Huntress, in its latest report addressing threats faced by small- and medium-sized businesses (SMBs), highlighted a concerning trend: threat actors are increasingly exploiting legitimate tools rather than relying on conventional malware in their attacks. The report, based on incidents recorded in the third quarter of 2023, revealed that nearly 3 out of 5 attacks were devoid of malware, employing various intrusion methods to blend into legitimate network operations and evade detection.
While malware still accounts for a significant 44% of incidents, attackers are notably gravitating toward exploiting scripting frameworks and legitimate tools like remote monitoring and management (RMM) software to infiltrate victim networks. Huntress emphasized that approximately two-thirds of the observed incidents in Q3 involved some form of RMM software credential theft or capture.
Highlighting specific instances, the report detailed how threat actors leveraged tools like ScreenConnect (now ConnectWise Control) and AnyDesk to breach networks. In one case, a locally hosted ScreenConnect instance belonging to a third-party pharmaceutical vendor was abused to reach multiple healthcare organizations’ networks, resulting in attacks against a pharmacy and a health clinic. In another, financially motivated attackers targeted federal employees with phishing emails disguised as help desk communications, persuading staff to download RMM software that was then used to steal money from the victims’ bank accounts.
The Cybersecurity and Infrastructure Security Agency (CISA) expressed growing concern regarding the exploitation of RMM software, particularly in attacks against managed service providers (MSPs) that subsequently grant access to numerous customer networks. Authorities urged increased information sharing among vendors to educate SMBs about the risks associated with RMM infrastructure and recommended steps to mitigate these threats.
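The pattern described above, a sanctioned RMM product in one place and an attacker-delivered RMM client in another, is something a defender can surface from ordinary process-creation telemetry. The script below is an added example written for this article; it is not code from Huntress, CISA, or any RMM vendor. It assumes a constructed CSV export of process-creation events (fields `timestamp,host,user,image_path,parent_image`), an illustrative subset of RMM executable names, and an organisation whose only approved tool is ScreenConnect; every one of those is a placeholder an operator would replace with their own inventory and log schema.

```python
"""Flag RMM client executions that look like abuse rather than sanctioned use.

Added example, not from the Huntress report. It reads constructed
process-creation events and reports any known RMM binary that is
(a) not the organisation's approved product, (b) launched from a
user-writable location such as Downloads or Temp, or (c) spawned by a
mail or browser client, which is how a phishing lure lands.
"""
import csv
import io
import ntpath
from dataclasses import dataclass, field

# Illustrative subset of RMM executable names (assumption: extend to match
# the products actually tracked in your environment).
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect/ConnectWise Control",
    "screenconnect.windowsclient.exe": "ScreenConnect/ConnectWise Control",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
}

# Assumption: the organisation has sanctioned exactly one RMM product.
APPROVED_RMM = {"ScreenConnect/ConnectWise Control"}

# Path fragments that indicate a user-writable, non-installed location.
USER_WRITABLE_MARKERS = ("/downloads/", "/appdata/local/temp/", "/temp/")

# Parent processes from which an RMM client should never be launched.
LURE_PARENTS = {"outlook.exe", "msedge.exe", "chrome.exe", "firefox.exe"}


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    product: str
    image_path: str
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the analyst's OS.
    return ntpath.basename(path).lower()


def review_rmm_events(csv_text: str) -> list:
    """Return a Finding for every RMM execution with at least one warning sign."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        product = RMM_BINARIES.get(_basename(row["image_path"]))
        if product is None:
            continue  # not an RMM binary we track
        reasons = []
        if product not in APPROVED_RMM:
            reasons.append(f"{product} is not an approved RMM product")
        normalised = row["image_path"].replace("\\", "/").lower()
        if any(marker in normalised for marker in USER_WRITABLE_MARKERS):
            reasons.append("launched from a user-writable path")
        parent = _basename(row["parent_image"])
        if parent in LURE_PARENTS:
            reasons.append(f"spawned by {parent} (mail/browser client)")
        if reasons:
            findings.append(Finding(row["timestamp"], row["host"], row["user"],
                                    product, row["image_path"], reasons))
    return findings


# Constructed sample telemetry: one sanctioned install, one browser-delivered
# AnyDesk, one unrelated process, one ScreenConnect client dropped via Outlook.
SAMPLE_EVENTS = """timestamp,host,user,image_path,parent_image
2023-09-14T09:58:03Z,WS-FIN-02,svc_rmm,C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe,C:\\Windows\\System32\\services.exe
2023-09-14T10:02:11Z,WS-FIN-07,jdoe,C:\\Users\\jdoe\\Downloads\\AnyDesk.exe,C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe
2023-09-14T10:03:40Z,WS-FIN-07,jdoe,C:\\Windows\\System32\\notepad.exe,C:\\Windows\\explorer.exe
2023-09-14T10:15:27Z,WS-HR-03,asmith,C:\\Users\\asmith\\AppData\\Local\\Temp\\ScreenConnect.WindowsClient.exe,C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
"""

if __name__ == "__main__":
    for finding in review_rmm_events(SAMPLE_EVENTS):
        print(f"[{finding.timestamp}] {finding.host} {finding.user}: "
              f"{finding.product} at {finding.image_path}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

On the sample data the sanctioned service install on WS-FIN-02 passes, while the browser-downloaded AnyDesk and the Outlook-spawned ScreenConnect client are both reported. Note that the second case involves the approved product; the path and parent checks are what catch it, which is why an allow-list on product name alone is not enough.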