Uploaded on Mar 22, 2024
RMM as a Vulnerability Exploitation Vehicle
Remote Monitoring and Management (RMM) tools are used by a
substantial percentage of Managed Service Providers (MSPs) and IT
infrastructure professionals.
These tools bring a great deal of efficiency and convenience to the
teams that use them, albeit at the cost of added security risk. With
the growth of remote work, RMM tools have taken on an even greater
role in managing endpoints and the applications their users run.
RMM tools have always been an attack vector, and over the years many
of the leading dozen or so tools have been the subject of at least one
vulnerability. Perhaps most famously, the Kaseya VSA ransomware attack
of July 2021 caused downtime for over 1,000 organizations. As a result,
the cybersecurity authorities of the United Kingdom, Australia, Canada,
New Zealand, and the United States released a joint Cybersecurity
Advisory (CSA) providing guidance on how to protect against malicious
cyber activity targeting managed service providers (MSPs) and their
customers: Alert Code AA22-131A,
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-131a
On January 26th of 2024, CISA sent out a specific alert for RMM tool-
based risks as Alert Code AA23-025A,
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a
and just a couple of weeks later the topic became a very prominent
news item. It is important to note that the advisory specifically
mentioned ConnectWise ScreenConnect:
“CISA identified a widespread cyber campaign involving the malicious
use of legitimate RMM software. Specifically, cyber-criminal actors sent
phishing emails that led to the download of legitimate RMM software—
ScreenConnect (now ConnectWise Control) and AnyDesk—which the
actors used in a refund scam to steal money from victim bank accounts.”
Furthermore, the advisory indicated clearly that the attack objectives
are financial gain, theft of sensitive information, and state-sponsored
drivers. This should certainly have put all our cyber-defense friends
on notice, and I am sure many of us kept our watchful eyes open.
Fast forward a couple of weeks to the second week of February, and this
became a real threat with the identified critical vulnerability. Stolen
administrative access credentials multiply the attack surface and open
the door to a wide variety of attacks at scale.
The attack primarily restarts the installation of the ScreenConnect
agent with attacker-specified new administration credentials to gain
access to the target. The target is then used not only for further
exploitation but as the starting point for a cascade of attacks.
Certainly, CVE-2024-1709 was patched quickly by ConnectWise
(https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8).
However, the industry is still in the middle of identifying impacted
systems and businesses, and then assessing the damage in the form of
penalties, loss of customers, increased cyber insurance premiums, and
monetary loss in real terms.
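Since the bulletin names 23.9.8 as the fixed release, a practical first step for an MSP is to triage its ScreenConnect inventory by version and flag every server still below that release. The following Python is an added example, not Seceon's or ConnectWise's code; the hostnames and version strings in the sample inventory are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Release in which ConnectWise shipped the fix for CVE-2024-1709 (per the bulletin
# linked above); anything older is treated as unpatched.
PATCHED_VERSION = "23.9.8"


@dataclass
class ScreenConnectHost:
    hostname: str
    version: str


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '23.9.8' or '23.9.7.8804' into a comparable tuple of ints."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is at or above the fixed release."""
    have, need = parse_version(version), parse_version(patched)
    # Pad with zeros so that '23.9.8' and '23.9.8.0' compare as equal.
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def triage(inventory: list[ScreenConnectHost]) -> dict[str, list[str]]:
    """Bucket hosts into patched / unpatched / unknown for a remediation list."""
    report: dict[str, list[str]] = {"unpatched": [], "patched": [], "unknown": []}
    for host in inventory:
        try:
            bucket = "patched" if is_patched(host.version) else "unpatched"
        except ValueError:
            bucket = "unknown"  # a garbage version string needs a manual look, not silence
        report[bucket].append(host.hostname)
    return report


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ScreenConnectHost("sc-prod-01.example.test", "23.9.7.8804"),
    ScreenConnectHost("sc-prod-02.example.test", "23.9.8"),
    ScreenConnectHost("sc-lab.example.test", "22.8.0"),
    ScreenConnectHost("sc-new.example.test", "23.9.10.8817"),
    ScreenConnectHost("sc-broken.example.test", "n/a"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```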
As a cybersecurity services provider organization, it is critically
important to ensure that safeguards are always in place for both
known and unknown threats. MSPs need to have a “Zero-Trust”
approach to the supply chain, as many organizations learned with the
SolarWinds attacks and log4j vulnerabilities.
Today, it’s important for MSPs to consider protecting not just their
customers but their own estate using real-time Machine Learning and
AI-based proactive and comprehensive threat detection.
Many in the industry have already recognized that this is a
cat-and-mouse game: the question is not whether an attack will happen
to us; our planning and strategy must instead focus on how quickly we
can detect it and protect ourselves when it does.
The industry is learning daily from such attacks and is developing
better defense mechanisms and strategies using modern tools with
automation. We at Seceon are actively contributing to such defense
and welcome any queries to explain our approach and help you
benefit in your cybersecurity journey.
Seceon is a ConnectWise Invent Certified Vendor, and we have dozens
of partners that have built MSP businesses as large as $200M and
power their cybersecurity services with Seceon. We support the
community and have sponsored and exhibited at ConnectWise events.
In January 2024, Seceon announced a version of the Seceon aiSIEM-CGuard
product for our partner community. The Seceon aiSIEM-CGuard
Not-For-Retail (NFR) license program is essential as governments and
experts increase the pressure on managed service providers to protect
themselves and so prevent threat actors from attacking their clients.
If you are interested in learning more, please contact us.
Address - 238 Littleton Road Suite #206 Westford, MA 01886
Phone no - +1 (978)-923-0040
Website - https://www.seceon.com/