The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) recently released a Guide to Securing Remote Access Software because of the risk that such software will be abused in cyber attacks. In this blog, we’ll explore why it can be a threat to public safety organizations, particularly in today’s remote work environment, and how to reduce your security risk.
How Do Threat Actors Exploit Remote Access Software?
Remote access software is commonly used across public and private IT networks. It gives tech support teams a relatively simple and flexible way to remotely oversee an organization’s networks, computers and mobile devices. With the increase in remote work in the past few years, it has become even more popular for supporting employees working from home and other remote users. However, it might not be the first thing you think of when considering security vulnerabilities.
Unfortunately, almost all cyber threat groups we have observed targeting public safety heavily favor the capabilities of remote access software. Without proper monitoring and alerting to spot malicious use, threat actors can use these tools to establish broad network access while remaining undetected among legitimate remote workforce users.
In addition to targeting remote desktop software applications, adversaries heavily attack remote service protocols. Since January 2022, we’ve observed at least 13 different attributed threat actors abusing remote services to gain initial unattended access to public safety environments. Adversaries used tools like Windows Remote Desktop Protocol (RDP) and Server Message Block (SMB) to move across public safety networks, with access to sensitive information and potentially other connected environments.
Why Is Remote Access Software a Top Technique for Threat Actors?
Targeting remote access software and remote services remains prevalent. Along with phishing attacks, it’s one of the top five techniques that adversaries use to gain access to public safety victims. Threat actors target these services because they:
- Are hard to detect. Since remote tools were created for legitimate use, anti-malware or endpoint detection and response (EDR) solutions may not alert security teams when threat actors abuse remote access software in targeted environments.
- Do not require extensive capability development. Threat actors don’t need to build or purchase remote access trojans (RATs) or other custom malware for their attacks. Many remote access software vendors offer free trials, and victims often already run remote service protocols that are unsecured or exposed to the internet.
- May allow bypassing software management control policies. Even if system administrators or security teams put user access controls (UACs) in place, remote access software can act as a self-contained portable executable and let threat actors avoid administrative access restrictions.
- Could allow adversaries to bypass firewall rules. Several remote access applications offer end-to-end encryption. Over such an encrypted outbound or inbound connection, a firewall cannot see the file transfers that it would normally catch in plaintext network traffic.
- Can facilitate multiple cyber intrusions. Managed Service Providers (MSPs) use remote access software to manage and monitor multiple customer environments at the same time. This process is no different for threat actors. They can conduct multiple cyber intrusions from the same graphical user interface (GUI), significantly expanding their operational capabilities and ability to target victim networks at scale.
How Can I Protect Against, Detect and Respond to Attacks Against Remote Access Services?
Network security monitoring solutions are crucial in helping you detect and respond to attacks that use remote management services. They provide defenders with rich network data containing the essential information needed to see if and when remote monitoring and management (RMM) utilities are being used maliciously.
Here are several areas to keep in mind when inspecting network data to identify potential threats:
- User-Agents in Web Requests: Many remote administration solutions use web requests to set up access between the client and server. This web traffic typically contains a user-agent string specific to that particular remote access product. Since user-agents are carried in HTTP headers, you can use signatures to alert when an internal device makes a web request containing a user-agent specific to a known remote management service. For example, an intrusion detection signature rule could flag any HTTP request containing the user-agent string “AnyDesk”, or “DynGate”, which is used by TeamViewer.
- DNS Requests to RMM Domains: RMM solutions often rely on specific domains for communication and updates. Network monitoring can inspect DNS traffic and identify connections to known domains associated with remote monitoring and management services such as “RemoteUtilities[.]net” or “SplashTop[.]com”. By maintaining a list of these domains, organizations can generate an alert when a request for one of these domains occurs. This helps them validate whether the RMM solution is expected in the network or indicates a potential compromise.
- Transport Layer Security (TLS) Certificate Details: Connections facilitated by these services employ TLS encryption for secure communication. Network monitoring solutions can inspect TLS certificate details, such as the subject and issuer fields, to identify devices with RMM software running. For instance, a TLS certificate that could be captured and inspected by network monitoring might contain “LogMeIn, Inc.” in the subject field. This could indicate that LogMeIn software is being used on a device.
- Known Ports: Remote administration utilities often rely on specific ports for communication. Any connections using these known ports can be traced back to devices attempting to use one of these utilities. For example, TeamViewer typically uses TCP port 5938 for inbound and outbound connections. By using rules to alert or block connections on this port, organizations can prevent potential misuse of these utilities.
- Malicious Domains Resembling Trusted Domains: Threat actors may create malicious domains that mimic the trusted domains used by legitimate remote access software. Network monitoring solutions can employ techniques such as fuzzy hashing or domain similarity algorithms to identify these malicious domains. By comparing known trusted domains with newly observed domains, organizations can flag any suspicious matches that could indicate potential phishing or malware distribution attempts. For instance, if a system is making DNS queries to a domain called “atera-control.com,” but Atera’s official domain is “atera.com,” it could indicate a threat actor has gained remote device access.
Incorporating these investigative techniques into network monitoring enhances an organization’s ability to detect and respond to attacks that use remote management solutions and services. By continuously monitoring network traffic and analyzing relevant indicators, organizations can proactively identify when these solutions are being abused for unauthorized access.
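The five checks above, applied to normalized network records, as an added example that is not part of the original post or of any vendor product. The indicator lists hold only the values named in the post, the record format and sample traffic are constructed for illustration, and the lookalike check uses a simple brand-substring test plus a difflib similarity ratio as a stand-in for the "domain similarity algorithms" the post mentions.

```python
import difflib
# Constructed indicator lists built from the examples in the post; a production list would be longer.
RMM_USER_AGENTS = {"AnyDesk": "AnyDesk", "DynGate": "TeamViewer"}
RMM_DOMAINS = ("remoteutilities.net", "splashtop.com", "atera.com")
RMM_CERT_SUBJECTS = ("LogMeIn, Inc.",)
RMM_PORTS = {5938: "TeamViewer"}

def label(domain):
    """Registrable label of a domain: 'atera-control.com' -> 'atera-control'."""
    return domain.lower().rstrip(".").split(".")[-2:][0]

def lookalike_of(domain):
    """Trusted RMM domain that `domain` imitates (brand embedded in the label or difflib ratio >= 0.8), else None."""
    if domain.lower() in RMM_DOMAINS:
        return None  # exact match is legitimate RMM traffic, handled by the DNS check
    for trusted in RMM_DOMAINS:
        brand, seen = label(trusted), label(domain)
        if brand in seen or difflib.SequenceMatcher(None, brand, seen).ratio() >= 0.8:
            return trusted
    return None

def inspect(records):
    """Apply the post's five checks to normalized records ('kind' is http/dns/tls/conn)."""
    findings = []
    for r in records:
        kind, src = r["kind"], r["src"]
        if kind == "http":
            hits = [t for ua, t in RMM_USER_AGENTS.items() if ua in r.get("user_agent", "")]
            findings += [{"src": src, "tool": t, "check": "user_agent"} for t in hits]
        elif kind == "dns":
            q = r["query"].lower().rstrip(".")
            if q in RMM_DOMAINS or q.endswith(tuple("." + d for d in RMM_DOMAINS)):
                findings.append({"src": src, "tool": q, "check": "dns"})
            elif lookalike_of(q):
                findings.append({"src": src, "tool": q, "check": "lookalike"})
        elif kind == "tls" and any(s in r.get("subject", "") for s in RMM_CERT_SUBJECTS):
            findings.append({"src": src, "tool": "LogMeIn", "check": "tls_subject"})
        elif kind == "conn" and r.get("dport") in RMM_PORTS:
            findings.append({"src": src, "tool": RMM_PORTS[r["dport"]], "check": "port"})
    return findings

# Constructed sample records (not real traffic): one per check plus a benign query.
SAMPLE = [
    {"kind": "http", "src": "10.0.0.5", "user_agent": "Mozilla/5.0 AnyDesk/7.1"},
    {"kind": "dns", "src": "10.0.0.6", "query": "splashtop.com"},
    {"kind": "dns", "src": "10.0.0.7", "query": "atera-control.com"},
    {"kind": "tls", "src": "10.0.0.8", "subject": "O=LogMeIn, Inc., C=US"},
    {"kind": "conn", "src": "10.0.0.9", "dport": 5938},
    {"kind": "dns", "src": "10.0.0.10", "query": "example.org"},
]
```

A "dns" finding is expected RMM use to be validated against an asset inventory, while a "lookalike" finding has no legitimate explanation and should be triaged first.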
How Motorola Solutions ActiveEye Managed Detection and Response Service Can Help
The ActiveEye MDR service combines an advanced security platform with an expert security operations center (SOC) team to ensure your cybersecurity team has all the capability it needs to protect against advanced threats around the clock. The service uses both endpoint detection and response (EDR) and network-based intrusion detection system (NIDS) capabilities to help detect attacks against remote services.
Our ActiveEye MDR services include:
- Access to our co-managed ActiveEye security platform to optimize analysis and detection of threats across endpoints and networks
- Consistent updates to network and endpoint intrusion detection rules to discover new threats and anomalous entity behavior, and to help identify and manage risks
- Threat Intelligence team to alert you to threats and threat actor trends and guide the adoption of appropriate detection methods
- A 24/7 security operations team to quickly investigate anomalous activity, initiate immediate endpoint response actions to contain threats and augment your internal security team
- Advanced threat research to proactively search for threats as new tactics and IOCs are discovered
- Incident Response team to guide an assessment in the event your network is compromised
The Public Safety Threat Alliance (PSTA) is a public safety-focused information sharing and analysis organization (ISAO) established by Motorola Solutions that is recognized by the Cybersecurity and Infrastructure Security Agency (CISA). The PSTA has issued a Threat Advisory on securing remote access software and will continue to monitor intelligence reporting for credible threats to public safety organizations.
The PSTA provides threat intelligence for member public sector organizations at no cost. Register today for more information.