Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice

SUMMARY :

Threat actors are increasingly using legitimate remote monitoring and management (RMM) tools as initial payloads in email campaigns. This trend aligns with a decrease in the use of traditional loaders and botnets by initial access brokers. RMMs can be exploited for data collection, financial theft, lateral movement, and installing additional malware. Notable RMM tools observed in campaigns include ScreenConnect, Fleetdeck, and Atera. The shift towards RMM usage coincides with law enforcement disruptions of major malware families and a decline in ransomware payments. Specific threat actors like TA583 and TA2725 have been observed incorporating RMMs into their attack strategies. Organizations are advised to restrict unauthorized RMM installations, implement network detections, and train users to identify suspicious activity.

OPENCTI LABELS :

grandoreiro,initial access,remcos,remote access,screenconnect,cybercrime,guildma,astaroth,mispadu,asyncrat,rmm,lumma stealer,email campaigns,netsupport,atera,bluetrait,fleetdeck


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice