Category: Secure Networking

  • When Trusted RMM Tools Become the Attacker’s Backdoor

    The Skeleton Key Problem: When Trusted RMM Tools Become the Attacker’s Backdoor

    Remote Monitoring and Management tools are a cornerstone of modern IT and MSP operations. They are powerful, deeply trusted, and designed to give administrators broad control over endpoints. That trust is exactly what makes them so dangerous when abused.

    A recent analysis from KnowBe4 highlights a growing threat they call the “Skeleton Key” problem. Attackers are weaponizing legitimate RMM tools to gain persistent, stealthy access to victim environments.

    This is not about exploiting obscure malware. It is about abusing the same tools defenders rely on every day.

    How the Attack Works

    The core idea is simple and effective.

    Attackers obtain access to an environment through a familiar initial vector such as phishing, credential theft, or exploitation of an exposed system. Once inside, instead of deploying noisy malware, they install a legitimate RMM agent.

    Because RMM software is trusted by default in many environments, it is often exempted from security controls, already present on application allowlists, and unlikely to raise user suspicion. From that point forward, the attacker has what amounts to a master key.

    They can:

    • Execute commands remotely
    • Deploy additional payloads
    • Maintain persistence across reboots
    • Blend in with legitimate administrative activity

    To security tools and logs, this can look like normal IT management traffic.

    Why RMM Abuse Is So Hard to Detect

    Traditional security thinking focuses on blocking unknown or malicious software. RMM flips that model on its head.

    These tools are:

    • Digitally signed
    • Widely used by MSPs and internal IT teams
    • Designed to run continuously in the background

    When attackers use them, they inherit that trust. Alerts that would normally fire for remote execution or system changes may never trigger because the activity is coming from an approved tool.

    In effect, the attacker is living off the land using enterprise-grade software.

    The Growing Risk for MSPs and SMBs

    This threat is especially concerning for MSPs and the small and mid-sized businesses they support.

    If an MSP RMM platform is compromised or abused, attackers can potentially pivot across multiple client environments. That turns a single intrusion into a supply chain event.

    Even in single tenant environments, unmanaged or poorly governed RMM usage creates blind spots where attackers can persist for long periods without detection.

    Defensive Takeaways That Actually Matter

    The lesson is not to abandon RMM. That is unrealistic. The lesson is to treat RMM as a high-risk asset that deserves the same governance as privileged access.

    Key defensive steps include:

    • Strict control over who can deploy RMM agents
    • Monitoring for new or unauthorized RMM installations
    • Logging and reviewing RMM initiated actions as privileged events
    • Tying RMM usage to strong identity controls and MFA
    • Periodic audits of all remote management tools in use

    If your security stack cannot tell the difference between authorized and unauthorized RMM activity, you have a visibility gap.
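    The check below is an added example of the "authorized versus unauthorized RMM" distinction, not code from the KnowBe4 analysis or from any RMM vendor. It audits a constructed service inventory against an approved-deployment list and flags three cases a practitioner should care about: an RMM product that is not approved at all, an approved product whose binary carries an unexpected signer (a masquerading service name), and an approved product enrolled in a tenant the organization does not own, which is how an attacker typically reuses the same legitimate tool. Product names, service names, signers and tenant identifiers are all assumed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Approved RMM deployments for this organization (constructed values).
# "tenant" stands for whatever enrollment/organization identifier the
# agent's config exposes. Attackers often install the *same* product
# enrolled in their own tenant, so the product name alone proves nothing.
APPROVED: Dict[str, Dict[str, str]] = {
    "ExampleRMM": {
        "service": "ExampleRMMAgent",
        "tenant": "ORG-1234",
        "signer": "Example RMM Vendor Inc.",
    },
}

# Service names that identify known, legitimately signed RMM products
# (assumed names; in practice this list is built from vendor documentation).
KNOWN_RMM_SERVICES: Dict[str, str] = {
    "ExampleRMMAgent": "ExampleRMM",
    "OtherRMMSvc": "OtherRMM",
}


@dataclass
class ServiceRecord:
    host: str
    service: str
    signer: str
    tenant: Optional[str]  # None when the agent config could not be read


@dataclass
class Finding:
    host: str
    product: str
    verdict: str  # "authorized" or "unauthorized"
    reason: str


def classify(rec: ServiceRecord) -> Optional[Finding]:
    """Return a Finding for an RMM service, or None if the service is not RMM."""
    product = KNOWN_RMM_SERVICES.get(rec.service)
    if product is None:
        return None
    expected = APPROVED.get(product)
    if expected is None:
        return Finding(rec.host, product, "unauthorized",
                       "product not on the approved RMM list")
    if rec.signer != expected["signer"]:
        # Right service name, wrong publisher: something is masquerading.
        return Finding(rec.host, product, "unauthorized",
                       f"unexpected signer {rec.signer!r}")
    if rec.tenant != expected["tenant"]:
        # Legitimate tool, but enrolled somewhere we do not control.
        return Finding(rec.host, product, "unauthorized",
                       f"enrolled in tenant {rec.tenant!r}, expected {expected['tenant']!r}")
    return Finding(rec.host, product, "authorized",
                   "approved product, signer and tenant")


def audit(inventory: List[ServiceRecord]) -> List[Finding]:
    """Classify every record and drop the non-RMM ones."""
    return [f for f in (classify(r) for r in inventory) if f is not None]


# Constructed inventory, as an endpoint agent or script might report it.
SAMPLE_INVENTORY: List[ServiceRecord] = [
    ServiceRecord("ws-01", "ExampleRMMAgent", "Example RMM Vendor Inc.", "ORG-1234"),
    ServiceRecord("ws-02", "ExampleRMMAgent", "Example RMM Vendor Inc.", "ORG-9876"),
    ServiceRecord("ws-03", "OtherRMMSvc", "Other RMM Ltd.", None),
    ServiceRecord("ws-04", "Spooler", "Microsoft Windows", None),
    ServiceRecord("ws-05", "ExampleRMMAgent", "Unknown Publisher", "ORG-1234"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.verdict:12} {f.product} ({f.reason})")
```

    In the sample data only ws-01 passes; ws-02 runs the approved product but under a foreign tenant, ws-03 runs a second, unapproved RMM, and ws-05 has the approved service name with a signer that does not match. The tenant check is the one most teams miss, and it is exactly the gap that lets an attacker's copy of a sanctioned tool blend in.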

    Credit and Further Reading

    This post is based on and inspired by the excellent analysis from KnowBe4 titled “The Skeleton Key: How Attackers Weaponize Trusted RMM Tools for Backdoor Access.”
    Full credit goes to the KnowBe4 research team for clearly articulating this emerging threat and why it matters.

    If you manage endpoints, run an MSP, or advise organizations on cybersecurity risk, this is required reading.

    In Summary

    Attackers are not always breaking in with exotic malware. Sometimes they are walking through the front door using tools you already trust.

    If RMM is your skeleton key, make sure you control who holds it.

  • Why Antivirus Alone Isn’t Enough

    As business leaders navigating today’s complex digital landscape, we all understand the importance of safeguarding our organizations against cyber threats. Yet, despite the awareness of these threats, many companies continue to rely solely on traditional antivirus software as their primary defense against cyber attacks. Recent developments, such as the emergence of tools like the AVNeutralizer—being sold by the notorious FIN7 hacking group—highlight the urgent need for a more comprehensive approach to cybersecurity.

    Understanding the Modern Threat Landscape

    In the ever-evolving world of cybersecurity, threats have become more sophisticated and targeted. Hackers, like those in the FIN7 group, are constantly devising new tools and techniques to bypass traditional defenses. The AVNeutralizer tool is just one example. This tool is specifically designed to disable antivirus software, rendering it ineffective and leaving organizations vulnerable to further attacks.

    If a single piece of malware can neutralize your antivirus, what does that mean for your overall security posture? It underscores a critical point: antivirus software, while still an important component of cybersecurity, cannot be the only line of defense.

    The Need for a Layered Security Approach

    To adequately protect your business, you need to implement a layered defense strategy. Think of your cybersecurity like an onion, with multiple layers of security measures designed to protect your sensitive data and infrastructure. Here’s how you can start building that robust defense:

    1. Endpoint Protection Beyond Antivirus: Modern endpoint protection tools offer more than just antivirus capabilities. They include features such as behavioral analysis, which can detect suspicious activity that might otherwise go unnoticed by traditional antivirus software. By monitoring the behavior of applications and processes, these tools can identify threats in real-time, even those that have never been seen before.
    2. Network Segmentation and Firewalls: By segmenting your network, you can limit the movement of a hacker who has gained access to one part of your system. Firewalls and intrusion detection systems (IDS) add additional layers of defense by monitoring and controlling incoming and outgoing network traffic.
    3. Regular Software Updates and Patch Management: Cyber attackers often exploit vulnerabilities in outdated software. Ensuring that all systems and applications are up-to-date with the latest patches can close these gaps and prevent attacks.
    4. Employee Training and Awareness: Many cyber attacks begin with a simple phishing email. Training your employees to recognize these threats can be one of your most effective lines of defense. Regularly updated training programs ensure that your team is aware of the latest tactics being used by hackers.
    5. Multi-Factor Authentication (MFA) and Strong Password Policies: Simple passwords are easy targets for hackers. MFA adds an extra layer of security by requiring a second form of verification, making unauthorized access more difficult.
    6. Backup and Disaster Recovery Planning: Even with the best defenses in place, breaches can happen. Having a solid backup and disaster recovery plan ensures that your business can quickly recover from an attack without significant data loss or operational downtime.

    Moving Forward with a Proactive Mindset

    In today’s cybersecurity landscape, adopting a proactive mindset is crucial. Rather than waiting for an attack to happen and then reacting, a layered defense strategy anticipates potential threats and puts safeguards in place to address them. This approach not only minimizes the damage from a possible breach but also enhances your organization’s overall resilience.

    In summary, while antivirus software remains a vital component of your cybersecurity toolkit, it should be viewed as part of a larger, more comprehensive strategy. By implementing a layered defense, you can better protect your organization from the sophisticated threats that are becoming increasingly common. As business leaders, we have a responsibility to stay informed and take the necessary steps to safeguard our companies and stakeholders in this ever-changing digital world.

    Remember, cybersecurity is not a one-time effort but an ongoing process. Stay vigilant, stay informed, and invest in a layered defense strategy that keeps your organization secure.

    Read more about FIN7: https://www.blackhatethicalhacking.com/news/fin7-hacking-group-selling-avneutralizer-tool-to-other-hackers/

  • Microsoft’s Security Reputation: A Balanced Perspective

    When it comes to the security of tech giants like Microsoft, Apple, Google, and various Linux distributions, the headlines can often be misleading. Microsoft, with its extensive range of products, frequently comes under fire for the sheer volume of security vulnerabilities reported. However, a deeper dive into the statistics reveals a more nuanced picture that deserves attention.

    The Misleading Nature of Raw Data

    At first glance, Microsoft seems to have a disconcerting number of security vulnerabilities. This perception stems from the absolute numbers reported, which indeed are higher than those of its competitors. However, this figure does not take into account the scale and diversity of Microsoft’s product portfolio, which is significantly larger than that of most other tech companies.

    A Matter of Scale

    To put things in perspective, it’s essential to consider the number of products each company manages. Microsoft, with its vast array of services and software, ranging from widely-used operating systems like Windows to numerous business applications and cloud services, inevitably has more potential points of exposure than companies with fewer products. When adjusted for the number of products, the data tells a different story.

    The Real Comparison

    When comparing the number of vulnerabilities per product, a more accurate measure of a company’s security posture emerges. According to recent analyses, while Microsoft has the highest total number of vulnerabilities, companies like Apple and Google report more vulnerabilities per product, with figures standing at 74 and 56 respectively. Even Debian, often lauded for its stability and security, has a similar rate of 74 vulnerabilities per product.

    Understanding Vulnerability Reporting

    It’s also important to understand the dynamics of vulnerability reporting. Companies with a high level of transparency and a robust reporting mechanism will naturally have higher reported numbers. Microsoft, with its comprehensive approach to cybersecurity, actively encourages the reporting and patching of vulnerabilities, which contributes to its high numbers. I often get information about vulnerabilities reported from Microsoft but far fewer from the other major players. The implication could be that the other players are more secure, but the reality may be that the other players simply don’t tell anyone (or don’t know).

    The Role of Active Communities

    Another factor to consider is the role of the community and user base in detecting and reporting issues. Open-source platforms like Debian often benefit from a large community that actively searches for and reports security issues, which can lead to a higher number of reported vulnerabilities but also faster patching and dissemination of information. My personal take on it is that having an open-source platform is a double-edged sword. Community-based development sounds great if the goals of the whole community are aligned. However, bad actors can introduce vulnerabilities far more easily. While a vulnerability could be found, it could also live longer in the wild simply because there is no formal quality control.

    Microsoft’s Proactive Security Measures

    Microsoft has consistently invested in enhancing its security measures. Its initiatives include regular security updates, the use of advanced threat protection technologies, and extensive resources dedicated to cybersecurity research. The company’s proactive stance on security is aimed at not just remedying vulnerabilities but also at preventing security breaches before they occur.

    The Bigger Picture

    When assessing the security of technology products, it is crucial to look beyond the raw numbers. The number of vulnerabilities reported should be weighed against the number of products managed, the company’s responsiveness to threats, and the overall impact of the vulnerabilities. In this light, Microsoft’s security reputation is more about its transparent reporting and extensive product range rather than a reflection of weak security protocols.

    It’s easy to think of Microsoft as the hated enemy and MANY technologists do. Yet they run around with phones in their pockets that are developed by a company far more secretive and controlling.

    In conclusion, while the headlines may not always be favorable, Microsoft’s approach to security deserves a more considered evaluation. It is not just a matter of being obligated to disclose. The tech giant’s efforts to maintain transparency, encourage reporting, and invest in security innovations are vital components of its strategy to protect users across its vast product ecosystem. Understanding this context is key to forming a balanced view of Microsoft’s security landscape.

    Want to know more?

    Check out the CVE database on vulnerabilities at MITRE: https://cve.mitre.org/
    NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure. https://nvd.nist.gov/

    Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He is also CEO of a mentoring non-profit in San Diego, Lamp of Learning. He writes on cybersecurity and board management for both corporate and nonprofit boards.