CISA: Federal agencies hacked using legitimate remote desktop tools
CISA, the NSA, and MS-ISAC warned today in a joint advisory that attackers are increasingly using legitimate remote monitoring and management software for malicious purposes.
More worryingly, CISA used the EINSTEIN intrusion detection system to discover malicious activity within the networks of multiple federal civilian executive branch agencies after the release of a Silent Push report in mid-October 2022.
The use of portable remote desktop software executables allows malicious actors to gain access to the targets' systems as a local user without requiring admin permissions or a complete software installation, thus bypassing software controls and challenging common risk management assumptions.
CISA encourages network defenders to review the advisory for indicators of compromise, best practices, and recommended mitigations. The advisory highlights the threat of additional types of malicious activity using RMM, including its use as a backdoor for persistence and/or command and control.
To protect against potential security breaches, companies and organizations should audit installed remote access tools and identify authorized RMM software.
Also recommended: using application controls to prevent the execution of unauthorized RMM software, using authorized RMM software only over approved remote access solutions such as VPN or VDI, and blocking both inbound and outbound connections on standard RMM ports and protocols.
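The audit step recommended above, sketched as an added example that is not part of the advisory or the original article: it checks a process inventory for RMM tools that are not authorized, and for authorized tools running as portable copies outside their install directory. The watchlist, the authorized tool and its path, and the inventory rows are assumptions constructed for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Assumption: executable names the organization treats as RMM / remote desktop tools.
RMM_WATCHLIST = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
# Assumption: the one authorized tool and the directory its full installation uses.
AUTHORIZED = {"teamviewer.exe": PureWindowsPath(r"C:\Program Files\TeamViewer")}

# Constructed sample inventory (host, user, image path), e.g. exported from EDR.
SAMPLE_INVENTORY = r"""host,user,image
WS-014,jdoe,C:\Users\jdoe\Downloads\AnyDesk.exe
WS-014,jdoe,C:\Program Files\TeamViewer\TeamViewer.exe
WS-022,asmith,C:\Users\asmith\AppData\Local\Temp\TeamViewer.exe
SRV-03,SYSTEM,C:\Windows\System32\svchost.exe
"""

def audit_rmm(inventory_csv):
    """Return (host, user, image, reason) for each RMM process that is not approved."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        image = PureWindowsPath(row["image"])  # Windows paths compare case-insensitively
        name = image.name.lower()
        if name not in RMM_WATCHLIST:
            continue  # not a remote access tool we track
        approved_dir = AUTHORIZED.get(name)
        if approved_dir is None:
            reason = "unauthorized RMM tool"
        elif image.parent != approved_dir:
            # Matches the portable-executable case: runs as a local user, no install.
            reason = "authorized tool outside its install directory (portable copy)"
        else:
            continue  # authorized tool running from its installed location
        findings.append((row["host"], row["user"], str(image), reason))
    return findings

if __name__ == "__main__":
    for finding in audit_rmm(SAMPLE_INVENTORY):
        print(" | ".join(finding))
```

Matching on file name alone misses renamed binaries, so treat this as an inventory aid alongside the application controls the advisory recommends, not a replacement for them.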