
Cybercriminals are increasingly abusing remote monitoring and management (RMM) tools, which are actually designed for legitimate remote maintenance. Delivered through email campaigns, these tools give attackers a foothold in corporate systems and a channel for installing malware, according to a recently published study by cybersecurity experts.
Originally developed for remote computer maintenance, RMM tools are now being abused by attackers for data theft, financial fraud, and the distribution of malware—including ransomware. While the use of traditional malware loaders and botnets by Initial Access Brokers (IABs) is declining, RMM tools such as ScreenConnect, Fleetdeck, and Atera are gaining traction in the threat landscape.
Companies should restrict unauthorized RMM tools
Law enforcement agencies dismantled key malware infrastructure in "Operation Endgame" last May. This led to a decline in IAB activity and prompted attackers to rely more heavily on social engineering, particularly phone-based attacks (telephone-oriented attack delivery, TOAD). Known threat actors such as TA583 and TA2725 are deliberately turning to RMM tools to gain unauthorized initial access to networks.
To protect themselves, companies should restrict the use of unauthorized RMM software, identify suspicious activity through network and endpoint detection, and train employees to recognize social engineering attacks. Because RMM tools are legitimate software and often blend in with normal administrative activity, targeted security measures are essential to prevent their misuse.
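As an added example (not code from the Proofpoint analysis or from this article), the following Python script shows how the two technical recommendations above, restricting unauthorized RMM software and detecting suspicious activity on the endpoint, can be turned into a simple triage rule over process-creation events. The event line format, the RMM marker substrings, the approved-tool and approved-host lists, the list of user-facing parent processes, and the sample events are all constructed assumptions for illustration, not an authoritative signature set.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of process-creation events (illustrative, not real telemetry).
# Format: <timestamp> host=<host> user=<user> image=<full path> parent=<parent image name>
SAMPLE_EVENTS = [
    "2024-05-02T09:14:03Z host=HELPDESK-01 user=it.admin image=C:\\Program Files\\ScreenConnect Client\\ScreenConnect.ClientService.exe parent=services.exe",
    "2024-05-02T09:20:41Z host=FIN-WS-17 user=j.doe image=C:\\Users\\j.doe\\Downloads\\AteraAgent.exe parent=outlook.exe",
    "2024-05-02T10:02:17Z host=HR-WS-03 user=m.smith image=C:\\Users\\m.smith\\Downloads\\fleetdeck_support.exe parent=msedge.exe",
    "2024-05-02T10:30:00Z host=HELPDESK-02 user=it.admin image=C:\\Program Files\\Atera Networks\\AteraAgent.exe parent=services.exe",
    "2024-05-02T11:00:00Z host=FIN-WS-17 user=j.doe image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
]

# Assumed detection heuristics: lowercase substrings of the image path that indicate
# an RMM family. Illustrative markers only; a real deployment would use vendor
# signatures, code-signing identity or hashes.
RMM_MARKERS: Dict[str, tuple] = {
    "ScreenConnect": ("screenconnect",),
    "Atera": ("ateraagent", "atera networks"),
    "FleetDeck": ("fleetdeck",),
}

# Assumed organizational policy: which RMM families are sanctioned, and on which
# hosts they are expected to run.
APPROVED_RMM = {"ScreenConnect"}
APPROVED_HOSTS = {"HELPDESK-01", "HELPDESK-02"}

# Assumed list of parent processes that indicate a user-driven launch (mail client,
# browser, document viewer): the typical path for an RMM installer that arrived via
# an email lure rather than via a managed software deployment.
USER_FACING_PARENTS = {"outlook.exe", "msedge.exe", "chrome.exe", "firefox.exe", "winword.exe"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) parent=(?P<parent>\S+)$"
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one event line into a dict; return None on malformed input."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def identify_rmm(image_path: str) -> Optional[str]:
    """Return the RMM family name if the image path matches a known marker, else None."""
    lowered = image_path.lower()
    for family, markers in RMM_MARKERS.items():
        if any(marker in lowered for marker in markers):
            return family
    return None


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the policy violations and suspicious traits for one event (empty if none)."""
    family = identify_rmm(event["image"])
    if family is None:
        return []  # not an RMM launch; nothing to evaluate
    reasons: List[str] = []
    if family not in APPROVED_RMM:
        reasons.append(f"unapproved RMM tool: {family}")
    elif event["host"] not in APPROVED_HOSTS:
        reasons.append(f"approved RMM tool on non-allowlisted host {event['host']}")
    if event["parent"].lower() in USER_FACING_PARENTS:
        reasons.append(f"launched by user-facing parent {event['parent']} (possible lure)")
    lowered = event["image"].lower()
    if "\\users\\" in lowered and ("\\downloads\\" in lowered or "\\temp\\" in lowered):
        reasons.append("runs from a user-writable download/temp directory")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run all events through the policy and return only the flagged ones."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # skip malformed lines rather than failing the whole batch
        reasons = evaluate(event)
        if reasons:
            findings.append({
                "host": event["host"],
                "user": event["user"],
                "family": identify_rmm(event["image"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['host']} ({finding['user']}): {finding['family']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On the sample data, the sanctioned ScreenConnect service on HELPDESK-01 produces no finding, while the Atera agent launched from Outlook into a Downloads folder on a finance workstation is flagged three times over: unapproved tool, user-facing parent, user-writable path. The approved-host list is what separates sanctioned helpdesk use from shadow RMM, and the parent-process check is the piece that surfaces the email-lure delivery path the article describes; in practice this logic would run over EDR or Sysmon process-creation telemetry rather than a static list.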
Go directly to the analysis on Proofpoint.com
About Proofpoint
Proofpoint, Inc. is a leading cybersecurity company. Proofpoint focuses on protecting people, because employees are a company's greatest asset but also its greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.