US, Israel Provide Guidance on Securing Remote Access Software

US and Israeli government agencies have published new guidance on preventing malicious exploitation of remote access software.

US and Israeli government agencies have published a new guide to help organizations secure remote access software against malicious attacks.

The new document provides an overview of remote access software, its malicious use, and detection methods, along with recommendations for organizations to prevent abuse.

The Guide to Securing Remote Access Software (PDF) is authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD). Cybersecurity vendors and tech companies also contributed to the document.

Remote access software, including remote administration and remote monitoring and management (RMM) solutions, allows organizations to remotely monitor networks and devices and helps them maintain and improve information technology (IT), industrial control system (ICS), and operational technology (OT) services.

IT help desks, managed service providers (MSPs), network administrators, and software-as-a-service (SaaS) providers use such software to gather data on networks and devices, automate maintenance, and perform endpoint configuration, recovery and backup, and patch management.

However, the new guidance points out, the same legitimate benefits of remote access software make it an attractive choice for malicious actors, who adopt these tools to gain easy and broad access to victim networks, as they are not flagged as malicious by security tools.

“Malicious actors exploit this by using remote access software to establish network connections through cloud-hosted infrastructure while evading detection. This type of intrusion falls into the category of living off the land (LOTL) attacks, where inherently malicious files, codes, and scripts are unnecessary, and cyber threat actors use tools already present in the environment to sustain their malicious activity,” the guide reads.


Due to its monitoring and control capabilities and heightened permissions, RMM software is an attractive tool for threat actors, especially ransomware groups. Small to medium-sized businesses, which often rely on MSPs’ remote access to manage IT, OT, and ICS infrastructures, are more vulnerable to supply chain compromise and malicious use of remote access software, the authoring agencies note.

Malicious actors, the guide reads, use remote access software to gain access to victim networks, maintain persistence, deploy additional payloads, move laterally, and exfiltrate data. Ransomware operators and advanced persistent threat (APT) actors often use RMM and other remote access software in their attacks.

Intrusions typically begin with the exploitation of vulnerable software or with the use of compromised credentials for remote access software, continue with the deployment of RMM tools on the network or on endpoints to expand control, and may also involve commercial penetration testing tools or remote access malware to ensure persistence.

Tools that may be used maliciously include Anydesk, Atera, Bomgar, ConnectWise Control (formerly ScreenConnect), GoToMyPC, Kaseya, LogMeIn, N-Able, NetSupport, Pulseway, RemotePC, Remote Utilities, Splashtop, TeamViewer, and Zoho Assist.
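The detection side of the guidance comes down to knowing which remote access tools are running in the environment and whether each one is sanctioned. The following script is an added illustration, not part of the guide or the article: it scans constructed process-creation events for the tools named above, compares each hit against an assumed organizational allowlist, and additionally flags copies launched from user-writable directories (a heuristic of our own, not a recommendation quoted from the guide). The path substrings used to recognize each tool are assumptions and should be validated against the binaries actually deployed locally.

```python
import re
from dataclasses import dataclass

# Lowercased substrings assumed to identify each tool in an executable path.
# The tool names come from the guide's list; the substrings are our own
# illustrative guesses and must be validated against local binaries.
RMM_SIGNATURES = {
    "anydesk": "AnyDesk",
    "atera": "Atera",
    "bomgar": "Bomgar",
    "screenconnect": "ConnectWise Control",
    "connectwise": "ConnectWise Control",
    "gotomypc": "GoToMyPC",
    "kaseya": "Kaseya",
    "logmein": "LogMeIn",
    "n-able": "N-Able",
    "netsupport": "NetSupport",
    "pulseway": "Pulseway",
    "remotepc": "RemotePC",
    "remote utilities": "Remote Utilities",
    "splashtop": "Splashtop",
    "teamviewer": "TeamViewer",
    "zoho": "Zoho Assist",
}

# Hypothetical allowlist: tools the organization has sanctioned. Any other
# tool from the list above is reported as unapproved remote access.
APPROVED_TOOLS = {"TeamViewer"}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    'ts=2023-06-06T09:12:01Z host=WS-01 user=alice image="C:\\Program Files\\TeamViewer\\TeamViewer.exe"',
    'ts=2023-06-06T09:15:44Z host=WS-01 user=alice image="C:\\Windows\\System32\\svchost.exe"',
    'ts=2023-06-06T10:02:17Z host=WS-07 user=bob image="C:\\Users\\bob\\AppData\\Local\\Temp\\AnyDesk.exe"',
    'ts=2023-06-06T10:05:03Z host=SRV-02 user=svc_backup image="C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"',
    'ts=2023-06-06T11:30:59Z host=WS-03 user=carol image="C:\\Program Files\\Splashtop\\Splashtop Remote\\SRService.exe"',
]

EVENT_RE = re.compile(
    r'ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image="(?P<image>[^"]+)"'
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    tool: str
    image: str
    approved: bool
    user_writable_path: bool


def identify_tool(image: str):
    """Return the remote access tool name matched by an executable path, or None."""
    lowered = image.lower()
    for needle, name in RMM_SIGNATURES.items():
        if needle in lowered:
            return name
    return None


def in_user_writable_path(image: str) -> bool:
    """Heuristic: binaries under a user profile or temp directory are more
    likely unmanaged portable copies than an admin-deployed package."""
    lowered = image.lower()
    return "\\users\\" in lowered or "\\temp\\" in lowered


def scan_events(lines, approved=APPROVED_TOOLS):
    """Parse key=value events and return a Finding for every remote access tool seen."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        tool = identify_tool(m["image"])
        if tool is None:
            continue
        findings.append(Finding(
            ts=m["ts"], host=m["host"], user=m["user"], tool=tool,
            image=m["image"], approved=tool in approved,
            user_writable_path=in_user_writable_path(m["image"]),
        ))
    return findings


def unapproved(findings):
    """Filter findings down to tools outside the allowlist."""
    return [f for f in findings if not f.approved]


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        status = "approved" if f.approved else "UNAPPROVED"
        flag = " (user-writable path)" if f.user_writable_path else ""
        print(f"{f.ts} {f.host} {f.user}: {f.tool} [{status}]{flag} {f.image}")
```

Run against the constructed events, the scan reports four remote access tool launches, three of which (AnyDesk, ConnectWise Control, Splashtop) are outside the allowlist, and the AnyDesk launch from a user's temp directory carries the extra path flag. Short substrings such as "zoho" or "atera" are prone to false positives on real telemetry; in production, match on code-signing publisher or file hashes from your inventory rather than path text alone.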

The guide provides recommendations for network administrators, organizations, MSP and SaaS customers, MSPs and other IT administrators, and for the developers of remote access software on how to improve security and ensure malicious activity is identified and prevented.

Related: Five Eyes Agencies Issue Cybersecurity Guidance for Smart Cities

Related: CISA Publishes New Guidance for Achieving Zero Trust Maturity

Related: CISA, NSA Issue Guidance for IAM Administrators

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
