CISA Warns Businesses To Exercise Caution Using RMM Links

In late January 2023, the Cybersecurity & Infrastructure Security Agency (CISA), National Security Agency (NSA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) together issued cybersecurity Alert AA23-025A. The bulletin warns organizations to use caution when enabling and accepting remote management and monitoring (RMM) tool connections.

The alert confirms cybercriminals are using legitimate remote monitoring and management (RMM) applications—including ScreenConnect (now ConnectWise Control) and AnyDesk—to steal money from victims. The scams begin with phishing messages that present corresponding RMM links within a seemingly normal context. However, the RMM links connect victims to the perpetrators’ own systems.

The potential dangers don’t stop there, though. The agencies warn that the malicious actors could then use these RMM connections to further and more effectively attack victim organizations.

Specifically, the risks involve malicious actors leveraging legitimate RMM utilities’ executable files to penetrate a victim’s network and gain local user access to the victim’s systems while bypassing requirements for administrative rights and the need to install another app that might otherwise raise questions or alarm. The approach proves particularly dangerous due to its ability to potentially circumvent standard software controls, cyber protections and defense strategies.

The CISA alert includes additional details regarding the specifics of observed attacks, including indicators of compromise (IOC) and a sample phishing message. The cybercriminals, CISA notes, employ domain names that assist their RMM-scam social engineering efforts. For example, the malicious actors have used RMM-linked domain names that might appear legitimate, such as nhelpcare.cc or nhelpcare.info, and that mimic similar portals maintained by Geek Squad and Norton.

To help prevent RMM attacks from succeeding, the alert encourages organizations to take all the following steps:

  • Filter email to block phishing messages
  • Monitor remote access tool usage
  • Review system logs for RMM activity to detect anomalies
  • Configure security solutions to specifically detect instances of RMM software being loaded in memory
  • Implement application controls to manage and control app execution
  • Configure application controls to prevent both installation and execution of unauthorized RMM software portable files
  • Limit authorized RMM solutions to only operate from within the network using only approved secure remote access technologies (such as a trusted VPN)
  • Close common inbound and outbound RMM port connections on the network’s edge
  • Employ user training to warn against phishing risks and the need to avoid clicking on unexpected links and attachments

ConnectWise, which issued a warning and subsequent patch in late 2022, has recommended organizations take several precautions to help ensure its ConnectWise Control application is wielded properly. The company’s warnings include downloading the RMM program only from trusted resources, resisting fear tactics pressuring one into making quick decisions and being suspicious of unexpected calls and pop-up messages requesting the user contact a provided number for technical support.

AnyDesk, another RMM tool specifically mentioned with Alert AA23-025A, also maintains guidance to assist organizations and their users in avoiding fraudulent use of RMM solutions. Like ConnectWise, AnyDesk recommends users never give unknown contacts access to their systems, distrust unexpected calls and refuse suspicious or unexpected requests (especially instructions to login to a bank account or divulge passwords while remotely connected to the user’s computer). AnyDesk also published a video tutorial to assist users in spotting RMM scams.

Still Have Questions Regarding RMM Security?

If you have concerns your organization’s RMM utilities could have been compromised, or if you’re unsure how to properly secure a remote management solution, call Louisville Geek at 502-897-7577 or email [email protected]. Our technicians can assist.