Hunting RATs: How to Mitigate Remote Access Software Risks
Remote access software has been a popular tool for IT administrators, managed service providers (MSPs), SaaS firms and others for many years. It offers an invaluable way to remotely manage and monitor multiple IT and OT endpoints from a single, centralised location. But by the same token, it provides a powerful way for threat actors to bypass corporate defences and remotely access victim networks.
Whether they’re remote access tools (RATs), remote monitoring and management (RMM) products or remote administration solutions, the risk is the same. It’s time to close down a potentially dangerous backdoor into corporate IT environments.
What Are RATs?
Tools like Atera, AnyDesk, ConnectWise, and TeamViewer are well-known in the IT community. Although they’ve been used for years to help admins troubleshoot problems, set up and configure machines, patch endpoints, and more, RATs really came into their own during the pandemic. Yet just as attacks on remote desktop tools ramped up during that period, we also witnessed a growing interest in remote access software as a way to bypass security tools.
They’ve even been deployed in attacks targeting individuals, where the victim is socially engineered into downloading one to their PC or mobile device to provide a fraudster with access to their banking and other accounts. This happens frequently in tech support scams and, most recently, in a sophisticated government impersonation campaign designed to steal victims’ card details.
Why Are RATs Attractive?
It should come as no surprise that threat actors are targeting such tools in greater numbers. They offer a useful way to blend in with legitimate tooling and processes, in a similar way to living off the land (LOTL) attacks. Because remote access software is signed with trusted certificates, it won’t be blocked by anti-malware or endpoint detection and response (EDR) tooling. Other advantages for adversaries include the fact that remote access software:
- May have elevated privileges, making initial access, persistence, lateral movement, access to sensitive resources and data exfiltration easier
- Enables threat actors to carry out intrusions without needing to spend time and money developing malware like remote access Trojans (also abbreviated to “RATs”), which security tools may identify
- Enables adversaries to bypass software management control policies and potentially even execute unapproved software on the targeted machine
- Uses end-to-end encryption, enabling attackers to download files that corporate firewalls would otherwise stop
- Can support multiple simultaneous attacks, for example, via a compromised MSP
How Adversaries Are Targeting Remote Access
According to the US Cybersecurity and Infrastructure Security Agency (CISA), threat actors may either exploit vulnerable versions of remote access software or use legitimate compromised accounts to hijack the use of the tools. Alternatively, they could socially engineer victims into downloading legitimate RMM software or similar. In more sophisticated attacks, they may target a remote access software vendor and manipulate its software with malicious updates. They may also use PowerShell or other legitimate command line tools to covertly deploy an RMM agent on the victim’s machine.
Sometimes, threat actors also use remote access software in concert with penetration testing tools like Cobalt Strike or even remote access malware to ensure persistence. Once they have access to a target network/machine, they can use remote access software to:
- Move laterally through the victim’s network
- Find lists of other systems for lateral movement
- Establish command and control (C2) channels
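The behaviours described above (a remote access agent appearing on a host where the inventory does not expect it, an agent deployed from PowerShell or another command-line tool, and a self-contained portable executable running from a user-writable folder) are all visible in ordinary endpoint process-creation telemetry. The following detection logic is an added example, not code from the article or from CISA; the host names, file paths, approved inventory and binary names are constructed assumptions to be replaced with your own software inventory.

```python
"""Detection logic for remote access tool misuse, run over constructed endpoint telemetry.

Added example (not from the original article). The host names, file paths and
approved inventory below are constructed for illustration.
"""
import ntpath
from collections import Counter
from typing import Dict, List, Set, Tuple

# Hypothetical approved inventory: host -> remote access binaries it may run.
APPROVED: Dict[str, Set[str]] = {
    "admin-ws01": {"anydesk.exe"},
    "jump-srv02": {"screenconnect.clientservice.exe"},
}

# Executable names of remote access tools named in the article (lowercase).
# Treat this set as an assumption to be replaced by your own software inventory.
REMOTE_ACCESS_BINARIES: Set[str] = {
    "anydesk.exe",
    "teamviewer.exe",
    "screenconnect.clientservice.exe",
    "ateraagent.exe",
}

# Parent processes that indicate a scripted, command-line deployment of the agent.
INTERPRETERS: Set[str] = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}

# Path fragments typical of a portable executable dropped by a user rather than an installer.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed process-creation events, modelled on EDR/Sysmon telemetry fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "admin-ws01", "image": "C:\\Program Files\\AnyDesk\\anydesk.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"host": "fin-ws07", "image": "C:\\Users\\jdoe\\Downloads\\anydesk.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"host": "hr-ws03", "image": "C:\\Users\\asmith\\AppData\\Local\\Temp\\AteraAgent.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "jump-srv02",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"host": "fin-ws07", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe"},
]

Alert = Tuple[str, str, str]  # (host, rule, detail)


def detect(events: List[Dict[str, str]]) -> List[Alert]:
    """Apply three rules to every process-creation event and return the alerts raised."""
    alerts: List[Alert] = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if image not in REMOTE_ACCESS_BINARIES:
            continue  # not a remote access tool; nothing to check
        host = ev["host"]
        parent = ntpath.basename(ev.get("parent_image", "")).lower()
        path = ev["image"].lower()
        # Rule 1: tool present on a host where the inventory does not expect it.
        if image not in APPROVED.get(host, set()):
            alerts.append((host, "unapproved_remote_access_tool", image))
        # Rule 2: agent launched from a command-line interpreter (covert deployment).
        if parent in INTERPRETERS:
            alerts.append((host, "scripted_deployment", f"{parent} -> {image}"))
        # Rule 3: running from a user-writable path, i.e. a portable executable.
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            alerts.append((host, "portable_executable_location", ev["image"]))
    return alerts


def alerts_per_host(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts by host, a simple prioritisation input for SecOps triage."""
    return dict(Counter(host for host, _, _ in alerts))


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host:12} {rule:32} {detail}")
```

Against the constructed events, the approved installs on admin-ws01 and jump-srv02 raise nothing, the portable AnyDesk in a Downloads folder raises two alerts, and the Atera agent spawned by PowerShell from a Temp folder raises all three. Rule 1 is the one that does most of the work in practice, which is why the inventory it depends on has to be kept current.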
Such techniques are being used by both cybercrime groups and nation-state operatives for sophisticated data theft operations and ransomware attacks, and have also been seen in financially motivated scams targeting US government employees. One security vendor has also warned about the “excessive” use of non-enterprise grade RATs in OT environments, which ends up expanding organisations’ attack surface.
Its research reveals that 79% of firms have more than two such tools installed on OT network devices. Because these lack sufficient access controls and features such as multi-factor authentication (MFA), they’re exposed to hijacking by threat actors.
In the Wild
There are numerous examples of RAT-based breaches with serious consequences over the past few years. They include:
- In February 2024, vulnerabilities in unpatched ScreenConnect software were exploited in multiple organisations to deploy malware on servers and workstations with the remote access software installed.
- In February 2022, CISA and the UK’s National Cyber Security Centre (NCSC) warned of a campaign by Iranian APT group MuddyWater which may have had both cyber-espionage and financial motives. The threat actors used ScreenConnect for initial access and lateral movement.
- In January 2023, CISA warned of a campaign using ScreenConnect and AnyDesk to carry out a “refund scam” on federal government employees. The campaign used phishing techniques to persuade the victims to download the software as self-contained, portable executables, enabling them to bypass security controls.
- In July 2024, a security vendor discovered a modified version of the open-source RMM tool PuTTY (renamed “KiTTY”) which could bypass security controls. The tactic enabled the threat actors to create reverse tunnels over port 443 to expose internal servers to an AWS EC2 box under their control to steal sensitive files.
How to Mitigate Remote Access Attacks
CISA lists a range of host and network-based controls and policy/architectural recommendations that could help build resilience against such attacks. These include:
- Phishing awareness training for employees
- Zero trust and least privilege approaches to identity and endpoint security
- SecOps monitoring for suspicious activity
- External attack surface management (EASM) for improved visibility into unknown and unmanaged assets
- Multi-factor authentication (MFA) for remote access software
- Auditing of remote access software and configurations
- Application controls, including zero-trust principles and segmentation, to manage and control software execution
- Continuous risk-based patching
- Network segmentation to limit lateral movement
- Blocking of inbound/outbound connections on common RMM ports and protocols
- Web app firewalls (WAFs) to protect remote access software
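Several of the controls above, and the inventory, authentication and alerting points raised in the expert commentary, reduce to an audit of which remote access tools are installed where, whether they are approved and patched, and whether MFA is enforced. The script below is an added example rather than code from the article, CISA or any vendor; the hosts, tool names, version numbers, the minimum-version thresholds and the "more than two tools" threshold from the OT research cited earlier are all constructed policy placeholders, not advisory values.

```python
"""Audit a remote access software inventory against a simple policy.

Added example, not from the article or CISA. The hosts, tools, versions and the
policy thresholds below are constructed placeholders, not vendor advisory values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (host, finding, detail)


@dataclass
class RemoteTool:
    name: str
    version: str
    mfa_enabled: bool


@dataclass
class Host:
    name: str
    zone: str  # "IT" or "OT", used in reporting only
    tools: List[RemoteTool]


# Hypothetical policy: approved products and the minimum version considered patched.
# These version numbers are placeholders; take real minimums from vendor advisories.
APPROVED_MIN_VERSION: Dict[str, Tuple[int, ...]] = {
    "AnyDesk": (7, 1, 0),
    "ScreenConnect": (2, 0, 0),
}
MAX_TOOLS_PER_HOST = 2  # more than two tools per device is the figure the article calls excessive


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.1.2' -> (7, 1, 2); non-numeric parts fall back to 0 so comparison stays total."""
    parts = []
    for piece in version.split("."):
        parts.append(int(piece) if piece.isdigit() else 0)
    return tuple(parts)


def audit(hosts: List[Host]) -> List[Finding]:
    """Return one finding per policy violation across the inventory."""
    findings: List[Finding] = []
    for host in hosts:
        for tool in host.tools:
            minimum = APPROVED_MIN_VERSION.get(tool.name)
            if minimum is None:
                findings.append((host.name, "unapproved_tool", tool.name))
            elif parse_version(tool.version) < minimum:
                findings.append((host.name, "below_minimum_version",
                                 f"{tool.name} {tool.version}"))
            if not tool.mfa_enabled:
                findings.append((host.name, "mfa_disabled", tool.name))
        if len(host.tools) > MAX_TOOLS_PER_HOST:
            findings.append((host.name, "excessive_remote_access_tools",
                             f"{len(host.tools)} tools in {host.zone} zone"))
    return findings


def share_with_excessive_tools(hosts: List[Host]) -> float:
    """Fraction of hosts carrying more than MAX_TOOLS_PER_HOST remote access tools."""
    if not hosts:
        return 0.0
    return sum(len(h.tools) > MAX_TOOLS_PER_HOST for h in hosts) / len(hosts)


# Constructed inventory.
SAMPLE_HOSTS: List[Host] = [
    Host("plc-gw01", "OT", [
        RemoteTool("AnyDesk", "7.0.0", mfa_enabled=False),
        RemoteTool("TeamViewer", "15.40", mfa_enabled=False),
        RemoteTool("Atera", "1.8.0", mfa_enabled=False),
    ]),
    Host("admin-ws01", "IT", [RemoteTool("AnyDesk", "7.1.2", mfa_enabled=True)]),
    Host("jump-srv02", "IT", [RemoteTool("ScreenConnect", "1.5.0", mfa_enabled=True)]),
]

if __name__ == "__main__":
    for host, finding, detail in audit(SAMPLE_HOSTS):
        print(f"{host:12} {finding:30} {detail}")
    print(f"hosts with >{MAX_TOOLS_PER_HOST} tools: {share_with_excessive_tools(SAMPLE_HOSTS):.0%}")
```

The OT gateway in the constructed inventory is the host this article is warning about: three tools, two of them unapproved, none with MFA, and the one approved product below its minimum version. Feeding the findings into a ticketing or SIEM pipeline turns the "auditing of remote access software and configurations" item into a repeatable control rather than a one-off review.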
However, the security agency also recommends organisations “maintain a robust risk management strategy based on common standards, such as the NIST Cybersecurity Framework”. Javvad Malik, lead security awareness advocate at KnowBe4, agrees.
“The NIST framework’s core functions provide a comprehensive approach to managing RMM tool risks,” he tells ISMS.online.
“This includes maintaining an inventory of systems with RMM software, enforcing strong authentication, implementing behavioural analytics for anomaly detection, developing specific incident response playbooks, and ensuring business continuity plans account for RMM tool dependencies.” Malik adds that ISO 27001 can also help mitigate the risks of using remote access software.
“ISO 27001’s controls on access management, cryptography, operations security, and supplier relationships provide a solid foundation,” he explains. “For example, organisations can implement formal RMM tool access management processes, ensure encrypted remote sessions, and set up automated alerts for unusual activities.”
Ian Stretton, director of EMEA at cybersecurity consultants Green Raven, agrees that “successful cybersecurity is based on firm foundations such as ISO 27001”.
He tells ISMS.online that one key tenet of such approaches is to deploy continuous monitoring backed by threat intelligence.
“This is brought into sharper focus by the adoption of AI by threat actors as a challenge to AI-based defence tools,” Stretton concludes.
“The deployment of tools such as anomaly detection systems that specifically monitor for suspicious behaviours in AI processes – such as misclassification, sudden shifts in decision-making logic or other behaviour – can aid in combating this type of AI-based threat.”