How To Be Sure You’re Not Putting A New Customer At Risk

Winning over a new managed services customer who was dissatisfied with their previous MSP is a great feeling. Onboarding that customer is also a serious responsibility, because you inherit whatever legacy RMM tools the previous MSP deployed and left in place. Finding and dealing with them can be cumbersome, if not daunting, but it matters: these unattended tools can significantly increase the attack surface of your SMB customer’s infrastructure, and possibly your own.

Fortunately, it is relatively easy to identify and mitigate this unnecessary exposure by performing an assessment and asset inventory as part of your onboarding.

Security operations center analysts have observed legacy RMM tools that are still in place and still providing access to endpoints. While these tools are no longer used for their original purpose, threat actors can use them to gain access to the endpoints, and by extension to the SMB’s infrastructure, for malicious purposes. Often, the attacker obtains the necessary credentials through some other means. For instance, information stealers have been known to target credentials for certain RMM tools, and keystroke loggers can capture what is typed into a specific application’s login window. Cyberthieves can also purchase access from initial access brokers (IABs), parties operating within the criminal underground who specialize in selling access to a wide array of organizations.

The Need To Practice Good IT Hygiene

Two basic tenets of good IT hygiene and management are maintaining an asset inventory, and then using that inventory to reduce the attack surface. An asset inventory accounts not only for physical and virtual systems, but also for the applications running and accessible on those endpoints: the software users interact with, as well as the RMM tools administrators use to interact with systems. It should include any tooling deployed and used by the previous MSP, particularly security and RMM tools. Security experts strongly recommend that you remove these tools as part of your onboarding.

Failing to address these leftover tools extends the attack surface, complicates your work as you bring the new customer on board, and exposes them to significant risk. Each unmanaged tool is a potential entry point, which is why proactive risk identification and mitigation matter.


The risks associated with these tools include the previous MSP being breached, leading to the compromise of SMBs that are no longer its active customers, and the SMBs themselves being breached because the installed tooling is no longer actively managed, updated, or monitored. If you are not aware of the tools left in place by the previous MSP, then no one is managing and updating them. It is simply a matter of time before a vulnerability is discovered, a proof-of-concept exploit is published, and the application vendor issues a patch. Because no one is managing that legacy application, it never receives the update, and it becomes a standing point of vulnerability and risk for your customer.

The Threat Is Real

Analysts have observed and investigated several incidents in which legacy RMM tools were accessed via compromised credentials. These incidents have included further credential theft and data exfiltration, as well as the deployment of cryptocurrency miners and ransomware. While some may perceive cryptocurrency miners as less harmful than data theft or ransomware, they can still inflict significant damage on an organization, and the access used to install a miner can just as easily be used for data theft, further credential theft, or ransomware deployment. Organizations need to treat them as legitimate risks: simply removing a cryptocurrency miner does nothing to address the threat actor’s original means of access.

Analysts have also seen a threat actor use one means of access, such as legacy RMM tooling, to establish persistence by installing another, possibly unrelated, remote access tool. As a result, it is not unusual for SOC analysts and incident responders to find endpoints with multiple remote access tools installed and, based on the logs, in active use. Some MSPs practice a degree of “RMM discipline,” with all analysts and technicians using one common remote access tool, each with their own account. In other cases, an MSP may allow technicians to use the remote access tool of their choice, which makes it difficult to determine which tools are legitimate and which ones a threat actor deployed and used.
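As an added example (this is not code from the article or from Huntress), the following PowerShell script performs the onboarding inventory described above on a single Windows endpoint and flags every remote access tool the new MSP did not sanction, which is exactly the question left open when several tools turn up on one machine. It checks three places, because a leftover agent may show up in any of them: the Uninstall registry keys, the service list, and processes that currently hold established network connections. The product-name patterns in $RmmPatterns and the approved list in $Approved are assumptions for illustration; replace them with the tooling you actually encounter and the tool you actually deploy. Run it elevated, through your own RMM, against every endpoint you are onboarding.

```powershell
# Added example, not code from the article or from Huntress: inventory remote access /
# RMM tooling on a Windows endpoint and flag anything the new MSP did not deploy.
# $RmmPatterns and $Approved are ASSUMPTIONS for illustration; set them to the products
# you actually encounter and the one(s) you actually sanction.

$RmmPatterns = @(
    'ConnectWise', 'ScreenConnect', 'Kaseya', 'Datto', 'NinjaOne', 'NinjaRMM',
    'N-able', 'Atera', 'Syncro', 'Pulseway', 'TeamViewer', 'AnyDesk', 'Splashtop',
    'LogMeIn', 'GoToAssist', 'RemotePC', 'UltraVNC', 'TightVNC', 'RealVNC',
    'BeyondTrust', 'Bomgar', 'Zoho Assist', 'RustDesk'
)
$Approved = @('NinjaOne')   # assumed: the single RMM platform the new MSP standardises on

# -match is case-insensitive by default; escape each name so product names are literal.
$rmmRegex = ($RmmPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Source, [string]$Name, [string]$Detail) {
    # Sanctioned only if the name matches something on the approved list.
    $sanctioned = [bool]($Approved | Where-Object { $Name -match [regex]::Escape($_) })
    $findings.Add([pscustomobject]@{
        Computer = $env:COMPUTERNAME; Source = $Source; Name = $Name
        Detail = $Detail; Sanctioned = $sanctioned
    })
}

# 1. Installed software, from the 64-bit, 32-bit and per-user Uninstall keys
#    (some remote access tools can install per-user and never write an HKLM entry).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $rmmRegex } |
    ForEach-Object {
        Add-Finding 'Installed' $_.DisplayName ("v{0} installed {1} in {2}" -f $_.DisplayVersion, $_.InstallDate, $_.InstallLocation)
    }

# 2. Services. An agent service that is Running with StartMode Auto is live, unattended
#    access, not just a leftover binary, whether or not anyone still uses it.
Get-CimInstance Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $rmmRegex } |
    ForEach-Object {
        Add-Finding 'Service' $_.DisplayName ("{0}/{1} as {2}: {3}" -f $_.State, $_.StartMode, $_.StartName, $_.PathName)
    }

# 3. Processes holding established TCP connections. This catches portable or unattended
#    agents that never wrote an Uninstall entry or registered a service, such as an agent
#    executable dropped into a temp folder and launched by an intruder.
$procById = @{}
Get-Process | ForEach-Object { $procById[$_.Id] = $_ }
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $procById[[int]$_.OwningProcess]
    if ($p -and ("$($p.ProcessName) $($p.Path)" -match $rmmRegex)) {
        Add-Finding 'Connection' $p.ProcessName ("{0} -> {1}:{2}" -f $p.Path, $_.RemoteAddress, $_.RemotePort)
    }
}

# Report: unsanctioned rows sort first; the warning is what you collect across the fleet.
$findings | Sort-Object Sanctioned, Name | Format-Table Source, Name, Sanctioned, Detail -AutoSize -Wrap

$unsanctioned = @($findings | Where-Object { -not $_.Sanctioned } | Select-Object -ExpandProperty Name -Unique)
if ($unsanctioned.Count -gt 0) {
    Write-Warning ("{0}: {1} unsanctioned remote access tool(s) present: {2}" -f $env:COMPUTERNAME, $unsanctioned.Count, ($unsanctioned -join ', '))
}
```

A name match against $Approved is not proof that an installation is yours: if the previous MSP used the same product, you still need to confirm that the agent is enrolled to your tenant, for example by checking the server it connects to in the Connection rows. Anything else is an unmanaged entry point and should be removed as part of onboarding, and the findings from every endpoint belong in the customer’s asset inventory.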

These incidents highlight the need to identify, configure, and closely monitor and manage RMM tools. As with other business-critical applications, timely patching is imperative to address the risk that comes with that exposure.

ABOUT THE AUTHOR
Harlan Carvey is senior threat intelligence analyst at Huntress.

MSP Success Magazine