
Stopping a targeted attack on a Managed Service Provider (MSP) with ThreatDown MDR

28 February 2024 at 14:43

In late January 2024, the ThreatDown Managed Detection and Response (MDR) team found and stopped a three-month long malware campaign against a Managed Service Provider (MSP) based in Europe. In line with our observations of attackers increasingly relying on legitimate software in their attacks, the attacker employed various Living Off the Land (LOTL) techniques to avoid detection.

MSPs are a prime target of cyberattacks for two main reasons. One, they provide services to multiple clients, giving attackers access to a broader network of targets through a single breach. Two, MSPs often operate on tight security budgets, making them more vulnerable to attacks.

Almost immediately after onboarding the MSP in mid-January, the ThreatDown MDR team found extensive evidence of an ongoing malware campaign. The attackers, who targeted the MSP’s network from October 2023 to January 2024, silently monitored and manipulated the network for months, leveraging legitimate remote access tools like AnyDesk and TeamViewer and attempting to install malware like Remcos RAT and AsyncRAT.

Let’s dive into the details of this incident and how ThreatDown MDR neutralized the threat.

Initial discovery and evidence of compromise

In late October 2023, ThreatDown Endpoint Detection and Response (EDR) flagged multiple suspicious outbound connections on the MSP’s network. These were attempts to communicate with known malicious external sites and IPs, involving several endpoints within the network.

This activity was immediately blocked by ThreatDown, marking the first documented evidence of a security breach. The nature of these attempts—targeting sites associated with RDP-based attacks and other malicious activities—indicated a possible compromise.

List of malicious sites automatically blocked by ThreatDown MDR.

Expanding presence and evasion

Following the initial detections in October, the attacker quietly expanded their presence within the network. On December 8th, network scanning activity was detected from an endpoint, indicative of the attacker’s efforts to map out the network for further exploitation. This activity went beyond mere exploration, suggesting a systematic approach to identify additional targets or vulnerabilities within the MSP’s digital environment.

Escalation and discovery of malware

The situation escalated in January 2024 with the discovery of malware on several endpoints, linked to unauthorized remote access tools like ScreenConnect and AnyDesk.

This pointed towards a more aggressive phase of the attack, with the attackers deploying malware to maintain and expand their access. An attempt to uninstall McAfee via PowerShell, observed on an endpoint, further underscored the attackers’ intentions to weaken the network’s defenses.

Detection of malware leveraging RMM tools.

Ongoing surveillance and response

The implementation of ThreatDown MDR services on January 18th, 2024, was a strategic move by the MSP to gain deeper insights into the attackers’ movements. By this time, the attackers had already established a significant presence within the network, as evidenced by the attempted communications with a known AsyncRAT botnet C2 server and the discovery of additional remote monitoring and management (RMM) tools on the network.

Connections to AsyncRAT were detected and automatically blocked by ThreatDown MDR.

Fortunately, the ThreatDown MDR team caught the attack in action and made several immediate recommendations for the MSP, including:

  • Isolating the compromised endpoints to halt the infection spread and re-imaging them for a clean slate.
  • Changing all administrative and local passwords three times to fortify security.
  • Restoring all infected endpoints from secure backups, eliminating the use of local administrator accounts, and implementing application and DNS filtering to control software usage and web access.

Threat hunting with ThreatDown MDR

How ThreatDown MDR works

MSPs continue to be a prime target in cyber attacks—and as we’ve seen in this case study, attackers are in it for the long-haul, able to remain undetected for several months after compromising a network.

The attacker’s use of legitimate tools such as TeamViewer, ScreenConnect, and PowerShell, in their months-long attack on the MSP underscores a key theme we’ve been writing about on the blog recently: attackers are increasingly relying on LOTL techniques in their attacks to avoid detection.

In this example, if the attack had been allowed to continue, the MSP could have suffered a ransomware attack, data breach, or both. Fortunately, however, by hunting down LOTL techniques for the MSP based on suspicious activity and past indicators of compromise (IOCs), the ThreatDown MDR team successfully stopped the threat.

Protecting your MSP from stealthy LOTL threats takes an elite team of security professionals scouring your systems 24×7 for IOCs and suspicious activity observed on endpoints. Learn more about ThreatDown today.

Why ransomware gangs love using RMM tools—and how to stop them

22 February 2024 at 11:08

One of the most alarming trends our ThreatDown Intelligence team has noticed lately is the increased exploitation of legitimate Remote Monitoring and Management (RMM) tools by ransomware gangs in their attacks.

RMM software, such as AnyDesk, Atera, and Splashtop, is essential for IT administrators to remotely access and manage devices within their networks. Unfortunately, ransomware gangs can also exploit these tools to penetrate company networks and exfiltrate data, effectively allowing them to “live off the land”.

In this post, we will delve into how ransomware gangs use RMM tools, identify the most exploited RMM tools, and discuss how to detect and prevent suspicious RMM tool activity using Application Block and Endpoint Detection and Response (EDR).

How ransomware gangs utilize RMM tools

Ransomware gangs exploit Remote Monitoring and Management (RMM) tools through one of three main strategies:

  1. Gaining initial access via preexisting RMM tools: As RMM tools typically require credentials for system access, attackers can exploit weak or default RMM credentials and vulnerabilities to gain unauthorized access to a network.
  2. Installing RMM tools post-infection: Once inside a network, ransomware attackers can install their own RMM tools to maintain access and control, setting the stage for a ransomware attack. For example, the ThreatDown Intelligence team noted a case where ransomware attackers exploited an unpatched VMware Horizon server to install Atera.
  3. Hybrid approach: Attackers can use a slew of different social engineering scams, such as technical support scams or malvertising, to trick employees into installing RMM tools onto their own machines, enabling both initial access and a mechanism for ransomware deployment. The Barclays banking scam we wrote about in February 2024 is an example of this approach.

Top RMM tools exploited by ransomware gangs

The following RMM tools are among those ransomware gangs have abused to oversee and control IT infrastructure remotely.

  • Splashtop: A remote access and support solution tailored for businesses, MSPs, and educational institutions. Exploited by the ransomware gangs CACTUS, BianLian, ALPHV, LockBit.
  • Atera: An integrated RMM tool for MSPs that offers remote access, monitoring, and management. Exploited by Royal, BianLian, ALPHV.
  • TeamViewer: A software for remote access and support. Exploited by BianLian.
  • ConnectWise: A suite that includes solutions for remote support, management, and monitoring. Exploited by Medusa.
  • LogMeIn: Provides secure remote access to computers from any location for IT management and support. Exploited by Royal.
  • SuperOps: An MSP platform that combines RMM, PSA, and other IT management features. Exploited by CACTUS.

The top ten ransomware gangs in 2023 by number of attacks. Nearly every one has included RMM tools in their attacks.

Preventing RMM ransomware attacks with Application Block and EDR

To prevent ransomware gangs from misusing RMM tools, businesses can adopt two strategies: blocking unnecessary RMM tools using application blocking software and utilizing EDR to detect suspicious RMM tool activity.

For instance, by employing applications like ThreatDown’s Application Block, businesses can prevent the use of non-essential RMM applications.

For necessary tools, such as AnyDesk, the EDR/MDR layers within ThreatDown Bundles can offer an additional layer of protection in case of an infection.

Consider a real example where ransomware attackers used AnyDesk to establish a Command and Control (C&C) server. In one case, a threat actor infiltrated a customer’s environment by exploiting an unpatched server with open ports exposed to the internet. AnyDesk was installed by the threat actor afterward, as indicated in the EDR alert below. Such activity is typical of what our Threat Intel teams observe just before the widespread encryption carried out in ransomware attacks.

EDR detecting malicious RMM tool usage, with relevant MITRE techniques

After investigating the alert, a customer can quickly isolate the affected endpoint to prevent encryption. Alternatively, the ThreatDown MDR service can identify the alert and offer guidance on remediation.
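The two strategies described above, blocking RMM tools the organization has not sanctioned and flagging suspicious use of the ones it has, can be sketched as a small triage rule set over process-creation events. The following is an added example written for this page; it is not ThreatDown code and does not reproduce how Application Block or the EDR alert shown above actually work. The events, the hypothetical approval policy (only AnyDesk, from its normal install directory), and the executable names marked "assumed" are constructed for illustration and should be checked against vendor documentation before use. It also adds a third rule, based on the earlier MSP case study, for PowerShell or msiexec command lines that try to remove an endpoint security product.

```python
"""Triage constructed Windows process-creation events for RMM-tool abuse.

Added example (not ThreatDown's code). Three defensive rules:
  1. block      - an RMM tool the org has not approved (application-block candidate)
  2. suspicious - an approved RMM tool started from an unexpected directory
  3. suspicious - a PowerShell/msiexec command line removing a security product
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional
import re

# Process names of the RMM tools named in the post (lower-case).
# Entries marked "assumed" are illustrative guesses at the binary name.
RMM_EXECUTABLES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "ateraagent.exe": "Atera",      # assumed
    "srserver.exe": "Splashtop",    # assumed
    "logmein.exe": "LogMeIn",       # assumed
}

# Hypothetical org policy: only AnyDesk is sanctioned, and only when it runs
# from its standard install directory (prefixes compared in lower case).
APPROVED_RMM = {
    "AnyDesk": ("c:\\program files (x86)\\anydesk\\",),
}

# Defender-tampering rule: an uninstall verb AND a security-product name in the
# same command line. Both lists are illustrative, not exhaustive.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "msiexec.exe"}
UNINSTALL_VERB = re.compile(r"uninstall-package|msiexec(\.exe)?\s+/x", re.IGNORECASE)
SECURITY_PRODUCT = re.compile(r"mcafee|defender|malwarebytes|threatdown", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    verdict: str   # "block" or "suspicious"
    reason: str
    image: str


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for one event, or None if nothing matched."""
    image = event["image"]
    path = PureWindowsPath(image)
    name = path.name.lower()
    directory = str(path.parent).lower() + "\\"

    product = RMM_EXECUTABLES.get(name)
    if product is not None:
        if product not in APPROVED_RMM:
            return Finding(event["host"], "block", f"unapproved RMM tool {product}", image)
        if not any(directory.startswith(p) for p in APPROVED_RMM[product]):
            return Finding(event["host"], "suspicious",
                           f"{product} launched from unexpected path", image)
        return None  # sanctioned tool, sanctioned location

    cmd = event.get("command_line", "")
    if name in SHELL_IMAGES and UNINSTALL_VERB.search(cmd) and SECURITY_PRODUCT.search(cmd):
        return Finding(event["host"], "suspicious",
                       "attempt to remove endpoint security product", image)
    return None


def triage(events: List[dict]) -> List[Finding]:
    """Classify every event and keep only the ones that produced a finding."""
    return [f for f in (classify(e) for e in events) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per verdict, e.g. {'suspicious': 2, 'block': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Constructed sample events (Sysmon-style process creation, simplified).
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "corp\\jdoe",
     "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
     "command_line": '"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe" --service'},
    {"host": "ws-07", "user": "corp\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "command_line": '"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"'},
    {"host": "srv-db-02", "user": "corp\\svc_backup",
     "image": "C:\\Program Files\\Atera Networks\\AteraAgent\\AteraAgent.exe",
     "command_line": '"C:\\Program Files\\Atera Networks\\AteraAgent\\AteraAgent.exe"'},
    {"host": "ws-12", "user": "corp\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Package McAfee* | Uninstall-Package"},
    {"host": "ws-03", "user": "corp\\asmith",
     "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.verdict:10} {f.host:10} {f.reason}  [{f.image}]")
    print(summarize(found))
```

On the constructed events the rules produce one block (Atera on the database server) and two suspicious findings (AnyDesk run from a Downloads folder, and a PowerShell attempt to remove McAfee), while the sanctioned AnyDesk service and Notepad pass. In a real deployment the "block" verdict corresponds to what an application-control policy enforces up front, and the "suspicious" verdicts are the kind of EDR alert an analyst would investigate before isolating the endpoint.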

Stop ransomware RMM attacks today

Much like other Living Off the Land tools designed to facilitate IT administration, RMM tools are now double-edged swords.

Whether using RMM tools for initial access, post-infection ransomware deployment, or a combination of the two, ransomware attackers are upping the sophistication of their attacks. However, with ThreatDown, organizations can effectively curtail the abuse of RMM tools through technologies like Application Block and EDR.

Discover the difference with ThreatDown Bundles and elevate your organization’s defense against cyber threats. Get in touch for a free trial and experience the benefits of a simplified, yet robust, security framework.
