In December 2024, GoSecure Threat Hunters identified a concerning use of remote access software by cybercriminals to gain initial access within corporate environments. The attackers start by flooding a victim's email with spam and then pose as IT support via Microsoft Teams. This social engineering tactic lures victims into installing remote access software, which the attackers then use to deploy a custom implant that exfiltrates sensitive information and sets the stage for ransomware attacks.

Why This Matters 

The use of remote access software as an attack vector is particularly alarming because it exploits the human element: employees’ trust in their IT departments. This method bypasses typical security measures and allows attackers to gain deep access without immediate detection. The threat actors’ ability to remain undetected on the network long enough to deploy ransomware poses a significant risk to organizational security. 

Detection and Monitoring 

Our Threat Hunters hypothesized that cybercriminals are leveraging social engineering to exploit remote access software for network infiltration. Through diligent validation and threat hunting, our team confirmed no adversaries were present within our managed clients’ environments. However, we have established robust detection rules to continuously monitor for suspicious activities related to remote access tools: 

Detection Rule: Execution of Discovery Techniques followed by RMM Tool Usage
Description: Detects when system information and network configuration commands are followed by the execution of a remote access tool, indicating potential unauthorized activity. 
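As an added illustration of the correlation this rule describes (this is example code written for this page, not GoSecure's detection logic, which the advisory does not publish), the following Python script walks process-creation events per host and raises an alert when at least two distinct discovery commands are followed, within a 30-minute window, by the launch of a remote access tool. The event format, the lists of discovery and RMM binaries, the window and the threshold are all assumptions chosen for the example, and the sample events are constructed.

```python
"""Detect discovery commands followed by execution of a remote access (RMM) tool.

Example code, not GoSecure's rule: correlates process-creation events per host.
Event format, tool lists, window and threshold are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in discovery commands typically run right after a host is reached (assumed list)
DISCOVERY_IMAGES = {"whoami.exe", "systeminfo.exe", "ipconfig.exe", "net.exe", "net1.exe",
                    "nltest.exe", "hostname.exe", "arp.exe", "route.exe", "nslookup.exe"}
# Remote access / RMM client binaries (illustrative, not exhaustive)
RMM_IMAGES = {"anydesk.exe", "teamviewer.exe", "quickassist.exe", "rustdesk.exe",
              "screenconnect.clientservice.exe", "ateraagent.exe", "splashtopstreamer.exe"}

WINDOW = timedelta(minutes=30)   # discovery must occur within this span before the RMM launch
MIN_DISCOVERY = 2                # require at least this many distinct discovery commands

# Constructed sample process-creation events: timestamp|host|user|image path|command line
SAMPLE_EVENTS = r"""
2024-12-03T10:02:11Z|WS-1042|jdoe|C:\Windows\System32\whoami.exe|whoami /all
2024-12-03T10:02:40Z|WS-1042|jdoe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2024-12-03T10:03:05Z|WS-1042|jdoe|C:\Windows\System32\net.exe|net view
2024-12-03T10:09:52Z|WS-1042|jdoe|C:\Users\jdoe\Downloads\AnyDesk.exe|AnyDesk.exe
2024-12-03T11:15:00Z|WS-2001|asmith|C:\Windows\System32\ipconfig.exe|ipconfig /all
2024-12-03T14:20:00Z|WS-2001|asmith|C:\Program Files\TeamViewer\TeamViewer.exe|TeamViewer.exe
2024-12-03T09:00:00Z|WS-3300|helpdesk|C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe|ScreenConnect.ClientService.exe
""".strip().splitlines()


def parse_event(line):
    """Split one pipe-delimited event into a dict; image is the lower-cased basename."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "user": user,
        "image": image.rsplit("\\", 1)[-1].lower(),
        "cmdline": cmdline,
    }


def detect(lines, window=WINDOW, min_discovery=MIN_DISCOVERY):
    """Return one alert per RMM launch preceded, on the same host and within `window`,
    by at least `min_discovery` distinct discovery commands."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        recent = []  # discovery events seen so far on this host, oldest first
        for ev in events:
            if ev["image"] in DISCOVERY_IMAGES:
                recent.append(ev)
                continue
            if ev["image"] in RMM_IMAGES:
                # forget discovery events that fell outside the correlation window
                cutoff = ev["ts"] - window
                recent = [d for d in recent if d["ts"] >= cutoff]
                distinct = {d["image"] for d in recent}
                if len(distinct) >= min_discovery:
                    alerts.append({
                        "host": host,
                        "user": ev["user"],
                        "rmm_tool": ev["image"],
                        "discovery": sorted(distinct),
                        "first_discovery": recent[0]["ts"] if recent else None,
                        "rmm_started": ev["ts"],
                    })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']} user={a['user']} {a['discovery']} -> {a['rmm_tool']} "
              f"({a['first_discovery']:%H:%M} .. {a['rmm_started']:%H:%M})")
```

On the constructed sample, only WS-1042 alerts: three discovery commands run within a minute of each other, followed eight minutes later by AnyDesk. WS-2001 runs a single `ipconfig` three hours before TeamViewer, so it falls outside the window, and WS-3300 launches a remote access client with no preceding discovery at all. In production the same logic would be fed from EDR or Sysmon process events, and the RMM list should be reconciled with the tools the organization has actually approved so that unapproved clients can be weighted higher.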

Recommendations 

Organizations are advised to standardize the use of remote access software within their environments and block unapproved tools at the network level. We also recommend enhancing endpoint detection capabilities and educating users about the risks associated with unsolicited IT support communications. 

Conclusion 

The December Threat Hunt highlights the evolving nature of cyber threats and emphasizes the importance of vigilance and advanced detection strategies. GoSecure’s MXDR service is specifically designed to provide comprehensive surveillance and proactive threat mitigation to protect against sophisticated cyber threats, including those utilizing remote access software. For further details on bolstering your defenses, or to discuss our findings and recommendations, please contact us directly at (888)-287-5858 or info@gosecure.ai. 

Stay secure! 

Your GoSecure Threat Hunting Team 
