Cyber authorities are working to mitigate threats to remote monitoring and management tools with assistance from the government and private sector.
The defense plan from the Joint Cyber Defense Collaborative “addresses issues facing top-down exploitation of RMM software,” which present a growing risk to small- and medium-sized businesses, the Cybersecurity and Infrastructure Security Agency said.
The 2023 Joint Cyber Defense Collaborative Planning Agenda established CISA’s efforts to reduce risk in the supply chain for SMB critical infrastructure entities. Three areas of focus this year include RMM, managed service providers and managed security service providers.
Threat actors are exploiting RMM to break into managed service provider servers and gain access to thousands of customer networks, cyber authorities warned.
CISA identified malicious use of legitimate RMM across a widespread campaign targeting AnyDesk and ScreenConnect — now ConnectWise Control — in late 2022, according to a January cybersecurity advisory.
Threat actors have exploited RMM to establish a foothold that provides access to multiple victim networks and evade detection without triggering security defenses.
“The benefits RMM provides to system administrators — remote access and configuration and control of an endpoint — are the same reasons a threat actor finds RMM software to be an attractive target,” Melissa Bischoping, director of endpoint security research at Tanium, said via email.
“These types of applications are popular living off the land resources for attackers because they are unlikely to trip common EDR or antivirus detections and often operate with a high level of permissions on the devices they control,” Bischoping said.
The RMM Cyber Defense Plan calls for vendors in the space to boost information sharing and increase visibility around cyber threats and vulnerabilities. The effort also focuses on educating organizations about the dangers to RMM infrastructure and how they can improve security practices to mitigate risk.