US and Israeli government agencies have published a new guide to help organizations secure remote access software against malicious attacks.
The new document provides an overview of remote access software, its malicious use, and detection methods, along with recommendations for organizations to prevent abuse.
The Guide to Securing Remote Access Software (PDF) is authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD). Cybersecurity vendors and tech companies also contributed to the document.
Remote access software, including remote administration and remote monitoring and management (RMM) solutions, allows organizations to remotely monitor networks and devices and helps them maintain and improve information technology (IT), industrial control system (ICS), and operational technology (OT) services.
IT help desks, managed service providers (MSPs), network administrators, and software-as-a-service (SaaS) providers use such software to gather data on networks and devices, automate maintenance, and perform endpoint configuration, recovery and backup, and patch management.
However, the new guidance points out, the same legitimate capabilities make remote access software an attractive choice for malicious actors, who adopt these tools to gain easy and broad access to victim networks because security tools typically do not flag them as malicious.
“Malicious actors exploit this by using remote access software to establish network connections through cloud-hosted infrastructure while evading detection. This type of intrusion falls into the category of living off the land (LOTL) attacks, where inherently malicious files, codes, and scripts are unnecessary, and cyber threat actors use tools already present in the environment to sustain their malicious activity,” the guide reads.
Due to its monitoring and control capabilities and heightened permissions, RMM software is an attractive tool for threat actors, especially ransomware groups. Small to medium-sized businesses, which often rely on MSPs’ remote access to manage IT, OT, and ICS infrastructures, are more vulnerable to supply chain compromise and malicious use of remote access software, the authoring agencies note.
Malicious actors, the guide reads, use remote access software to gain access to victim networks, maintain persistence, deploy additional payloads, move laterally, and exfiltrate data. Ransomware operators and advanced persistent threat (APT) actors often use RMM and other remote access software in their attacks.
Intrusions typically begin with the exploitation of vulnerable software or the use of compromised credentials for remote access software. They then involve the deployment of RMM software on the network or on endpoints to expand control, and sometimes the use of commercial penetration testing tools or remote access malware to maintain persistence.
Tools that may be used maliciously include Anydesk, Atera, Bomgar, ConnectWise Control (formerly ScreenConnect), GoToMyPC, Kaseya, LogMeIn, N-Able, NetSupport, Pulseway, RemotePC, Remote Utilities, Splashtop, TeamViewer, and Zoho Assist.
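Because these tools are legitimate, the detection point the guide makes is about context rather than signatures: which remote access tools an organization has sanctioned, and where their binaries normally run from. The following Python script is an added example, not code from the guide or any vendor; it checks constructed process-creation log lines against an assumed allowlist, and the executable-name mapping is illustrative and should be built from vendor documentation and your own software inventory.

```python
import re
from pathlib import PureWindowsPath

# Illustrative executable names for some tools the guide lists (assumed;
# build the real list from vendor documentation and your own inventory).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ConnectWise Control",
    "teamviewer.exe": "TeamViewer",
    "client32.exe": "NetSupport",
}
# Tools this hypothetical organization has actually sanctioned.
APPROVED = {"ConnectWise Control"}
# Sanctioned agents are installed under Program Files; a copy launched from a
# user-writable directory is suspicious even when the tool itself is approved.
TRUSTED_DIRS = ("c:\\program files", "c:\\program files (x86)")

# Constructed process-creation log format: timestamp, host, user, image path.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image="(?P<image>[^"]+)"$')

# Constructed sample events: one approved agent, one unapproved tool dropped
# in a temp directory, one approved tool copied to a public folder, one benign.
SAMPLE_LOG = """\
2023-06-06T10:01:00Z host=WS01 user=CORP\\alice image="C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"
2023-06-06T10:04:12Z host=WS07 user=CORP\\bob image="C:\\Users\\bob\\AppData\\Local\\Temp\\AnyDesk.exe"
2023-06-06T10:05:30Z host=SRV02 user=CORP\\svc image="C:\\Users\\Public\\ScreenConnect.ClientService.exe"
2023-06-06T10:06:01Z host=WS01 user=CORP\\alice image="C:\\Windows\\System32\\notepad.exe"
"""

def check_event(line):
    """Classify one log line as ('ok'|'alert'|'unparsed', tool, reason)."""
    m = LOG_RE.match(line)
    if not m:
        return ("unparsed", None, "line did not match expected format")
    image = m.group("image")
    tool = RMM_BINARIES.get(PureWindowsPath(image).name.lower())
    if tool is None:
        return ("ok", None, "not a known remote access binary")
    if tool not in APPROVED:
        return ("alert", tool,
                f"unapproved remote access tool run by {m.group('user')} on {m.group('host')}")
    if not image.lower().startswith(TRUSTED_DIRS):
        return ("alert", tool, f"approved tool launched from untrusted path {image}")
    return ("ok", tool, "approved tool from trusted path")

def triage(lines):
    """Return (tool, reason) for every line that warrants an alert."""
    return [(t, r) for v, t, r in map(check_event, lines) if v == "alert"]
```

Running `triage(SAMPLE_LOG.splitlines())` flags the AnyDesk launch from a temp directory and the ScreenConnect copy in a public folder, while the properly installed agent and the unrelated process pass.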
The guide provides recommendations for network administrators, organizations, MSP and SaaS customers, MSPs and other IT administrators, and for the developers of remote access software on how to improve security and ensure malicious activity is identified and prevented.