without being physically present. The centralization and automation capabilities of these tools enhance efficiency and service delivery, making them an attractive option for MSPs. However, these same features also make RMM tools a prime target for cyber attackers.
When threat actors gain access to an RMM tool, they can potentially control numerous systems across multiple organizations at once, because one RMM server is trusted by every endpoint it manages. This level of access can lead to devastating consequences, including widespread data breaches, ransomware deployments, and the complete shutdown of business operations. The Kaseya attack and the ConnectWise Control vulnerability described below illustrate how severe the impact can be.
The Kaseya VSA attack in July 2021 is a prime example of RMM tool exploitation. In brief, the REvil ransomware group exploited a zero-day vulnerability (CVE-2021-30116) in the on-premises VSA server to push ransomware, through the MSPs whose servers were compromised, to hundreds of downstream businesses; Kaseya's own estimate was fewer than 60 direct customers and up to about 1,500 businesses affected.
The intrusion began with an authentication bypass in the VSA web interface, which the attackers followed with an arbitrary file upload and code injection to run commands on the VSA server itself. With the server under their control, they used its own agent-procedure mechanism to deploy the ransomware to the endpoints it managed, encrypting data on thousands of machines. The effect cascaded: businesses around the globe lost operations and faced ransom demands for the decryption of their data.
One of the most concerning aspects of this attack was how it abused the trust placed in the RMM tool. The ransomware was delivered as a VSA agent procedure, so it ran with the elevated privileges the RMM agent already held on every endpoint. Before encrypting anything, the procedure disabled Microsoft Defender protections on the target system; it then dropped its payload into C:\kworking\, the Kaseya agent's working directory, a location commonly excluded from antivirus scanning precisely because the agent writes there during legitimate operations. An exclusion granted to the RMM tool became an exclusion granted to the attacker.
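The two behaviours described above, tampering with endpoint AV and dropping an executable into an AV-excluded RMM working directory, are worth hunting for in endpoint telemetry, and worth correlating, because either one alone has benign explanations while both on the same host rarely do. The script below is an added example, not code from the original article or from Kaseya; it runs detection logic over a handful of constructed Sysmon-style process-creation and file-creation events. The RMM agent path, the second working directory, and the event field names are assumptions; C:\kworking is the directory named in the text, and Set-MpPreference is the real Windows Defender cmdlet the Kaseya procedure used to turn protections off.

```python
"""Hunt for Kaseya-style RMM abuse in endpoint telemetry.

Added example: looks for (1) Defender being switched off via Set-MpPreference,
(2) executables written into an RMM working directory that is typically
excluded from AV scanning, and (3) both on the same host.  Also audits a list
of Defender exclusion paths for overlap with those RMM directories.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# RMM working directories that operators commonly exclude from AV scanning.
# C:\kworking is the Kaseya agent directory from the article; the second entry
# is an assumed example of the same pattern for another product.
RMM_WORKING_DIRS = [r"C:\kworking", r"C:\ProgramData\ExampleRMM\Work"]

# Set-MpPreference with any -Disable* switch set to true turns a Defender
# protection off (e.g. -DisableRealtimeMonitoring $true).
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*-Disable\w+\s+(\$?true|1)\b", re.IGNORECASE
)
EXEC_EXT = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".scr"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _is_under(path: str, root: str) -> bool:
    """Case-insensitive 'path is root or lies beneath root' for Windows paths."""
    p, r = path.lower().rstrip("\\"), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def under_rmm_dir(path: str) -> bool:
    return any(_is_under(path, d) for d in RMM_WORKING_DIRS)


def excluded_rmm_dirs(exclusions: list[str]) -> list[str]:
    """RMM working directories covered by a Defender ExclusionPath entry.

    `exclusions` is what (Get-MpPreference).ExclusionPath would return.
    Only exact or parent-directory matches are handled; wildcard exclusions
    would need their own expansion.
    """
    return [d for d in RMM_WORKING_DIRS if any(_is_under(d, e) for e in exclusions)]


def hunt(events: list[dict]) -> list[Finding]:
    """Run the three rules over Sysmon-style events (constructed field names)."""
    findings: list[Finding] = []
    tampered, dropped = set(), set()
    for ev in events:
        host = ev["host"]
        if ev["event"] == "process_create":
            cmd = ev.get("command_line", "")
            if DEFENDER_TAMPER.search(cmd):
                findings.append(Finding("defender_tampering", host, cmd))
                tampered.add(host)
        elif ev["event"] == "file_create":
            target = ev.get("target_file", "")
            if under_rmm_dir(target) and PureWindowsPath(target).suffix.lower() in EXEC_EXT:
                findings.append(Finding("exec_drop_in_rmm_dir", host, target))
                dropped.add(host)
    # Correlate: AV off and executable dropped into an excluded RMM dir on one host.
    for host in sorted(tampered & dropped):
        findings.append(Finding(
            "kaseya_style_chain", host,
            "AV disabled and executable written to excluded RMM directory",
        ))
    return findings


# Constructed sample telemetry (not real logs). AGENT is an assumed RMM agent path.
AGENT = r"C:\Program Files\ExampleRMM\agent.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "event": "process_create", "parent_image": AGENT,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -Command "Set-MpPreference '
                     '-DisableRealtimeMonitoring $true -DisableIOAVProtection $true"'},
    {"host": "WS01", "event": "file_create", "image": AGENT,
     "target_file": r"C:\kworking\agent.exe"},
    # Benign: the agent writing a log into its working directory.
    {"host": "WS02", "event": "file_create", "image": AGENT,
     "target_file": r"C:\kworking\hotfix.log"},
    # Benign: an admin only reading the Defender configuration.
    {"host": "WS03", "event": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-MpPreference"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print("Excluded RMM dirs:", excluded_rmm_dirs([r"C:\kworking", r"C:\Temp"]))
```

Run against the sample, only WS01 fires, and it fires on all three rules; WS02 and WS03 show the benign activity each rule must tolerate on its own. The `excluded_rmm_dirs` check is the preventive side: if an RMM working directory is on the Defender exclusion list, the right fix is usually to narrow the exclusion to the specific process or file the agent needs rather than to the whole directory.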
In 2020, ConnectWise disclosed a vulnerability in its Control remote access product (now ScreenConnect) that could allow an attacker to execute arbitrary code on the underlying server and gain elevated privileges. The flaw was particularly concerning because the Control server is the pivot point for every remote session an MSP runs: compromising it would let an attacker move laterally into the networks and systems the MSP manages.
Although ConnectWise responded quickly with a patch, the incident highlighted the potential for RMM tools to be exploited by threat actors seeking to gain broad access to multiple systems. It emphasized the need for continuous monitoring, timely updates, and stringent access controls to mitigate such risks.
To protect against the exploitation of RMM tools, MSPs need to adopt a multi-layered security approach. This includes:
RMM tools remain a critical component of MSP operations, but their powerful capabilities also make them an attractive target for cybercriminals. By understanding the technical aspects of RMM exploitation and implementing comprehensive security measures, MSPs can significantly reduce their risk exposure.
Remember, security is an ongoing process. Regularly reassess your RMM security posture, stay informed about emerging threats, and be prepared to quickly adapt your defenses. By maintaining vigilance and implementing strong technical controls, MSPs can leverage the benefits of RMM tools while minimizing the associated risks. This also doesn’t mean you have to do it alone; by partnering with a trusted security vendor such as Todyl, these time-consuming, difficult tasks can be completed with ease.