Ransomware crews abuse bossware to blend into networks
Briefly

"While the crims were ultimately unsuccessful, the security incidents highlight how miscreants love to use legitimate, commercial software for nefarious purposes because it makes it easier for them to hide inside enterprise IT environments. 'RMMs and employee monitoring tools blend in amongst legitimate signed binaries,' Michael Tigges, senior security operations analyst at Huntress, told The Register, adding that 'this is a rare case of the employee monitoring software being co-opted for subsequent access.'"
"While neither of the victims' employers uses Net Monitor, repurposing this type of employee monitoring software falls into the 'same category of RMM abuse,' Tigges said. 'Delineating which may be malicious and benign at first glance is exceedingly difficult. Adversaries know this as well.' The victims, we're told, were from different industry sectors, and 'likely targets of opportunity rather than any specifically targeted group,' he added."
In late January and early February, the Huntress response team identified two intrusions in which criminals chained Net Monitor for Employees Professional, a commercial employee-monitoring product, with the RMM tool SimpleHelp and attempted to deploy ransomware. Both are legitimate, signed commercial tools, so their presence blends in with the rest of an enterprise's binaries, which complicates detection and lets the adversary keep remote access. Neither victim organization used Net Monitor in its own environment, and the victims came from different industry sectors, which points to opportunistic rather than targeted intrusions. The monitoring software can open remote shells and execute commands; that capability is what makes it useful for data loss prevention and equally attractive to attackers.
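The practical takeaway from the incident is that a code-signing check cannot separate a legitimate RMM or monitoring agent from an abused one; what distinguishes them is whether the organization actually deployed that product, and what the agent goes on to do. The following is an added hunting example, not code from Huntress, The Register or either vendor. It runs over a handful of constructed process-creation records (Sysmon Event ID 1 style fields), flags remote-access products that are absent from a per-host approved inventory, and separately flags shells spawned by such a product. The product strings come from the article; the executable paths, host names and the approved inventory are assumed placeholders.

```python
"""Hunt for remote-access / employee-monitoring tooling that is not on an
organization's approved inventory, and for shells it spawns.

Added example: the product names are from the reporting, everything else
(paths, hosts, inventory, sample events) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Products to treat as remote-access tooling. Keys are lower-case substrings
# matched against the signed binary's Product field.
REMOTE_ACCESS_PRODUCTS = {
    "simplehelp": "SimpleHelp",
    "net monitor for employees": "Net Monitor for Employees Professional",
}

# Interpreters whose appearance as a child of a remote-access agent is worth a look.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of Sysmon Event ID 1 fields needed for this hunt."""
    host: str
    image: str            # full path of the new process
    product: str          # Product field from the PE version resource
    signed: bool          # signature state; deliberately not used to suppress findings
    parent_image: str
    parent_product: str


def classify_tool(product: str) -> Optional[str]:
    """Return the catalogue name if `product` looks like remote-access tooling."""
    p = product.lower()
    for needle, name in REMOTE_ACCESS_PRODUCTS.items():
        if needle in p:
            return name
    return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[ProcessEvent],
         approved: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, finding, tool, image) tuples.

    Two findings are produced:
      unapproved_remote_access_tool  - a catalogued product runs on a host where
                                        the inventory does not list it
      shell_spawned_by_remote_access_tool - a catalogued product is the parent
                                        of a shell/interpreter
    Being signed is not an exclusion criterion: the whole point of RMM abuse
    is that the binary IS legitimately signed.
    """
    findings = []
    for e in events:
        tool = classify_tool(e.product)
        if tool and tool not in approved.get(e.host, set()):
            findings.append((e.host, "unapproved_remote_access_tool", tool, e.image))
        parent_tool = classify_tool(e.parent_product)
        if parent_tool and basename(e.image) in SHELLS:
            findings.append((e.host, "shell_spawned_by_remote_access_tool",
                             parent_tool, e.image))
    return findings


# Constructed sample: the organization uses SimpleHelp for support (approved)
# but has never deployed Net Monitor, mirroring the situation in the article.
APPROVED = {"WS-0142": {"SimpleHelp"}}

SAMPLE_EVENTS = [
    ProcessEvent("WS-0142", r"C:\Program Files\SimpleHelp\Remote Access.exe",
                 "SimpleHelp", True, r"C:\Windows\System32\services.exe", ""),
    ProcessEvent("WS-0142", r"C:\ProgramData\NetMonitor\nmep.exe",
                 "Net Monitor for Employees Professional", True,
                 r"C:\Windows\System32\services.exe", ""),
    ProcessEvent("WS-0142", r"C:\Windows\System32\cmd.exe",
                 "Microsoft Windows Operating System", True,
                 r"C:\ProgramData\NetMonitor\nmep.exe",
                 "Net Monitor for Employees Professional"),
    ProcessEvent("WS-0142", r"C:\Windows\explorer.exe",
                 "Microsoft Windows Operating System", True,
                 r"C:\Windows\System32\userinit.exe",
                 "Microsoft Windows Operating System"),
]


def run_sample() -> List[Tuple[str, str, str, str]]:
    return hunt(SAMPLE_EVENTS, APPROVED)


if __name__ == "__main__":
    for host, finding, tool, image in run_sample():
        print(f"{host}: {finding} [{tool}] {image}")
```

The approved inventory does the real work: SimpleHelp on a host where the support team deployed it produces nothing, while the same signed product on a host outside the inventory would. In production the inventory would come from the asset or software-deployment system rather than a literal, and the product match should be backed by signer and hash checks so a renamed binary cannot slip past a substring.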
Read at The Register