RMM Attack Vector Update: How MSSPs, MSPs Can Protect Their Tools

This year opened with a warning from the Cybersecurity and Infrastructure Security Agency (CISA) on the threat that managed security service providers (MSSPs) and managed service providers (MSPs) face from cyber attackers striking them and their customers through remote monitoring and management (RMM) software.

RMM solutions are most widely used by MSSPs and MSPs to provide remote IT support to clients in different locations. It’s also becoming commonplace for internal IT departments to use RMM tools.

In a January 2023 bulletin, CISA renewed its warning that MSSPs and MSPs can be victimized by cyber attackers who target their customers through legitimate RMM software.

“Threat actors often target legitimate users of RMM software. Targets can include managed service providers (MSPs) and IT help desks, who regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions,” CISA said in the alert.

“These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP's customers,” the alert reads.

In August 2023, CISA released the Remote Monitoring and Management (RMM) Cyber Defense Plan, the first proactive document collectively developed by industry and government partners.

A key part of the RMM plan is to advance cybersecurity and reduce supply chain risk for small and medium critical infrastructure entities through collaboration with RMM vendors, MSPs and MSSPs. The plan also aims to educate RMM end-user organizations about the dangers and risks to the RMM infrastructure they rely on today, and about how to implement best practices going forward.

A month later, eSentire warned service providers, the public sector and private industry to batten down their RMM hatches, as the Russia-linked LockBit gang has been using the technology to spread its malware. In a new blog post, the managed detection and response (MDR) provider urged MSPs, MSSPs, IT consultants and value-added resellers (VARs) to steel themselves for a possible LockBit attack.

Now, at the close of the year, a recent WatchGuard threat report for Q3 2023 similarly found that threat actors are increasingly turning to remote management tools and software to evade anti-malware detection.

A close look at the WatchGuard study reiterates the role that MSSPs and MSPs play in slowing down the hackers.

“It’s important for organizations to provide social engineering education as well as adopt a unified security approach that provides layers of defense, which can be administered effectively by managed service providers,” said Corey Nachreiner, chief security officer at WatchGuard.

Take a closer look at the report and you’ll find WatchGuard’s warning: “Whether it’s remote desktop protocol (RDP), virtual private networks (VPN), remote monitoring and management software, or one of the many screen-sharing apps out there like VNC, TeamViewer, AnyDesk, GoToMyPC and countless more, threat actors have breached many networks via exposed remote access apps and lost, stolen, or cracked credentials. Even if you haven’t exposed a remote access app yourself, many social networking attacks try to trick your users into installing a perfectly legitimate one, but with configurations that give them access.”

How MSPs and MSSPs Can Protect RMM From Threat Actors

What can vendors, service providers and users do to slow down hackers making inroads into their networks by compromising RMM software?

According to WatchGuard, here are a few tips:

  • Do not expose RMM, management interfaces, or any remote desktop app to people on the Internet. Instead, only allow users to access it through VPN to offer additional protection and security. Make sure you only allow VPN with multi-factor authentication (MFA) enabled.
  • Scan for accidental remote access exposure. Even if you do need to expose some remote access (like VPN), you should know every remote access app you expose. To verify that this is all you’ve exposed, you can use vulnerability assessment or port scanning software to scan your network and identify any open remote access services.
  • Leverage application white- or blacklisting. Even if you decide to allow some remote access products, you should standardize on which tools and only allow those to run. Endpoint protection suites often allow you to blacklist remote access apps you aren’t using, even if they are legitimate.
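As an added example (not code from the article or from WatchGuard), the exposure check in the second tip carried out in Python: it parses constructed `nmap -oG` output, compares every open port against a set of deliberately approved exposures (here the VPN endpoints), and flags remote-access tools by their vendor default ports so that a port nmap labels with another service name is still caught. The host addresses, the approved set and the port-to-tool mapping are assumptions to adapt to your own estate.

```python
"""Flag Internet-facing remote-access services that were not deliberately approved."""
import re

# Vendor default ports of the remote-access tools named in the article
# (constructed mapping; verify against your own deployments).
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
    5900: "VNC",
    5800: "VNC (HTTP)",
    5938: "TeamViewer",
    7070: "AnyDesk",
}
# Service names nmap may print for the same tools, so renumbered ports still match.
REMOTE_ACCESS_SERVICES = {"ms-wbt-server", "rdp", "vnc", "vnc-http", "teamviewer", "anydesk"}

def parse_nmap_grepable(text):
    """Yield (host, port, proto, service) for every open port in `nmap -oG` output."""
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*?Ports:\s+(.*)", line)
        if not m:
            continue
        host, ports = m.group(1), m.group(2).split("\t")[0]  # drop 'Ignored State'
        for entry in ports.split(","):
            # nmap -oG field order: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            yield host, int(fields[0]), fields[2], fields[4]

def find_exposures(scan_text, approved):
    """Return ('remote-access', host, port, proto, tool) for RMM/remote-desktop
    ports outside `approved`, and ('unexpected', ...) for any other open port."""
    findings = []
    for host, port, proto, service in parse_nmap_grepable(scan_text):
        if (host, port, proto) in approved:
            continue  # deliberately exposed, e.g. the VPN gateway
        tool = REMOTE_ACCESS_PORTS.get(port) or (service if service in REMOTE_ACCESS_SERVICES else None)
        findings.append(("remote-access", host, port, proto, tool) if tool
                        else ("unexpected", host, port, proto, service))
    return findings

# Constructed sample: approved SSL VPN (443) and OpenVPN (1194/udp); RDP, TeamViewer
# and AnyDesk (which nmap names 'realserver') accidentally reachable; VNC closed.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 5900/closed/tcp//vnc///\tIgnored State: filtered (997)
Host: 203.0.113.11 ()\tPorts: 1194/open/udp//openvpn///, 5938/open/tcp//teamviewer///, 7070/open/tcp//realserver///, 8443/open/tcp//https-alt///
"""
APPROVED = {("203.0.113.10", 443, "tcp"), ("203.0.113.11", 1194, "udp")}

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_SCAN, APPROVED):
        print(*finding)
```

Feed it the `-oG` file from a scan of your public address ranges and treat every `remote-access` line as a deviation from the allowlist to close or justify.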