As cyber-attacks continue to evolve, remote monitoring and management (RMM) tools have become a prime target for hackers seeking unauthorized access to networks. Today, we’re speaking with Rupert Marais, our in-house security specialist with deep expertise in endpoint and device security, cybersecurity strategies, and network management. With years of experience in analyzing emerging threats, Rupert offers invaluable insights into how tools like ScreenConnect are being exploited by attackers. In this conversation, we dive into the reasons behind the growing focus on RMM platforms, the specific ways legitimate features are misused, the challenges defenders face in detecting these threats, and the critical indicators that can help uncover malicious activity.
What makes remote monitoring and management tools like ScreenConnect so essential for IT administrators, and why are they increasingly becoming a target for cyber-attacks?
RMM tools like ScreenConnect are a lifeline for IT administrators because they enable remote support, device management, and task deployment across a wide range of operating systems like Windows, macOS, and even mobile platforms. They allow IT teams to troubleshoot issues, push updates, or provide assistance without needing physical access to a device, which is incredibly efficient, especially for distributed workforces. Features like unattended access and file transfer make these tools powerful for legitimate use. However, those same capabilities are a goldmine for attackers. Hackers target RMM platforms because they provide direct, often privileged access to systems. Once inside, they can blend in with normal activity since these tools are trusted by design, making them a perfect entry point for phishing attacks or other initial access methods.
Can you explain the shift in focus among attackers from tools like AnyDesk to ScreenConnect, and what’s driving this change?
Sure, what we’ve seen is that AnyDesk, while still used, has become much easier to detect due to increased scrutiny and improved security measures around it. Defenders have gotten better at spotting its misuse through signatures and behavioral analysis, so attackers are pivoting to alternatives that fly under the radar. ScreenConnect has gained traction because it’s widely used in enterprise environments, which means it’s less likely to raise red flags right away. Plus, its robust feature set—like custom URLs, invite links, and cross-platform support—gives attackers a lot of flexibility to craft convincing phishing campaigns or establish persistent access without drawing immediate attention.
How are attackers exploiting the legitimate features of ScreenConnect to infiltrate networks?
Attackers are incredibly crafty in abusing features that were built for convenience. For instance, unattended access allows them to connect to a device without user interaction, which is great for IT support but disastrous if a malicious actor has control. File transfer capabilities let them upload malware or exfiltrate data seamlessly. They also exploit the management console to create custom URLs or invite links, which are meant to simplify remote connections but are repurposed for phishing. Victims click these links, thinking they’re legitimate, and end up installing a malicious client that gives attackers a foothold. It’s a classic case of turning a tool’s strengths into a weapon.
What role does running mostly in memory play in helping attackers avoid detection with ScreenConnect?
When the ScreenConnect client runs primarily in memory, it leaves very little footprint on the disk. Traditional antivirus or endpoint detection tools often rely on scanning files for malicious signatures, but if there’s nothing substantial to scan on the hard drive, those defenses can miss the threat entirely. This in-memory behavior makes it incredibly tough to spot unless you’re specifically looking at memory processes or conducting deeper behavioral analysis, which not all organizations have the resources to do effectively.
Can you break down how attackers use ScreenConnect for persistence and lateral movement within a compromised network?
Absolutely. For persistence, once the ScreenConnect client is installed, it often registers as a Windows service. That means it starts automatically whenever the system boots up, giving attackers a reliable way to maintain access over long periods without needing to re-infect the device. As for lateral movement, that refers to how attackers spread from one system to another within a network. ScreenConnect’s ability to manage multiple devices and its VPN-like functionality make it easy for them to hop between machines, escalate privileges, or deploy additional payloads, all while appearing as legitimate administrative activity.
What are some of the biggest challenges defenders face when trying to detect misuse of ScreenConnect?
One of the biggest hurdles is the minimal disk presence I mentioned earlier. If there’s little to no trace on the hard drive, standard forensic tools might not pick up anything suspicious. Another challenge is that chat data between operators and victims isn’t stored on disk—it’s held in memory. This means if you’re investigating after the fact, you might miss critical evidence unless you’ve captured memory data during the incident. Combine that with the fact that ScreenConnect is a legitimate tool, and distinguishing between normal and malicious use becomes a real puzzle for defenders.
The research highlights specific indicators like event logs and configuration files. Can you explain why these are so important for identifying potential misuse?
Event logs and configuration files are like breadcrumbs for investigators. For example, Security Event ID 4573 and Application Log events 100 and 101 can signal unusual activity tied to ScreenConnect’s operations, such as unauthorized access attempts or abnormal service behavior. Configuration files like user.config and system.config are also critical because they store details like hostnames, IP mappings, and encrypted keys. By analyzing these, you can trace connections back to suspicious domains or uncover evidence of tampering. These indicators are often the only way to piece together what happened during an attack, especially when other traces are minimal.
What is your forecast for the future of threats involving remote monitoring and management tools like ScreenConnect?
I think we’re going to see RMM tools remain a top target for attackers because they’re so deeply embedded in enterprise environments and inherently trusted. As defenders get better at detecting misuse, I expect threat actors to become even more sophisticated, perhaps by leveraging automation or AI to craft more convincing phishing lures tied to these tools. We might also see a rise in attacks targeting less-known RMM platforms as the bigger names like ScreenConnect come under heavier scrutiny. Ultimately, the cat-and-mouse game will continue, and organizations will need to prioritize monitoring, employee training, and layered defenses to stay ahead of these evolving threats.
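The indicators Rupert lists (Security Event ID 4573, Application Log events 100 and 101, and the hostnames and IP mappings held in user.config / system.config) can be turned into a small triage script. The following Python is an added example written for this page, not code from the interview or from the ScreenConnect vendor. It assumes event records exported to JSON-like dicts with `Channel`, `EventID`, `Provider` and `Message` fields (a common EVTX-to-JSON shape), and it filters the generic Application IDs 100/101 by a provider name containing "ScreenConnect" to keep noise down; that filter is my design choice, not something the interview specifies. The sample events and the sample config are constructed, and the config's element and attribute names are placeholders rather than the real ScreenConnect schema, which is why host extraction scans every text node and attribute value instead of relying on a known key.

```python
import re
import xml.etree.ElementTree as ET

# Event IDs cited in the interview above. They are used here only as a
# triage filter; their precise semantics are not documented on this page.
SECURITY_EVENT_IDS = {4573}
APPLICATION_EVENT_IDS = {100, 101}

# Constructed sample records (not real logs). Field names assume an
# EVTX-to-JSON style export; adjust to your exporter's schema.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624,
     "Provider": "Microsoft-Windows-Security-Auditing",
     "Message": "An account was successfully logged on."},
    {"Channel": "Security", "EventID": 4573,
     "Provider": "Microsoft-Windows-Security-Auditing",
     "Message": "constructed sample security event"},
    {"Channel": "Application", "EventID": 100,
     "Provider": "ScreenConnect Client (constructed-sample)",
     "Message": "Service started"},
    {"Channel": "Application", "EventID": 100,
     "Provider": "SomeOtherApp",        # same ID, unrelated provider: ignored
     "Message": "Started"},
    {"Channel": "Application", "EventID": 101,
     "Provider": "ScreenConnect Client (constructed-sample)",
     "Message": "Connected to relay"},
]

# Constructed sample config. Element/attribute names are placeholders,
# not the real user.config layout; hosts are RFC 5737 / .test examples.
SAMPLE_USER_CONFIG = """<?xml version="1.0"?>
<configuration>
  <userSettings>
    <setting name="RelayHost" serializeAs="String">
      <value>relay.example-support.test:8041</value>
    </setting>
    <setting name="SessionKey" serializeAs="String">
      <value>placeholder-encrypted-key</value>
    </setting>
    <setting name="FallbackAddress" serializeAs="String">
      <value>203.0.113.10:443</value>
    </setting>
  </userSettings>
</configuration>
"""

# Matches dotted hostnames or IPv4 addresses, with an optional :port.
HOST_RE = re.compile(
    r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?::\d{1,5})?\b"
)


def triage_events(events):
    """Return (event, reason) pairs worth an analyst's attention.

    Security 4573 is flagged unconditionally; Application 100/101 only
    when the provider name mentions ScreenConnect, because those IDs are
    reused by many unrelated applications (assumption: provider naming).
    """
    flagged = []
    for ev in events:
        chan, eid = ev.get("Channel"), ev.get("EventID")
        provider = (ev.get("Provider") or "").lower()
        if chan == "Security" and eid in SECURITY_EVENT_IDS:
            flagged.append((ev, f"Security event {eid} cited as ScreenConnect indicator"))
        elif (chan == "Application" and eid in APPLICATION_EVENT_IDS
              and "screenconnect" in provider):
            flagged.append((ev, f"ScreenConnect Application event {eid}"))
    return flagged


def extract_hosts(config_xml):
    """Collect every host/IP (with optional port) from any text node or
    attribute value in the config, sorted, without assuming key names."""
    root = ET.fromstring(config_xml)
    hits = set()
    for el in root.iter():
        candidates = [el.text or ""] + list(el.attrib.values())
        for s in candidates:
            hits.update(m.group(0) for m in HOST_RE.finditer(s))
    return sorted(hits)


def unexpected_hosts(hosts, allowlist):
    """Hosts in the config that are not on the organisation's known-good
    relay list; anything here warrants a closer look."""
    return [h for h in hosts if h not in allowlist]


if __name__ == "__main__":
    for ev, reason in triage_events(SAMPLE_EVENTS):
        print(f"[{ev['Channel']}:{ev['EventID']}] {reason}: {ev['Message']}")
    hosts = extract_hosts(SAMPLE_USER_CONFIG)
    print("hosts in config:", hosts)
    print("not on allowlist:", unexpected_hosts(hosts, {"relay.example-support.test:8041"}))
```

Run against an exported event set and the config files pulled from a suspect host, the two functions give an investigator a short list of events to pivot on and a set of relay endpoints to compare with the organisation's sanctioned ScreenConnect instance; because chat data and much of the client's activity live only in memory, as the interview notes, these on-disk and log artefacts are often the main evidence available after the fact.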