The LockBit ransomware group is leveraging remote monitoring and management (RMM) software to expand its influence in targeted networks. Instead of relying on malware, the group aims to acquire valid credentials and utilize them for unauthorized access. This shift towards avoiding malware has become a common trend among threat actors, often referred to as Living off the Land (LotL). This approach enables them to establish persistence and potentially move within networks without detection.
The Cybersecurity & Infrastructure Security Agency (CISA) issued a cybersecurity advisory highlighting LockBit's favored tactics, techniques, and procedures (TTPs), including their use of RMMs. By exploiting legitimate software already present in the environment, malicious activities may go unnoticed initially. To protect against such abuses, organizations are advised to implement multi-factor authentication (MFA), strict access controls, and prioritize endpoint monitoring.
According to CrowdStrike's 2023 Threat Hunting Report, Falcon OverWatch observed the use of RMM tools in around 14% of all intrusions. Additionally, the volume of intrusions involving the utilization of RMM tools by threat actors increased by 312% year over year.
Relevance
IT Infrastructure Security
Ransomware Campaigns
Recommendations
Conduct a comprehensive analysis of the installed applications and observed executables within the organization to identify any outliers that may indicate the presence of unapproved RMM tools.
Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access tools. The primary purpose of abusing RMM software is to establish a Command and Control (C2) channel.
RMM tools may modify host firewall rules during the installation process. Monitor for any unexpected changes in host firewall rules, as they may indicate an unauthorized application installation performed these changes.
When new tools are identified or known tools add new functionality, research the new RMM behaviors and actively review logs to find evidence of execution.
Prepare your organization
Enforce MFA for all RMM access, VPNs and other key software systems.
Ensure strong and unique passwords.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
Maintain offline backups of data, and regularly maintain backup and restoration (daily or weekly at the minimum). By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
Protect your organization with 24x7x365 monitoring, including your IT environment, networks, endpoints, and logs.
References
1. LockBit Is Using RMMs to Spread Its Ransomware. (2023, September 18). Dark Reading. https://www.darkreading.com/threat-intelligence/lockbit-using-rmms-spread-ransomware
2. CrowdStrike. (2023). 2023 Threat Hunting Report | CrowdStrike. crowdstrike.com. https://www.crowdstrike.com/resources/reports/threat-hunting-report/
How can CyberForce|Q services help you address this risk?
Interested in protecting your organization with 24x7x365 monitoring, reach out to us to discuss our Security Operation Center offerings. CyberForce|Q can assist if you have an incident, as our Incident Response Team can be deployed 24x7x365 – reach out to solutions@cyberforceq.com.
Learn more about CyberForce|Q.