
Threat Groups Using RMM Tools for Initial-Stage in Attacks


Bad actors are increasingly using a tool popular among MSSPs and MSPs as an initial payload in phishing and other email cyberthreat campaigns for such actions as data collection, financial theft, lateral movement through compromised networks, and installing malware like ransomware.

In 2024, researchers with Proofpoint saw a marked expansion in the use of remote monitoring and management (RMM) software delivered via email as the first step in attacks. The trend dovetails with a decline in the use of other tools, such as loaders and botnet malware, that had commonly been used by initial access brokers (IABs), the groups that gain access to systems or networks and then sell that access to other threat actors.

At the same time, cybercriminals are expanding the RMM solutions they are using in their attacks. NetSupport typically had been the most frequently used RMM tool in email campaigns, but its use declined last year as other RMM software, including ScreenConnect, FleetDeck, and Atera, rose in popularity, a trend that is continuing this year.

RMM as Part of the Repertoire

Bad actors have historically used RMM solutions as part of attack chains but not typically as the first shot.

“The use of RMMs as a first-stage payload delivered directly via email was not as common as other malware delivery in Proofpoint campaign data prior to 2024, with most of such campaigns since 2022 delivering NetSupport,” Proofpoint threat researchers Selena Larson and Ole Villadsen wrote in a recent report. “However, the presence of RMMs in campaign data began increasing in mid-2024, with ScreenConnect in particular appearing much more frequently.”

According to numbers collected by the Sunnyvale, California-based cybersecurity vendor, the number of campaigns in January 2023 that used RMM software as a first-stage payload was fewer than 10. In November and December last year, more than 60 such campaigns were seen each month.

In MSSPs' Toolset

RMM software is an essential tool for MSSPs, MSPs, and other organizations that need to remotely look after the IT environments of other companies or business units. For security service providers, it allows them to deploy patches, ensure endpoints' security, troubleshoot clients, and perform other tasks without being physically present.

Given the software's access to other organizations, MSSPs have become targets of hackers who see the compromise of one security service provider as a gateway into the networks of multiple customers. CrowdStrike researchers, in a report last year, found a 70% increase in the use of RMM tools in cyberattacks, noting that threat groups like Chef Spider and Static Kitten were leveraging software like ConnectWise’s ScreenConnect to exploit endpoints.

“RMM is a huge risk,” Kevin McGrail, cloud fellow and principal evangelist with Google Cloud security partner DitoWeb, told MSSP Alert. “It's effectively a back door for trusted partners, and as an MSP [or] MSSP, you must treat it like you have the keys to the castle.”

Operation Endgame

The rise in the use of RMM tools in email campaigns coincides with the sharp decline or disappearance of IABs like TA577, TA571, and TA544 in such attacks, Proofpoint’s Larson and Villadsen wrote. As an example, campaigns involving TA577 – active since mid-2020 – have led to the deployment of Black Basta ransomware, with recent Black Basta incidents indicating that initial access was made through social engineering attacks on social media using Microsoft Teams.

The researchers link the growing use of RMM for initial access and the decline of IAB activity in email campaigns to Operation Endgame, a multinational law enforcement effort in May 2024 that included the United States, Denmark, France, and other European countries that took down infrastructure used to support such malware families as Pikabot, Smokeloader, Bumblebee, and Trickbot.

“With limited access to these major malware families, IAB threat actors could not conduct their typical email-based attacks,” Larson and Villadsen wrote, noting a report by blockchain intelligence firm Chainalysis that showed a 35% decline in ransomware payments in the second half of 2024.

Account Takeover, Credential Theft, and More

Among the threat groups that have adopted RMM for first-stage use is TA583, a highly active group that runs multiple campaigns a day, most of them delivering RMM software, usually ScreenConnect. TA583 targets compromised systems for myriad reasons, including account takeover (ATO), credential theft, data exfiltration, and possibly brokering initial access for other threat actors.

TA2725 uses Brazilian banking malware, such as Mispadu, Astaroth, and Grandoreiro, and credential phishing in attacks in Brazil, Mexico, and Spain. In January, the group was detected using ScreenConnect.

Hardening the RMM

The ongoing interest by threat actors in exploiting RMM tools means that MSSPs and MSPs need to choose those solutions carefully, DitoWeb’s McGrail said. The RMM solution needs to support multifactor authentication and prompt for MFA before anyone can do anything with a machine. There also are other practices to adopt, including screens that lock after at most a minute, he said.
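One defender-side check that follows from the pattern described in this article, RMM agents arriving as an email-delivered first-stage payload on machines where the service provider never deployed them, is to reconcile observed RMM process launches against the sanctioned inventory. The Python below is an added example written for this page, not code from Proofpoint, DitoWeb or any RMM vendor; the executable names, the host inventory and the sample process-creation events are constructed assumptions.

```python
"""Flag RMM agents that look like email-delivered first-stage payloads
rather than the service provider's own sanctioned tooling.

Added example written for this article; the log lines, host inventory and
binary names are constructed assumptions, not data from Proofpoint or any
RMM vendor."""
import csv
import io

# Executable names assumed for the RMM products the article names.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "client32.exe": "NetSupport",
    "fleetdeck_agent.exe": "FleetDeck",
    "ateraagent.exe": "Atera",
}

# A sanctioned agent is installed as a service, so its parent is the
# service manager. A parent that is an email client, browser or the shell
# means a user opened something, which is how a phishing payload arrives.
INTERACTIVE_PARENTS = {
    "outlook.exe", "thunderbird.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
    "explorer.exe",
}

# Constructed inventory: which RMM product the provider legitimately runs
# on each host. Hosts missing from this map have no sanctioned RMM at all.
SANCTIONED = {
    "WS-FIN-01": {"Atera"},
    "WS-FIN-02": {"Atera"},
    "SRV-DC-01": {"Atera"},
}

# User-writable locations; a real agent install lives under Program Files.
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\")

# Constructed process-creation events, one CSV row per process start.
SAMPLE_LOG = """\
timestamp,host,user,parent_image,image,image_path
2025-01-14T09:02:11Z,WS-FIN-01,jdoe,services.exe,AteraAgent.exe,C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe
2025-01-14T09:05:43Z,WS-FIN-02,asmith,outlook.exe,ScreenConnect.ClientService.exe,C:\\Users\\asmith\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe
2025-01-14T09:06:10Z,WS-FIN-02,asmith,explorer.exe,winword.exe,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
2025-01-14T10:17:55Z,WS-HR-07,bking,explorer.exe,client32.exe,C:\\Users\\bking\\Downloads\\NetSupport\\client32.exe
2025-01-14T11:40:02Z,SRV-DC-01,SYSTEM,services.exe,AteraAgent.exe,C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe
2025-01-14T13:21:38Z,WS-FIN-01,jdoe,services.exe,FleetDeck_Agent.exe,C:\\Program Files\\FleetDeck\\FleetDeck_Agent.exe
"""


def find_suspicious_rmm(log_text):
    """Return one finding per RMM launch that breaks the sanctioned pattern."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        product = RMM_BINARIES.get(row["image"].lower())
        if product is None:
            continue  # not an RMM binary we track
        reasons = []
        if product not in SANCTIONED.get(row["host"], set()):
            reasons.append(f"{product} is not a sanctioned RMM on {row['host']}")
        parent = row["parent_image"].lower()
        if parent in INTERACTIVE_PARENTS:
            reasons.append(f"started by {parent} rather than the service manager")
        path = row["image_path"].lower()
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append({
                "timestamp": row["timestamp"],
                "host": row["host"],
                "user": row["user"],
                "product": product,
                "reasons": reasons,
            })
    return findings


def unsanctioned_products(findings):
    """Products seen where they are not sanctioned, for inventory reconciliation."""
    return sorted({f["product"] for f in findings
                   if any("not a sanctioned" in r for r in f["reasons"])})


if __name__ == "__main__":
    for f in find_suspicious_rmm(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['host']} ({f['user']}) {f['product']}:")
        for r in f["reasons"]:
            print("   -", r)
```

Running the script against the constructed log yields three findings: a ScreenConnect client started by Outlook from a Temp folder, a NetSupport client32 run from a Downloads folder on a host with no sanctioned RMM, and a FleetDeck agent installed cleanly as a service but on a host where only Atera is sanctioned. The last case is the one an RMM-name blocklist alone would miss, and it is exactly the "keys to the castle" problem McGrail describes: a correctly installed agent from a product the provider does not use is still an unvetted remote-control channel.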

“Email security just isn't sexy anymore, but it leads to 60% to 90% of your compromises, depending on whose numbers you are reading,” he said. “Having better email security and phishing prevention training is important.”  
