
WNYCyber is there to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Threat Hunting Case Study: RMM Software

Summary:
Security firm Intel471 notes an increasing trend in threat actors leveraging remote monitoring and management (RMM) applications to gain initial access and move laterally across organizational networks. RMM software, such as AnyDesk, Atera, and TeamViewer, is typically used by IT administrators for tasks like system updates, software deployment, and endpoint troubleshooting, especially in environments where physical access to machines is impossible. However, these same tools are being misused by attackers to gain unauthorized access, install malware, disable security features, and escalate privileges. Since RMM tools are widely used and integrated into IT workflows, detecting malicious activities is challenging, as these applications are unlikely to be flagged by endpoint security solutions.

Security Officer Comments:
Attackers often gain access by compromising RMM user credentials through social engineering or exploiting vulnerabilities in outdated software. Once inside, they can create new accounts, map networks, move laterally within systems, exfiltrate sensitive data, deploy ransomware, and even launch attacks on downstream clients. To maintain persistence and further their malicious goals, researchers note that attackers may install additional Remote Access Trojans to ensure long-term control or facilitate backup connections to external servers.

Ransomware groups, in particular, have frequently abused RMM software to carry out their malicious activities. In one campaign tracked by Intel471, the Black Basta group targeted an employee with a spam attack that overwhelmed their inbox. Subsequently, the attacker impersonated an IT support member from the victim's organization, offering to install antispam software. To facilitate this, the victim was tricked into installing remote access tools such as AnyDesk, Quick Assist, or TeamViewer. Once the software was installed, the attacker enlisted a Black Basta penetration tester, who then gained access to the system and attempted to install additional malware or legitimate RMM software to maintain persistent access.

Suggested Corrections:
In general, organizations should regularly update RMM software to address known vulnerabilities, enable multi-factor authentication, and implement strict access controls so that only authorized IT staff have access to RMM tools. According to Intel471, a common tactic employed by adversaries is to place the RMM executable in unusual locations rather than standard ones like AppData or Downloads. For example, AnyDesk executing from an uncommon directory, such as the public music folder, can indicate potential malicious use. Additionally, since tools like AnyDesk typically require a network connection, investigators can track where the tool is connecting to. If the tool is being used for malicious purposes, such as delivering subsequent payloads, the processes it spawns should be monitored for further investigation.
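The location check described above, as an added example (not Intel471's or this site's code): it runs over constructed process-creation events and flags an RMM binary whose path lies outside the usual install or download directories, attaching any recorded destination address for follow-up. The binary names, the expected-directory patterns and the event fields are assumptions.

```python
"""Hunt for RMM tools launched from unexpected directories.
Sample events below are constructed; paths and names are assumptions."""
import re
from pathlib import PureWindowsPath

# RMM tools named in the case study; executable names are assumptions.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "ateraagent.exe"}

# Where a legitimate install or a user download normally lives (assumption).
EXPECTED_DIR_PATTERNS = [
    re.compile(r"^c:\\program files( \(x86\))?\\", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\downloads\\", re.I),
]


def is_unusual_rmm_launch(image_path: str) -> bool:
    """True when the image is a known RMM binary running from a directory
    outside the expected install/download locations."""
    p = PureWindowsPath(image_path)
    if p.name.lower() not in RMM_BINARIES:
        return False
    return not any(pat.match(str(p)) for pat in EXPECTED_DIR_PATTERNS)


def hunt(events):
    """Return findings for process-creation events (dicts with 'host',
    'user', 'image' and an optional 'dest_ip' from the network log)."""
    findings = []
    for ev in events:
        if is_unusual_rmm_launch(ev["image"]):
            findings.append({
                "host": ev["host"], "user": ev["user"], "image": ev["image"],
                "dest": ev.get("dest_ip", "n/a"),  # where the tool connects to
                "reason": "RMM binary launched from unexpected directory",
            })
    return findings


# Constructed sample events: one benign download, one public-folder launch,
# one normal install and one unrelated process.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "image": r"C:\Users\alice\Downloads\AnyDesk.exe"},
    {"host": "WS02", "user": "bob", "image": r"C:\Users\Public\Music\AnyDesk.exe",
     "dest_ip": "203.0.113.10"},
    {"host": "WS03", "user": "carol", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"host": "WS04", "user": "dave", "image": r"C:\Windows\Temp\notepad.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only the WS02 event is reported; a hit is a lead for checking the destination address and any child processes, not proof of compromise on its own.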

Link(s):
https://intel471.com/blog/threat-hunting-case-study-rmm-software