Image: Kari Shea via Unsplash/Photomosh
CISA publishes plan for remote monitoring tools after nation-state, ransomware exploitation

A collaboration between the U.S.’s cybersecurity defense agency and private companies published its first plan to address security issues with remote monitoring and management (RMM) tools on Wednesday.

RMM software is used by the IT departments of most large organizations around the world to get remote access to a computer for software installations or other services employees need.

In recent years, hackers have increasingly exploited these tools – particularly in government networks – as an easy way to circumvent security controls and establish persistent access to victim networks. In January, for example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency said at least two federal civilian agencies were compromised by cybercriminals as part of a refund scam campaign carried out through RMM software.

In an announcement Wednesday, CISA said it worked with industry partners as part of the Joint Cyber Defense Collaborative (JCDC) to create a “clear roadmap to advance security and resilience of the RMM ecosystem.”

Eric Goldstein, CISA executive assistant director for cybersecurity, said the organization worked with other U.S. agencies as well as RMM companies to develop a plan focusing on four main tasks: vulnerability information sharing, industry coordination, end-user education and advisory amplification.

“The collaboration established to develop this plan has already achieved several accomplishments for RMM stakeholders and ecosystem,” Goldstein said in a statement. “As the JCDC leads the execution of this plan, we are confident that this public-private collaboration in the RMM ecosystem will further reduce risk to our nation’s critical infrastructure.”

RMM software allows hackers to establish local user access without the need for higher administrative privileges, “effectively bypassing common software controls and risk management assumptions,” CISA and the NSA said in their January announcement.

The agencies warned that threat actors could sell access to an exploited victim to government-backed hacking groups – noting that both cybercriminals and nation-states use RMM software as a backdoor to maintain their access to a system.

Other cybersecurity incidents involving RMM software include the Gandcrab ransomware gang exploiting a vulnerability in a Kaseya plugin for the ConnectWise Manage software in February 2019 to deploy ransomware on the networks of managed service providers’ customers.

Microsoft said in November 2022 that it saw the Royal ransomware group deliver malware through phishing emails that posed as legitimate installers for AnyDesk.

Additionally, leaked files from the Conti ransomware group showed that the group also used AnyDesk as one way to maintain persistence and remote access to a victim’s network. According to CISA, both ransomware gangs and nation-states are using RMM tools “to compromise large numbers of downstream customer organizations.”

CISA said the plan announced on Wednesday – named the Cyber Defense Plan for Remote Monitoring and Management – will seek to expand the sharing of cyber threat and vulnerability information between the U.S. government and RMM industry stakeholders while also implementing mechanisms for the community to “mature scaled security efforts.”

Government agencies and RMM companies will develop end-user education manuals and guidance that provide more information on best practices for protecting the employees who use the products.

CISA also wants more effort to be put into amplifying advisories and alerts within the RMM community to help protect tools that are being exploited by hackers.

Goldstein added that the plan advances the industry collaboration portion of the National Cyber Strategy. CISA spent months working with the cybersecurity industry on the plan, coordinating with vendors, operators, agencies and other stakeholders.

“As envisioned by Congress and the Cyberspace Solarium Commission, JCDC Cyber Defense Plans are intended to bring together diverse stakeholders across the cybersecurity ecosystem to understand systemic risks and develop shared, actionable solutions,” Goldstein said.

“The RMM Cyber Defense Plan demonstrates the criticality of this work and the importance of both deep partnership and proactive planning in addressing systemic risks facing our country. These planning efforts are dependent on trusted collaboration with our partners, and this Plan was a true partnership with the RMM community, industry and interagency partners that contributed time and effort towards this important work.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.