Hackers Exploit Employee Monitoring Tools for Cyberattacks


Cybercriminals are finding new ways to misuse employee monitoring and remote management tools to carry out malicious activities. Recent research reveals that hackers are abusing legitimate applications to gain access to networks, deploy ransomware, and even steal cryptocurrencies. These tactics highlight how tools meant for security and management can be turned against organizations if not properly protected.

Abusing Legitimate Monitoring and Management Software

Researchers at Huntress have uncovered hackers leveraging two specific applications: NetworkLookout’s Net Monitor for Employees Professional and SimpleHelp. Despite its name, Net Monitor for Employees includes remote access features that can be exploited by attackers. SimpleHelp, used by many IT teams and service providers for remote management, has a history of being abused by hackers for persistence after initial access.

The attackers often get into networks by first compromising a vendor or using existing network access. Once inside, they deploy these seemingly legitimate tools to maintain stealthy control. In some cases, the hackers used Net Monitor to remotely access systems, then downloaded SimpleHelp to execute commands and manipulate security settings. This combination of tools offers a sneaky way to hide activities and avoid detection.

Techniques and Tactics Behind the Attacks

One of the key strategies involves “living off the land,” where hackers use legitimate applications already present in the environment. These tools are used to disguise malicious activities, making it harder for security teams to distinguish between normal and harmful actions. For example, attackers used Net Monitor’s reverse connection capabilities to silently connect to compromised systems, while disguising its processes to avoid suspicion.

In one incident, the attacker attempted to deploy Crazy ransomware after gaining access through a vendor’s VPN account. They first manipulated an employee monitoring tool to create new accounts and reset passwords, aiming to establish persistent access. The attacker then tried to deploy ransomware, but the attack was ultimately thwarted. In another case, they used a different compromised VPN to access the network and escalate their control.

These incidents show how hackers are getting more sophisticated, blending legitimate management tools with malicious intent. By using common ports and standard network protocols, they can operate covertly within the network, making detection more difficult for traditional security solutions.

Overall, these attacks demonstrate the importance of monitoring the use of remote management tools and maintaining strict security controls on vendor access. Organizations should be aware of how legitimate applications can be turned into attack vectors and ensure they have proper detection mechanisms in place to catch unusual activity early. As cybercriminals continue to evolve their methods, staying vigilant and proactive is more crucial than ever.
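The detection idea above can be sketched as a correlation over endpoint and VPN telemetry. This is an added example, not code from Huntress or from the article; the event schema, field names, host and account names, and the 24-hour window are assumptions, and only the two product names come from the text.

```python
from datetime import datetime, timedelta

# Product names are the two tools named in the article; the event schema,
# field names and 24-hour window are assumptions made for this example.
WATCHED = ("net monitor for employees", "simplehelp")
WINDOW = timedelta(hours=24)

def find_rmm_abuse(events, approved):
    """Flag remote-access tools started on hosts where IT has not approved them.

    approved: set of (host, tool) pairs. Severity rises when a vendor VPN login
    precedes the start and when account changes follow it on the same host.
    """
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for e in events:
        if e["type"] != "process_start":
            continue
        product = e.get("product", "").lower()
        tool = next((w for w in WATCHED if w in product), None)
        if tool is None or (e["host"], tool) in approved:
            continue
        vpn = [o["user"] for o in events
               if o["type"] == "vpn_login" and o.get("vendor")
               and timedelta(0) <= e["ts"] - o["ts"] <= WINDOW]
        changes = [o["target"] for o in events
                   if o["type"] in ("account_created", "password_reset")
                   and o.get("host") == e["host"]
                   and timedelta(0) <= o["ts"] - e["ts"] <= WINDOW]
        level = ("low", "medium", "high")[bool(vpn) + bool(changes)]
        findings.append({"host": e["host"], "tool": tool, "vendor_vpn": vpn,
                         "account_changes": changes, "severity": level})
    return findings

# Constructed sample telemetry (not taken from the incidents described).
T0 = datetime(2025, 1, 1, 9, 0)
SAMPLE = [
    {"ts": T0, "type": "vpn_login", "user": "vendor-svc", "vendor": True},
    {"ts": T0 + timedelta(minutes=20), "type": "process_start", "host": "FS01",
     "product": "Net Monitor for Employees Professional"},
    {"ts": T0 + timedelta(minutes=35), "type": "account_created", "host": "FS01",
     "target": "tmpadmin"},
    {"ts": T0 + timedelta(minutes=50), "type": "process_start", "host": "FS01",
     "product": "SimpleHelp"},
    {"ts": T0 + timedelta(hours=2), "type": "process_start", "host": "HELPDESK01",
     "product": "SimpleHelp"},
]
APPROVED = {("HELPDESK01", "simplehelp")}

if __name__ == "__main__":
    for f in find_rmm_abuse(SAMPLE, APPROVED):
        print(f)
```

The approved set is what separates the help desk's sanctioned SimpleHelp install from the same product appearing on a file server shortly after a vendor VPN session.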


Artimouse Prime

Artimouse Prime is the synthetic mind behind Artiverse.ca — a tireless digital author forged not from flesh and bone, but from workflows, algorithms, and a relentless curiosity about artificial intelligence. Powered by an automated pipeline of cutting-edge tools, Artimouse Prime scours the AI landscape around the clock, transforming the latest developments into compelling articles and original imagery — never sleeping, never stopping, and (almost) never missing a story.
