Between November 04-11, 2024, Blackpoint’s Security Operations Center (SOC) responded to 563 total incidents across on-premises, Microsoft 365, and Google Workspace protected environments. Throughout Q4 2024, Blackpoint’s SOC has responded to alerts related to multiple remote monitoring and management (RMM) tools.
In this blog, we’ll dive into these observations, why they matter for our partners, and possible mitigations using your existing tech stack alongside Blackpoint Cyber’s managed services.
Inside Remote Monitoring and Management (RMM) Tools
Topline Takeaways
- Industry target: Various
- Blackpoint SOC actions:
  - Isolated impacted devices
  - Contacted partner
  - Deployed Managed Application Control (MAC) in block mode
- Recommended mitigations:
  - Provide a dedicated software center.
  - Implement application controls.
  - Regularly audit both environment and endpoints.
  - Employ least-privilege access controls.
  - Create an incident response plan.
Incident Timelines
Since October 01, 2024, Blackpoint’s SOC has consistently responded to incidents of threat actors attempting to deploy RMM tools, including AnyDesk, ScreenConnect, Splashtop, TeamViewer, and Zoho Assist. Blackpoint’s SOC was able to successfully remove these tools and persistence mechanisms, deploy Managed Application Control (MAC) to help identify and block unauthorized applications, and work alongside partners to mitigate malicious activities.
AnyDesk
In late October 2024, Blackpoint’s MDR technology alerted to the manual installation of AnyDesk on the workstation of an Industrials partner. As AnyDesk was not an observed RMM tool used within the partner’s environment, Blackpoint’s SOC isolated the workstation and reached out to the customer to provide details and mitigation advice.
In late November 2024, Blackpoint’s MDR technology alerted to suspicious PowerShell executions from the host of an Industrials partner. Upon initial investigation, Blackpoint’s SOC identified a command prompt spawning PowerShell to call out to a Netherlands IP address and retrieve a payload that turned out to be AnyDesk. Based on the observed actions, which included the creation of a new user and attempts to modify registry keys, it is likely that this incident was a result of abuse of the Foundation Software. Blackpoint’s SOC isolated impacted devices and provided the customer with details.
In early December 2024, Blackpoint’s MDR technology alerted to an RDP connection from a host of an Industrials partner. Initial investigations revealed that the threat actor attempted to install multiple RMM tools, including AnyDesk and Splashtop. Further investigation identified that the threat actor had attempted to use a tool that is often abused to copy sensitive data from victims’ devices. Blackpoint’s SOC took immediate action by isolating devices and contacting the partner.
ScreenConnect
In early October 2024, Blackpoint’s SOC received multiple MAC alerts for a device belonging to a financials partner. The impacted user account was attempting to execute and establish connections with ScreenConnect instances, likely in an attempt to gain persistent access to the device. Connections were blocked by Blackpoint’s MAC product, and Blackpoint’s SOC team contacted the partner. Blackpoint’s SOC initiated a threat hunt of the partner’s environment and found that the impacted user account had attempted to use curl.exe to pull WinPEAS (Windows Privilege Escalation Awesome Scripts) from a GitHub repository. Additional analysis identified a potential payload that had been staged. Blackpoint’s SOC immediately isolated additional devices and reached out to the partner to provide details and mitigation advice.
In mid-November 2024, Blackpoint’s MDR technology alerted to a user account with a healthcare partner spawning a ScreenConnect session to deploy a potential payload. The ScreenConnect executable was located in a Temp folder, and outbound connections to the Netherlands and Moldova were observed from two different ScreenConnect sessions. Additional investigation revealed that, in addition to ScreenConnect, the device had Splashtop and NinjaRMM installed. Blackpoint’s SOC isolated the impacted device and contacted the partner to provide details.
TeamViewer
In early November 2024, Blackpoint’s MAC product blocked an attempt to run TeamViewer on a device of a government partner. Blackpoint’s MDR technology also alerted to an RDP login on a device of this partner. Initial investigation identified the threat actor was attempting enumeration activity via the Windows tool net.exe to query local administrator group and user information. Blackpoint’s SOC isolated the impacted devices to prevent potential unauthorized activity and contacted the partner.
Zoho Assist
In mid-October 2024, Blackpoint’s MDR technology alerted to the execution of Zoho Assist on a device of an industrials partner. Initial investigation determined that the Zoho Assist instance had been downloaded on the same day via Chrome, and network callouts from it were observed. Blackpoint’s SOC immediately isolated the impacted device, cutting off any potential connections and preventing further malicious activity.
What You Should Know About RMM Tools
RMM tools are software programs that are designed to allow IT staff to remotely monitor and manage their company’s IT infrastructure. These tools are often used to troubleshoot problems, apply patches, collect data that can be used to generate reports, and automate routine tasks.
RMM tools are often an attractive option for threat actors for the same reasons they are a vital and convenient tool for IT teams, such as persistent access to remote devices. By using legitimate tools, threat actors are not required to maintain the resources or skills to develop and maintain their own variants, have a better chance of blending in with legitimate network activity, and can use built-in file sharing to easily execute additional tools or malware.
APG Threat Analysis for RMM Tools
Blackpoint’s Adversary Pursuit Group (APG) has tracked 26 ransomware operations and 7 advanced persistent threat (APT) groups that have been reported to abuse RMM tools during publicly reported incidents. APG predicts the continued use of RMM software for malicious activity over the next 12 months.
This assessment is supported by incidents observed by Blackpoint’s SOC and by external reporting detailing the use of RMM tools to conduct malicious activities.
Recommended Mitigations
- Dedicated Software Center: Ensure employees only download software from monitored, approved sources.
- Implement Managed Application Control (MAC) for continuous monitoring and blocking of unapproved software.
- Regularly audit both environment and endpoints to identify rogue applications and old or unused accounts that should be removed.
- Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions.
- Incident Response Plan: Ensure proper IRPs are in place in the event of an incident to ensure business continuity.
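As an added illustration of the application-control and audit mitigations above (example code written for this post, not Blackpoint’s MAC product or any partner tooling), the script below audits constructed process-creation records for the RMM tools named in the incidents: launches of a tool not on the organisation’s approved list, executables running from a Temp or Downloads folder, and agents spawned by cmd.exe or PowerShell, the chain seen in the November AnyDesk case. The image-name substrings, the approved list, and the sample events are all assumptions of this example.

```python
from collections import namedtuple

# Lowercase substrings (an assumption of this example) that identify the RMM
# tools named in the incidents above.
RMM_SIGNATURES = {"anydesk": "AnyDesk", "screenconnect": "ScreenConnect",
                  "splashtop": "Splashtop", "teamviewer": "TeamViewer",
                  "zohoassist": "Zoho Assist"}
# Directories a centrally deployed RMM agent would not normally run from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\downloads\\")
# One process-creation record: host, user, executable path, parent executable path.
ProcessEvent = namedtuple("ProcessEvent", "host user image parent_image")

def identify_rmm(image):
    """Return the RMM product name if the image path matches a known tool."""
    lowered = image.lower()
    return next((p for s, p in RMM_SIGNATURES.items() if s in lowered), None)

def audit(events, approved):
    """Flag RMM launches that are unapproved, run from temp paths, or were
    spawned by a shell (the cmd -> PowerShell -> download chain seen above)."""
    findings = []
    for ev in events:
        product = identify_rmm(ev.image)
        if product is None:
            continue
        reasons = []
        if product not in approved:
            reasons.append("unapproved RMM tool")
        if any(d in ev.image.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("ran from a temp/download directory")
        if ev.parent_image.lower().endswith(("powershell.exe", "cmd.exe")):
            reasons.append("spawned by a command shell")
        if reasons:
            findings.append({"host": ev.host, "user": ev.user,
                             "product": product, "reasons": reasons})
    return findings

# Constructed sample events; Splashtop is the organisation's approved tool.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "jdoe", r"C:\Program Files\Splashtop\SRServer.exe",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent("WS02", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent("WS03", "asmith", r"C:\Program Files\TeamViewer\TeamViewer.exe",
                 r"C:\Windows\explorer.exe"),
]

def run_sample():
    return audit(SAMPLE_EVENTS, approved={"Splashtop"})
```

In production the events would come from an EDR or Sysmon process-creation feed rather than the constructed list, and the approved set would be the tools the partner actually deploys.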
Conclusion
These incidents underscore the evolving tactics of threat actors and highlight the importance of layered defenses. By leveraging Blackpoint’s MDR technology and following these mitigation strategies, you can bolster your organization’s defenses against these types of attacks. Reach out to Blackpoint’s SOC team for tailored recommendations on how to enhance your cybersecurity posture.