3 CISA | NSA | FBI | MS-ISAC | INCD
GUIDE TO SECURING REMOTE ACCESS SOFTWARE
MALICIOUS USE OF REMOTE ACCESS SOFTWARE
Remote access software provides IT/OT teams with flexible ways to detect anomalous network or device issues
early on and proactively monitor systems. Cyber threat actors are increasingly co-opting these same tools for easy
and broad access to victim systems. While remote access software is used by organizations for legitimate
purposes, its use is frequently not flagged as malicious by security tools or processes. Malicious actors exploit this
by using remote access software to establish network connections through cloud-hosted infrastructure while
evading detection. This type of intrusion falls into the category of living off the land (LOTL) attacks, where inherently
malicious files, codes, and scripts are unnecessary, and cyber threat actors use tools already present in the
environment to sustain their malicious activity. For additional information and examples of LOTL attacks, see the
joint Cybersecurity Advisory People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade
Detection.
RMM software in particular has significant capabilities to monitor or operate devices and systems as well as attain
heightened permissions, making it an attractive tool for malicious actors to maintain persistence and move
laterally on compromised networks. These capabilities enable MSPs or IT help desks to monitor multiple devices and
networks at once; however, the same features also make managing multiple intrusions easier for cyber threat actors. In this
way, remote access software has become a common, high-value instrument for cyber threat actors, especially
ransomware groups. Small- and mid-sized businesses rely on MSPs and the use of various types of remote access
software to supplement their own IT, OT, and ICS infrastructures, and scale network environments without having
to develop those capabilities internally. This makes businesses that much more vulnerable to service provider
supply chain compromises, exploitation, or malicious use of remote capabilities.
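The practical consequence of the LOTL pattern described above is that a defender cannot rely on a remote access binary looking malicious; it has to be compared against what the organization has actually approved. The following is an added example (not CISA's code and not any vendor's tooling) that triages constructed, Sysmon-style process-creation records: it flags remote access tools that are not in the approved inventory, and flags an approved tool when it runs from somewhere other than its known install directory or carries an unexpected signer. All tool names, install paths, signer names and event records are placeholders invented for the example.

```python
"""Triage process-creation events for remote access / RMM tool misuse.

Added example for this guide. Tool names, paths, signers and the sample
events are all constructed placeholders, not real products or telemetry.
"""

from dataclasses import dataclass

# Approved inventory (assumption: the organisation has authorised one RMM
# product and records its install directory and Authenticode signer).
APPROVED_RMM = {
    "approvedrmm.exe": {
        "install_dirs": ("c:\\program files\\approvedrmm\\",),
        "signer": "ApprovedRMM Vendor LLC",
    },
}

# Remote access tool executables the organisation knows about, approved or not
# (placeholder names). Anything else is out of scope for this check.
KNOWN_REMOTE_ACCESS = {"approvedrmm.exe", "otherrmm.exe", "portablermm.exe"}

# Locations a standard user can write to; a remote access tool launched from
# here is most likely a portable executable that was never installed.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")


@dataclass
class ProcessEvent:
    image: str   # full path of the launched executable
    signer: str  # Authenticode signer, "" if unsigned
    user: str    # account the process runs as
    parent: str  # parent process image


def classify(ev: ProcessEvent) -> list:
    """Return the reasons an event is suspicious; an empty list means clean."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name not in KNOWN_REMOTE_ACCESS:
        return []
    reasons = []
    policy = APPROVED_RMM.get(name)
    if policy is None:
        reasons.append("unapproved remote access tool")
        if ev.image.lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append("launched from user-writable path (portable executable)")
        return reasons
    # A valid signature does not clear the tool: the page's point is that the
    # binary is legitimately signed, so location and signer are checked together.
    if not ev.image.lower().startswith(policy["install_dirs"]):
        reasons.append("approved tool running outside its install directory")
    if ev.signer != policy["signer"]:
        reasons.append("unexpected or missing code signer")
    return reasons


def triage(events) -> list:
    """Return (image, reasons) for every event that has at least one finding."""
    findings = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings.append((ev.image, reasons))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Program Files\\ApprovedRMM\\approvedrmm.exe",
                 "ApprovedRMM Vendor LLC", "CORP\\svc-rmm", "services.exe"),
    ProcessEvent("C:\\Users\\alice\\Downloads\\approvedrmm.exe",
                 "ApprovedRMM Vendor LLC", "CORP\\alice", "explorer.exe"),
    ProcessEvent("C:\\Users\\bob\\AppData\\Local\\Temp\\portablermm.exe",
                 "Some Other Vendor", "CORP\\bob", "outlook.exe"),
    ProcessEvent("C:\\Windows\\System32\\notepad.exe",
                 "Microsoft Windows", "CORP\\carol", "explorer.exe"),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The second sample event is the case worth noticing: the binary is the approved product with a valid vendor signature, yet it is running from a user's Downloads folder, which is how a portable copy of a legitimate tool shows up. In production the inventory would come from the software management system rather than a dict, and the events from the EDR or Sysmon pipeline.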
Remote access software is particularly appealing to threat actors because the software:
• Does not always trigger security tools. Remote access software is often used for legitimate purposes, so it
generally blends into the environment and does not trigger antivirus (AV), antimalware, or endpoint
detection and response (EDR) defenses. RMM software is signed with valid code signing certificates issued
by trusted certificate authorities, meaning that it will not appear inherently suspicious to AVs and EDRs.
Often RMM install paths are excluded from EDR inspection.
• Does not require extensive capabilities development. Remote access software enables cyber threat
actors to avoid using or developing custom malware, such as remote access trojans (RATs). The way remote
access products are legitimately used by network administrators is similar to how malicious RATs are used
by threat actors.[2]
• May allow actors to bypass software management control policies. While a bypass or exclusion can be
required, remote access software also can be downloaded as self-contained, portable executables that
enable actors to bypass both administrative privilege requirements and software management control
policies.
Note: Portable executables launch within the user’s context without installation. Additionally, because
the use of portable executables often does not require administrator privileges, they can allow
execution of other unapproved software, even if risk management controls may be in place to audit or
block the same software’s installation on the network. Threat actors can leverage a portable
executable with local user rights to attack other vulnerable machines within the local intranet or
establish long-term persistent access as a local user service.
• Could allow actors to bypass firewall rules. In addition to bypassing software management controls, many
remote management agents use end-to-end encryption. This could allow a threat actor to download files that
would typically be detected and blocked at the firewall.
• Can facilitate multiple cyber intrusions. Remote access software enables threat actors to manage multiple
intrusions at once. In addition, initial access brokers may sell network access to many different
cybercriminals, enabling multiple intrusions to the same network, as well as expanding the reach and ability
of these cyber threat actors. If these actors first compromise an MSP, they could gain access to a large