Threat actors are increasingly using legitimate Remote Monitoring and Management (RMM) tools to gain access to corporate networks and maintain long-term persistence. Security researchers say attackers are using these trusted administrative tools to blend malicious activity with normal IT management tasks.

This lets them evade many traditional security controls.

Surge in RMM Tool Abuse

Security researchers from Huntress recently reported that threat intelligence shows a dramatic rise in attacks involving RMM software. According to security analysts, abuse of remote management tools has increased by about 277% in the past year, accounting for almost a quarter of all cybersecurity incidents.

Instead of relying on conventional malware, attackers are building their entire operational playbooks around trusted system administration tools.

Because this software is legitimate and commonly found in businesses, attackers can bypass endpoint detection systems that typically flag unknown executables or suspicious binaries. One technique attackers are refining is "daisy-chaining" several remote access tools during a single intrusion: one administrative platform is used to deploy another remote control tool, which fragments security telemetry and makes the activity harder to detect.

For instance, threat actors have been seen using vulnerability management software like Action1 to silently install secondary remote access clients like ScreenConnect via Microsoft Installer (MSI) packages. These deployment packages appear legitimate because they are signed by a trusted publisher, which allows them to slip past many security controls. Researchers also say that less skilled attackers are increasingly relying on Large Language Models (LLMs) to generate scripts for these attacks.

These scripts automate tasks such as stealing credentials and harvesting browser data, for example reading browsing histories for cryptocurrency wallets or financial platform logins. Many of these AI-generated scripts still have technical flaws, however. In some observed cases, the scripts failed to send stolen data back to the attackers, and the data was instead left behind on the compromised systems.

Social engineering remains the primary way these remote access tools reach victims. Attackers use carefully planned phishing campaigns to trick victims into running legitimate-looking software that carries a malicious payload. Some common lures are:

- Impersonating government agencies such as the Social Security Administration during tax season.
- Fake event invitations or meeting requests that contain malicious installer files.
- Phishing pages designed to look like online greeting cards, built for mobile devices to steal credentials.

How to Protect Yourself from Bad RMM Deployments

Security experts say that companies should treat any unauthorized remote management installation as a serious security threat. Because these tools are legitimate software, traditional signature-based defenses may fail to detect them.

Suggested ways to protect yourself are:

- Set strict rules for who can use approved administrative software.
- Monitor and investigate software installations originating from user-writable directories.
- Focus on behavioral detection, such as suspicious parent-child process relationships.
- Audit trial-based usage of administrative tools and demand stronger telemetry from vendors.
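The recommendations above (unapproved RMM software, installs from user-writable directories, suspicious parent-child process relationships) map directly onto the daisy-chaining pattern described earlier, where one RMM agent spawns msiexec to install a second remote access client. The following is an added example, not code from the article or from Huntress, showing how those three checks can be run over process-creation telemetry. The log lines are constructed; the field layout is a simplified Sysmon-style shape; the RMM process names, the "approved" product, and the user-writable path markers are assumptions to be tuned for your own environment.

```python
"""Hunt for daisy-chained RMM deployments in process-creation telemetry.

Added example. Event format, process names, approved-tool list and
path heuristics are assumptions, not vendor-specified values.
"""
import json
import re
from dataclasses import dataclass

# Assumed process names of remote-access agents (illustrative, tune to taste).
RMM_BINARIES = {
    "action1_agent.exe": "Action1",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
}
# Assumption: the organisation has sanctioned exactly one RMM product.
APPROVED_RMM = {"Action1"}
# Heuristic markers for locations an ordinary user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Matches quoted or unquoted .msi arguments on an msiexec command line.
MSI_RE = re.compile(r'"([^"]+?\.msi)"|(\S+\.msi)', re.IGNORECASE)


@dataclass
class Event:
    host: str
    user: str
    image: str
    cmdline: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rmm_product(path: str):
    """Product name if the executable is a known RMM agent, else None."""
    return RMM_BINARIES.get(basename(path))


def msi_paths(cmdline: str) -> list:
    """All .msi paths referenced on a command line."""
    return [quoted or bare for quoted, bare in MSI_RE.findall(cmdline)]


def from_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def classify(ev: Event) -> list:
    """Return the detection names that fire for one process-creation event."""
    findings = []
    child = basename(ev.image)
    child_rmm = rmm_product(ev.image)
    parent_rmm = rmm_product(ev.parent_image)

    # Rule 1: an RMM agent that is not the sanctioned product.
    if child_rmm and child_rmm not in APPROVED_RMM:
        findings.append("unapproved_rmm")
    # Rule 2: msiexec installing a package that lives in a user-writable directory.
    if child == "msiexec.exe" and any(from_user_writable(p) for p in msi_paths(ev.cmdline)):
        findings.append("msi_from_user_dir")
    # Rule 3: one RMM agent spawning an installer or a different RMM agent (daisy-chain).
    if parent_rmm and (child == "msiexec.exe" or (child_rmm and child_rmm != parent_rmm)):
        findings.append("rmm_chain")
    return findings


def hunt(jsonl: str) -> list:
    """Run classify() over JSON-lines telemetry; return (host:image, findings) per hit."""
    hits = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        ev = Event(rec["host"], rec["user"], rec["image"], rec["cmdline"], rec["parent_image"])
        findings = classify(ev)
        if findings:
            hits.append((f"{ev.host}:{basename(ev.image)}", findings))
    return hits


# Constructed sample telemetry (not real logs). Lines 1-2 model the Action1 -> msiexec
# -> ScreenConnect chain; lines 3-4 are benign; line 5 is a phishing-style user install.
SAMPLE_EVENTS = r'''
{"host":"WS-FINANCE-07","user":"CORP\\jsmith","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i \"C:\\Users\\jsmith\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.msi\" /qn","parent_image":"C:\\Program Files\\Action1\\action1_agent.exe"}
{"host":"WS-FINANCE-07","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe","cmdline":"\"C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe\"","parent_image":"C:\\Windows\\System32\\services.exe"}
{"host":"WS-FINANCE-07","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Program Files\\Action1\\action1_agent.exe","cmdline":"\"C:\\Program Files\\Action1\\action1_agent.exe\"","parent_image":"C:\\Windows\\System32\\services.exe"}
{"host":"WS-FINANCE-07","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i \"C:\\Windows\\ccmcache\\a1\\setup.msi\" /qn","parent_image":"C:\\Windows\\CCM\\CcmExec.exe"}
{"host":"WS-FINANCE-07","user":"CORP\\jsmith","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i \"C:\\Users\\jsmith\\Downloads\\Meeting_Invite.msi\"","parent_image":"C:\\Windows\\explorer.exe"}
'''

if __name__ == "__main__":
    for key, findings in hunt(SAMPLE_EVENTS):
        print(key, ", ".join(findings))
```

The value of the third rule is that it keys on the relationship between processes rather than on either binary: both Action1 and msiexec are signed, expected software on their own, and it is only the parent-child pairing that is anomalous. Replace the constructed telemetry with Sysmon Event ID 1 or EDR process-start records, and extend the RMM name table and approved set to match what your organisation actually licenses.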

By improving visibility into how remote management software is used and monitoring for behavioral anomalies, organizations can significantly reduce the risk posed by this rapidly growing initial access technique.