Dive Brief:

  • Threat actors targeting small- and medium-sized businesses are keen to exploit legitimate tools and less inclined to use conventional malware in their attacks, according to Huntress’ threat report for SMBs.
  • Nearly 3 in 5 incidents recorded by Huntress during the third quarter of 2023 were free of malware, across multiple types of intrusions.
  • “While custom or outright malicious tools still feature in events, adversaries are largely seeking to blend in to legitimate network operations through multiple mechanisms to evade detection and response,” Huntress said Tuesday in the report.

Dive Insight:

Malware remains a significant threat for SMBs, accounting for 44% of all incidents in Q3, Huntress research found. But attackers more commonly exploit scripting frameworks or legitimate tools, such as remote monitoring and management (RMM) software, to break into victim networks.

Nearly two-thirds of incidents observed by Huntress during Q3 involved some form of RMM software credential theft or capture.

Threat actors abused a third-party pharmaceutical vendor’s locally hosted instance of ScreenConnect to gain access to multiple healthcare organizations’ networks this summer, according to Huntress. The threat actor installed additional RMM software to ensure persistent access to victim networks, resulting in attacks against a pharmacy and a health clinic.

Attackers also exploited legitimate RMM tools, such as AnyDesk and ScreenConnect (now ConnectWise Control), to target federal employees in a widespread campaign starting in June 2022.

In the financially motivated attacks, threat actors sent help desk-themed phishing emails to lure civilian executive staff into downloading RMM software, which the attackers then used to steal money from victims’ bank accounts, federal cyber authorities warned in a joint cybersecurity advisory earlier this year.

Exploitation of and attacks involving RMM software present a growing risk to SMBs, according to the Cybersecurity and Infrastructure Security Agency.

Threat actors are also exploiting RMM to break into managed service provider servers and gain access to thousands of customer networks, cyber authorities warned in the 2023 Joint Cyber Defense Collaborative Planning Agenda released in August.

Cyber authorities urged vendors in the space to boost information sharing to inform SMBs of the dangers to RMM infrastructure and steps organizations can take to mitigate risk.