Cybercriminals are constantly on the lookout for new ways of bypassing security measures and maintaining access to compromised networks.
Something we’re increasingly seeing recently - particularly in ransomware cases - is threat actors exploiting the functionality provided by what are known as remote access tools (RATs).
RATs like TeamViewer and AnyDesk were originally designed to enable remote IT support, offsite working and collaborative environments. But cybercriminals have found ways of leveraging their functionality to establish exfiltration channels and data persistence mechanisms.
Businesses and individuals alike need to reevaluate their cybersecurity posture as a matter of urgency to protect themselves against these increasingly sophisticated attacks.
What are remote access tools?
Remote access tools are software programs that allow users to control a computer or a network remotely, often in real-time. IT administrators, helpdesk teams, and technicians commonly use RATs to provide support to users or to manage devices from a distance. They allow users to perform tasks like troubleshooting, system maintenance, software installations and remote collaboration.
Tools like TeamViewer and AnyDesk provide encrypted connections and are widely considered secure. This has made them a popular solution among individuals and organisations providing legitimate remote assistance. But RATs’ security features also make them appealing to malicious actors who want to evade detection and gain control over victims’ systems.
How are threat actors using RATs?
Cybercriminals are increasingly using RATs to carry out a variety of malicious acts, particularly in ransomware attacks. There’s a variety of ways in which they can be used:
Establishing persistence
Once a threat actor has successfully infiltrated a system, maintaining long-term access will often be crucial to achieving their objectives. RATs can be deployed as persistence mechanisms, enabling attackers to retain access even after an initial ransomware deployment. Many RATs are deliberately designed to fly beneath the radar and can operate discreetly in the background. This enables such tools to avoid triggering traditional security alerts. But this also means that, once they have deployed a RAT, cybercriminals can log in remotely whenever they like to make changes, install additional malware, or even take control of multiple systems within a compromised network - without raising suspicion.
Uploading additional tools or malware
One of the main ways attackers use RATs is to deliver additional payloads and/or malware to their victim’s system. After encrypting files or disrupting operations with ransomware, attackers will often use RATs to upload additional tools such as keyloggers, credential stealers and network-mapping utilities. These help attackers move laterally within a network, escalate privileges, and, ultimately, gain broader control over the infrastructure. RATs can make this process seamless by allowing attackers to upload files and run scripts directly from their remote session. They can also allow cybercriminals to delete evidence of their presence, remove logs or disable security software, further compounding the challenge of detecting an attack.
Exfiltrating data
Before deploying ransomware that locks files and demands a ransom, threat actors often exfiltrate sensitive data which they can use to pressure victims into paying. RATs offer a convenient way to remotely access, browse, and transfer files out of compromised systems. Attackers can search for sensitive data - for example, financial records, customer information, intellectual property or login credentials - then silently exfiltrate that data to a remote server or to cloud storage.
Avoiding detection
One of the most attractive aspects of RATs, from a cybercriminal’s point of view, is their widespread use for entirely legitimate purposes. RATs like TeamViewer and AnyDesk are widely trusted remote administration tools. This makes it much less likely that traditional detection systems will flag their use as suspicious. So, attackers have a ready-made means of operating covertly. RATs can help threat actors bypass firewalls, intrusion detection systems (IDSs), and endpoint security measures. Many RATs also support the obfuscation and encryption of traffic, making it even harder for network monitoring tools to detect unusual activity. RATs can simply blend into the general background noise created by regular remote access, evading detection while attackers continue to operate undisturbed.
Defending against RAT-enabled ransomware attacks
Given the widespread use and availability of RATs, defending against these types of attacks requires adopting a multi-layered approach to cyber security. Here are some best practices to consider:
Monitor for unauthorised remote access
Implementing robust monitoring solutions can help detect any unauthorised use of RATs. It is important to audit remote access logs regularly, verify user permissions, and restrict the use of RATs and similar tools to authorised personnel only.
Deploy endpoint detection and response (EDR) solutions
EDR solutions like behavioural analysis can help detect anomalous RAT-related activity - even if the tool being used is a perfectly legitimate application. EDR platforms can flag unusual network traffic, abnormal file transfers or unauthorised login attempts. This provides an early warning system for indicators of a potential attack.
Implement strong access controls
Limiting access to critical systems and enabling multi-factor authentication (MFA) for remote access tools can significantly reduce the chances of unauthorised use. Disabling or restricting remote access out of hours can further limit attackers’ window of opportunity.
Update and patch systems regularly
Many ransomware groups exploit known vulnerabilities to gain initial access. Regularly patching systems, applications and remote access tools helps close security gaps and prevent exploitation.
Educate your employees
Phishing remains one of the most common entry points for ransomware. Employees should be educated on the dangers of phishing attacks and the importance of verifying the legitimacy of emails, links and attachments before clicking.
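As an added illustration of the monitoring and access-control practices above (example code written for this page, not code from the original article or from any vendor), the following Python script reviews a constructed remote-access log against an allow-list of authorised users per tool and a business-hours window, and flags file transfers made over a remote session. The log format, user names, tool names in the allow-list and the hours are assumptions made for the example.

```python
from datetime import datetime, time

# Constructed sample log in a simplified "timestamp tool user action peer_id"
# format; this is an assumption for the example, not any vendor's real format.
SAMPLE_LOG = """\
2024-03-04T10:15:00 TeamViewer helpdesk1 connect 123456789
2024-03-04T10:20:00 TeamViewer helpdesk1 disconnect 123456789
2024-03-04T23:40:00 AnyDesk svc_backup connect 987654321
2024-03-04T23:45:00 AnyDesk svc_backup file_transfer 987654321
2024-03-05T09:05:00 AnyDesk jdoe connect 555000111
"""

# Assumed allow-list: which accounts may use which tool (restrict RAT use
# to authorised personnel only).
AUTHORISED_USERS = {"TeamViewer": {"helpdesk1"}, "AnyDesk": {"helpdesk1"}}
# Assumed business-hours window; remote access outside it is treated as suspect.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def parse_line(line):
    """Split one log line into its fields."""
    ts, tool, user, action, peer = line.split()
    return {"ts": datetime.fromisoformat(ts), "tool": tool,
            "user": user, "action": action, "peer": peer}


def is_out_of_hours(ts, window=BUSINESS_HOURS):
    """True on weekends or outside the [start, end) business-hours window."""
    start, end = window
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def review_remote_access(log_text, authorised=AUTHORISED_USERS, window=BUSINESS_HOURS):
    """Return (timestamp, tool, user, reasons) for every event worth a look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = []
        if ev["user"] not in authorised.get(ev["tool"], set()):
            reasons.append("user not authorised for this tool")
        if ev["action"] in ("connect", "file_transfer") and is_out_of_hours(ev["ts"], window):
            reasons.append("out-of-hours activity")
        if ev["action"] == "file_transfer":
            reasons.append("file transfer over remote session")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["tool"], ev["user"], reasons))
    return findings
```

Run against the sample log, the two daytime helpdesk1 events pass, while the night-time svc_backup session and the unlisted jdoe account are reported with the reason for each flag.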

Conclusion
As the methodology of ransomware attacks continues to evolve, we can expect to see increasingly widespread use of RATs by cybercriminals to maintain persistence, deliver malware, and exfiltrate sensitive data. By exploiting tools originally designed for legitimate purposes, cybercriminals have found a way to bypass traditional security measures and fly under the radar for longer. To defend effectively against these threats, organisations need to adopt a proactive and comprehensive cybersecurity strategy. That strategy needs to include monitoring, access controls, regular patching, and employee education. This will enable businesses to protect themselves more effectively against the growing wave of ransomware attacks leveraging the functionality of remote access tools.
Yvette Peterson, Senior Incident Response Consultant