RMM vulnerabilities are taking down a lot of MSPs. Follow these steps to avoid them.

Over the past year, hackers have set their sights on MSPs. They have learned—and still are learning—that one of the easiest ways to break into an MSP’s clients is through RMM vulnerabilities. Once in, they have access to all of your customers. These attacks have crippled MSP businesses around the globe.

The bad news with RMM tools is that the very features that make them useful and easy—monitoring and manipulation of remote systems—make them extremely dangerous. If you are using an RMM tool to manage accounts, it is likely no surprise that security is a big issue.

The problem is that many of the MSPs we’ve audited set up their RMM tools and then forget about the security issues. Even several security-conscious MSPs have mistakenly left security holes large enough for attackers to exploit in their RMM configurations.

Today I want to walk through some steps you can take to harden your RMM.

First, some of the issues I have found when evaluating MSPs:

Is MFA turned on for all RMM management accounts?

Do you prevent PowerShell execution on all hosts or at least limit PowerShell?

Do you change your RMM passwords regularly?

Have you deployed some endpoint protections that do not rely on your RMM exclusively for signaling a problem?

Are you reducing your RMM user accounts to the bare minimum? Do you audit them regularly?
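One way to automate the account questions above (MFA, password age, unused accounts, admin head count), as an added example that is not from the original article or any RMM vendor. The CSV column names, the sample rows, and the 90-day and 30-day thresholds are assumptions; map them to whatever your RMM's user export provides.

```python
import csv
import io
from datetime import date

# Assumed thresholds; the article gives no numbers, so tune these to your policy.
MAX_PASSWORD_AGE_DAYS = 90
MAX_IDLE_DAYS = 30

# Constructed sample export. Column names are hypothetical, not a vendor format.
SAMPLE_EXPORT = """username,role,mfa_enabled,password_changed,last_login
alice,admin,true,2024-05-20,2024-06-10
bob,admin,false,2024-06-01,2024-06-12
carol,technician,true,2023-11-02,2024-06-11
svc-legacy,admin,false,2022-01-15,
dave,technician,true,2024-04-30,2024-03-01
"""

def audit_accounts(export_text, today):
    """Return {username: [findings]} for accounts that fail a checklist item."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        if row["mfa_enabled"].strip().lower() != "true":
            issues.append("MFA disabled")
        pw_age = (today - date.fromisoformat(row["password_changed"])).days
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password {pw_age} days old")
        # An empty last_login means the account has never been used.
        if not row["last_login"]:
            issues.append("never logged in")
        else:
            idle = (today - date.fromisoformat(row["last_login"])).days
            if idle > MAX_IDLE_DAYS:
                issues.append(f"idle {idle} days")
        if issues:
            findings[row["username"]] = issues
    return findings

def admin_count(export_text):
    """Count admin-role accounts, the number to drive toward the bare minimum."""
    return sum(r["role"] == "admin" for r in csv.DictReader(io.StringIO(export_text)))

if __name__ == "__main__":
    report = audit_accounts(SAMPLE_EXPORT, date(2024, 6, 15))
    for user, issues in sorted(report.items()):
        print(f"{user}: {'; '.join(issues)}")
    print("admin accounts:", admin_count(SAMPLE_EXPORT))
```

Run it on a schedule against a fresh export and treat any non-empty report as a ticket, so the audit does not depend on someone remembering to look.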

RMM attacks will eventually lead to broader threats down the road.

Hardening your RMM doesn’t have to be complicated. I would start with 3 simple steps:

Train—train your employees to be aware of phishing attacks, especially those related to critical infrastructure or accounts within your environment. Number one on the list would be your RMM tools.

Limit RMM integrations—in order to protect your clients and data, try to separate your data protection infrastructure from your RMM platform. If you are using an all-in-one solution, you might be putting yourself at risk of an attack that could jeopardize your entire network. The more difficult you make it for an attacker to compromise elements (especially critical ones) of your or your clients’ networks, the harder you’ll make it for them simply to deploy ransomware through your RMM.

Evaluate your backups—consider using a backup solution that prevents malware from deleting the backup. Make sure that your backup software is off network and that you will be able to access everything—including configurations—if you ever have an issue. I’d highly recommend disentangling your backup solution from your RMM to avoid any risk of an RMM-based attack impacting your backups.

Overall, the question is not what you are doing to protect your RMM.

You can’t protect against everything all the time—zero-day vulnerabilities or disgruntled employees.

But you can do better with awareness, training and process. Do you have a regular credential audit? A patching regime that includes validation? Methods and standards for logging in and monitoring networks?

What the threats facing MSPs clearly indicate is that you should be auditing yourself—having eyes on your systems and a process for dealing with anomalies.

Unless you have processes for evaluating and course correcting, you are probably like the many MSPs putting their clients (and themselves!) at risk.

One of the easiest ways to address this is through a third-party assessment of your systems and security stack to make sure it’s working the way you expect it to.