

Adversarial abuse of remote monitoring & management (RMM) software is not new, but, given the rash of costly and destructive ransomware attacks in recent months and years, it’s particularly important that security teams develop robust security controls for detecting malicious use of RMM tooling. Red Canary’s Cyber Incident Response Team frequently observes adversaries abusing legitimate remote access utilities for lateral movement and execution of payloads. These tools perform reliably, as you may expect with most enterprise software, and allow operators to pivot and transfer data to and from victim machines. In fact, just last week AdvIntel reported on adversaries who, after gaining initial access, had installed an RMM tool called Atera and used it as a functional backdoor in the lead-up to a Conti ransomware outbreak.

The primary difference between a “trojan” and a “tool” is whether or not your organization still has control over the software, but determining that can be tricky. Once an adversary gets their hands on it, a remote administration tool can become a remote access trojan.

Similar to how we detailed the various exfiltration tools used by adversaries during ransomware extortion, in this post we’ll discuss why it’s important to monitor RMM software in your enterprise, and we’ll offer detailed guidance on how to observe and detect it.
