DEFENSESTORM BLOG

Remote Access Tools: Friend or Foe?

Wednesday, November 13th, 2024

With the remote workforce not showing any signs of slowing down, many organizations are starting to evaluate and implement ways to access these systems through the usage of Remote Access Tools. Whether used by an IT help desk technician to fix a user’s remote system or by co-workers for collaboration on a project, these tools play an essential role in most organizations’ day-to-day operation. While these tools provide an incredible amount of value to an organization to stay connected and retain access, Remote Access Tools are a significant attack vector in cybersecurity and are something that should not be taken lightly. Here are a couple of points to consider:

  1. Common Entry Point: Misuse of remote access tools, such as Remote Desktop Protocol (RDP), is one of the most common initial attack vectors, and year after year these tools continue to rank among the most common initial access methods across the globe.
  2. Ransomware Attacks: Remote access tools are frequently exploited in ransomware attacks. Attackers often target these tools to gain initial access to networks. Whether it be accidentally leaving RDP open or using insecure credentials for an existing tool, bad actors are constantly trying to gain access using these methods.
  3. Living-off-the-Land Techniques: Cybercriminals increasingly use legitimate remote access tools to evade detection. This tactic, known as “living off the land,” involves using existing software and tools within the network to carry out attacks.
  4. Phishing and Social Engineering: Remote access tools can be exploited through phishing and social engineering attacks. Attackers trick users into downloading malicious versions of these tools, granting them unauthorized access.
    • One of the most common versions of this attack is something known as Scareware. Scareware is a type of malicious software designed to trick users into believing their computer is infected with a virus or other security threat. Scareware often appears as pop-up ads or alerts that mimic legitimate security warnings. These alerts claim that your computer is infected and urge you to take immediate action by calling the number on the screen. Once you are connected to an agent, they will inform you that they need to set up a remote screen-sharing session to “fix” your PC, leading you to download their preferred tool. Once you provide them the initial access, they will be able to download additional tools/malware or simply retain access for a future date well after they have “resolved” the end user’s problem.

Given these risks, it is crucial to implement strong security measures, such as multi-factor authentication, regular monitoring, and strict access controls, to protect against unauthorized use of remote access tools.

One may ask, how can I help protect my network against these tools? From our perspective, one of the biggest recommendations would be to simply pick one approved remote management tool and block access to all other solutions.

Adopting one, or at most two, approved remote management solutions will allow the organization to thoroughly test and deploy in the most secure possible configuration. Once these solutions are fully tested and deployed, the next phase is to block access to all other solutions.

How should blocking be done? While there is no perfect way to prevent attacks using these tools, here are a couple of options to consider:

  • DNS Filtering
    • One of the best ways to combat the usage of Remote Access Tools is to set up DNS Filtering rules that block access to domains associated with the various remote access tools. While the names, IPs and hashes for the tools may change, the domains they contact will typically remain the same.
  • EDR Blocking
    • Many EDR solutions will allow you to create custom blocking rules that can be used to target specific applications. Our recommendation would be to block access to as many remote applications as possible and only allow the one or two authorized by your organization, blocking by both the application name and the file hash where appropriate.
    • While not all inclusive, here are a handful of remote access tools that have been commonly utilized by bad actors:
      • AnyDesk: Often used for remote support, but also exploited in phishing campaigns and other malicious activities.
      • TeamViewer: A popular tool for remote desktop access, frequently targeted by attackers to gain unauthorized access.
      • ConnectWise Control (formerly ScreenConnect): Used for remote monitoring and management but has been involved in various cyber-attacks.
      • LogMeIn: Another widely used remote access tool that has been abused for unauthorized access and data exfiltration.
      • Ammyy Admin: Often used in tech support scams and other fraudulent activities.
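The DNS filtering and EDR blocking advice above rests on one allowlisted tool and a denylist of everything else. The following added example (not code from DefenseStorm or the post) shows how a defender can triage DNS query logs against such a list before turning on blocking: it matches a query name against each listed domain and its subdomains, ignores the approved tool, and counts hits per client. The domain list and the log format are assumptions to be replaced with the organization's own vetted list and resolver format.

```python
# Added example: triage DNS query logs for unapproved remote-access-tool domains.
from collections import defaultdict

# Illustrative mapping of domain -> tool (assumption; maintain your own vetted list).
REMOTE_TOOL_DOMAINS = {
    "anydesk.com": "AnyDesk",
    "teamviewer.com": "TeamViewer",
    "screenconnect.com": "ConnectWise Control",
    "logmein.com": "LogMeIn",
    "ammyy.com": "Ammyy Admin",
}

def match_tool(qname, domains=REMOTE_TOOL_DOMAINS):
    """Return the tool name if qname is a listed domain or one of its subdomains.
    Handles case and the trailing dot of a fully qualified name; 'notanydesk.com'
    must NOT match 'anydesk.com', so the check requires a label boundary."""
    name = qname.lower().rstrip(".")
    for dom, tool in domains.items():
        if name == dom or name.endswith("." + dom):
            return tool
    return None

def triage(log_lines, approved, domains=REMOTE_TOOL_DOMAINS):
    """Parse '<timestamp> <client_ip> <qname>' lines (assumed resolver format) and
    return {client_ip: {tool: query_count}} for tools not in the approved set."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the triage run
        _ts, client, qname = parts[:3]
        tool = match_tool(qname, domains)
        if tool and tool not in approved:
            hits[client][tool] += 1
    return {client: dict(tools) for client, tools in hits.items()}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-11-13T09:01:02 10.0.0.12 relay.anydesk.com",
    "2024-11-13T09:01:03 10.0.0.12 www.example.com",
    "2024-11-13T09:02:10 10.0.0.44 login.teamviewer.com.",
    "2024-11-13T09:02:11 10.0.0.44 ANYDESK.COM",
    "2024-11-13T09:03:00 10.0.0.12 notanydesk.com",
    "malformed line",
]

if __name__ == "__main__":
    # With TeamViewer as the single approved tool, only the AnyDesk lookups are reported.
    for client, tools in triage(SAMPLE_LOG, approved={"TeamViewer"}).items():
        print(client, tools)
```

Running the triage over a few days of resolver logs before enabling the block rules shows which hosts would be affected and helps catch legitimate users of an unapproved tool early.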

If possible, we recommend also trying to integrate these solutions with other organizational technology such as Active Directory or multi-factor authentication (MFA). This will serve as an additional layer of protection and verification for the Remote Access Tools that are authorized. If you are unable to set up MFA for these solutions, we strongly encourage setting up log-forwarding for these applications to help monitor for any potentially suspicious authentications.
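As an added example of the log-forwarding fallback described above (not code from DefenseStorm or from any vendor), the script below applies two simple checks to forwarded remote-access-tool authentication events: a burst of failed logins for one account inside a short window, and a successful login from a source address that is not in that account's known baseline. The log line format, the baseline, and the thresholds are assumptions; adapt them to the actual tool's export.

```python
# Added example: flag suspicious authentications in forwarded remote-access-tool logs.
from collections import defaultdict
from datetime import datetime, timedelta

def parse_event(line):
    """Parse '<ISO-timestamp> <user> <src_ip> SUCCESS|FAIL' (constructed format)."""
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result

def find_suspicious(lines, known_sources, max_fail=3, window=timedelta(minutes=5)):
    """Return (reason, user, src_ip) alerts.
    'fail-burst': at least max_fail failures for one user inside `window`.
    'new-source': a success from an address not in the user's baseline set."""
    alerts = []
    recent_fails = defaultdict(list)
    for line in sorted(lines):  # ISO-8601 timestamps sort correctly as strings
        ts, user, src, result = parse_event(line)
        if result == "FAIL":
            # keep only failures still inside the sliding window, then add this one
            recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window] + [ts]
            if len(recent_fails[user]) >= max_fail:
                alerts.append(("fail-burst", user, src))
                recent_fails[user] = []  # reset so one burst yields one alert
        elif result == "SUCCESS" and src not in known_sources.get(user, set()):
            alerts.append(("new-source", user, src))
    return alerts

# Constructed baseline and sample events (not real data).
KNOWN_SOURCES = {"alice": {"203.0.113.10"}}
SAMPLE_EVENTS = [
    "2024-11-13T08:00:00 alice 203.0.113.10 SUCCESS",
    "2024-11-13T08:05:00 bob 198.51.100.7 FAIL",
    "2024-11-13T08:06:00 bob 198.51.100.7 FAIL",
    "2024-11-13T08:07:00 bob 198.51.100.7 FAIL",
    "2024-11-13T08:08:00 bob 198.51.100.7 SUCCESS",
    "2024-11-13T22:30:00 alice 198.51.100.9 SUCCESS",
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS, KNOWN_SOURCES):
        print(*alert)
```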

DefenseStorm Recommendations

Continuous research is being conducted for all newly discovered or recurring malware and ransomware. As always, DefenseStorm recommends the following practices to help secure your environment:

  • Continued internal training for phishing campaigns
  • Block threat indicators at their respective controls
  • Keep all systems and software updated to the latest patched versions to best protect against all known security vulnerabilities
  • Maintain a strong password policy
  • Enable multi-factor authentication
  • Regularly back up data; keep backup copies offline, air-gapped, and password-protected
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location
  • Use app hardening
  • Restrict administrative access

Ian Gibson

Cyber Threat Intelligence Engineer

Ian Gibson is a Cyber Threat Intelligence Engineer for DefenseStorm. He joined the company in 2019 after graduating with a bachelor’s in Information Technology from the University of North Carolina: Wilmington. During his time at UNCW, he completed a specialized curriculum path in Cyber Defense Education. Joining DefenseStorm first as an intern, Ian worked in many positions throughout the company, which allowed him to become an expert in several areas of the platform. During his cyber career, Ian has been instrumental in proactively detecting and responding to cyber incidents, developing new policies and analytics to improve the detection and prevention of potential attacks, and training customers to better utilize DefenseStorm’s services. Ian has completed all tracks of the MITRE ATT&CK® Defender certifications, which helped him gain a better understanding of how to apply the knowledge of adversary behaviors to improve security configurations, analytics, and decision-making when it comes to best protecting DefenseStorm clients. Ian also holds a GIAC Cyber Threat Intelligence (GCTI) certification.