Skip to main content
close search
site logo
Dive Brief

SMBs hit by rise in legitimate tool-based attacks

Attackers are moving away from malware and evading detection by abusing remote monitoring and management software, according to Huntress research.

Published Nov. 21, 2023
Matt Kapko's headshot
Senior Reporter
Programming scripts on laptop monitor, unauthorized remote hacking of server
Motortion via Getty Images

Dive Brief:

  • Threat actors targeting small- and medium-sized businesses are keen to exploit legitimate tools and less inclined to use conventional malware in their attacks, according to Huntress’ threat report for SMBs
  • Nearly 3 in 5 incidents recorded by Huntress during the third quarter of 2023 were free of malware across multiple types of intrusions. 
  • “While custom or outright malicious tools still feature in events, adversaries are largely seeking to blend in to legitimate network operations through multiple mechanisms to evade detection and response,” Huntress said Tuesday in the report. 

Dive Insight:

Malware remains a significant threat for SMBs, accounting for 44% of all incidents in Q3, Huntress research found. But attackers are more commonly exploiting scripting frameworks or legitimate tools, such as remote monitoring and management software, to intrude victim networks. 

Nearly two-thirds of incidents observed by Huntress during Q3 involved some form of RMM software credential theft or capture. 

Threat actors abused a third-party pharmaceutical vendor’s locally hosted instance of ScreenConnect to gain access to multiple healthcare organization’s networks this summer, according to Huntress. The threat actor installed additional RMM software to ensure persistent access to victim networks, resulting in attacks against a pharmacy and health clinic.

Attackers also exploited legitimate RMM tools, such as AnyDesk and ScreenConnect, now ConnectWise Control, to target federal employees in a widespread campaign starting in June 2022. 

In the financially-motivated attacks, threat actors sent help desk themed phishing emails to lure civilian executive staff to download RMM software to steal money from victim bank accounts, federal cyber authorities warned in a joint cybersecurity advisory earlier this year.

Exploitation of and attacks involving RMM software present a growing risk to SMBs, according to the Cybersecurity and Infrastructure Security Agency.

Threat actors are also exploiting RMM to intrude managed service provider servers and gain access to thousands of customer networks, cyber authorities warned in the 2023 Joint Cyber Defense Collaboration Planning Agenda released in August.

Cyber authorities urged vendors in the space to boost information sharing to inform SMBs of the dangers to RMM infrastructure and steps organizations can take to mitigate risk.

Filed Under: Cyberattacks, Threats

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell