The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Israel National Cyber Directorate (INCD) released today the Guide to Securing Remote Access Software. This joint guide informs organizations about how to detect and defend against malicious actors abusing this software by describing common ways the software is exploited and the associated tactics, techniques, and procedures (TTPs).
While remote access software has beneficial features and legitimate uses, malicious actors often abuse these products to evade detection and to establish network connections through cloud-hosted infrastructure. By leveraging legitimate remote access software that is already present or easily installed in a target environment, malicious cyber actors can apply a technique known as living off the land (LOTL), in which an intrusion is carried out with tools the victim already trusts rather than with custom malware. The guide is particularly relevant given the demonstrated use of these techniques by advanced adversaries, as reflected in the recent joint advisory highlighting People’s Republic of China state-sponsored actors using LOTL techniques, including exploitation of remote access capabilities to evade detection.
Informed by an ongoing public-private planning effort within the Joint Cyber Defense Collaborative, this joint guide provides recommendations to information technology (IT), operational technology (OT), and industrial control systems (ICS) professionals and organizations on best practices for securely using remote access software and on how to detect and defend against malicious actors abusing remote access products.
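The detection problem described in the two paragraphs above, as an added illustration that is not code from the guide or from any of the publishing agencies: because the tools are legitimate, a plain "is this binary malicious" check does not work, so the check has to be an inventory one. The example compares process-creation events against a per-host list of approved remote access tools and flags two conditions: a remote access tool that is not approved for that host, and an approved tool launched from a user-writable directory, which is how a portable copy dropped by an intruder typically differs from the managed installation. The tool names, the CSV event format, the sample events and the approved-tool inventory are all assumptions constructed for this example.

```python
"""Flag remote access software that is not on a host's approved list.

Added illustration only: the tool names, event format, sample events and
approved-tool inventory are assumptions for this example, not content of
the guide. Adapt the sets below to your own environment and inventory.
"""
import csv
import io
from dataclasses import dataclass

# Assumed: executable names of commonly deployed remote access tools (lower-case).
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe",
    "teamviewer.exe",
    "screenconnect.clientservice.exe",
    "atera.exe",
    "splashtopstreamer.exe",
    "logmein.exe",
    "rustdesk.exe",
}

# Assumed: path fragments a managed, centrally installed tool should never run from.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    image: str
    reason: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def review_process_events(csv_text: str, approved: dict[str, set[str]]) -> list[Finding]:
    """Return findings for process events that contradict the remote access inventory.

    csv_text: process-creation events with columns host,user,image,parent.
    approved: host name -> set of remote access executables approved on that host.
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = row["image"]
        name = basename(image)
        if name not in REMOTE_ACCESS_TOOLS:
            continue  # not a remote access tool; out of scope for this check
        host = row["host"]
        allowed = {t.lower() for t in approved.get(host, set())}
        if name not in allowed:
            findings.append(Finding(host, row["user"], image,
                                    "remote access tool not approved for host"))
        elif any(hint in image.lower() for hint in USER_WRITABLE_HINTS):
            findings.append(Finding(host, row["user"], image,
                                    "approved tool launched from user-writable path"))
    return findings


# Constructed sample events: one managed install, one unapproved tool dropped in
# Temp, one approved tool run as a portable copy from Downloads, one unrelated process.
SAMPLE_EVENTS = """host,user,image,parent
WS01,alice,C:\\Program Files\\TeamViewer\\TeamViewer.exe,explorer.exe
WS01,alice,C:\\Users\\alice\\AppData\\Local\\Temp\\AnyDesk.exe,cmd.exe
FS02,svc-backup,C:\\Users\\svc-backup\\Downloads\\TeamViewer.exe,powershell.exe
FS02,svc-backup,C:\\Windows\\System32\\svchost.exe,services.exe
"""

# Constructed inventory: only TeamViewer is sanctioned, on both hosts.
APPROVED = {"WS01": {"TeamViewer.exe"}, "FS02": {"TeamViewer.exe"}}


if __name__ == "__main__":
    for f in review_process_events(SAMPLE_EVENTS, APPROVED):
        print(f"{f.host}\t{f.user}\t{f.reason}\t{f.image}")
```

Running the block reports the AnyDesk launch on WS01 and the portable TeamViewer copy on FS02, and stays silent on the managed TeamViewer installation and on svchost. The inventory-based framing is the point: the same executable is benign on one host and a finding on another, which is exactly why an allowlist per host, rather than a global blocklist, is what makes LOTL abuse of remote access software visible.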
“Persistent collaboration with our partners enables us to better help public and private sector partners take steps to measurably reduce their cyber risks,” said Eric Goldstein, Executive Assistant Director for Cybersecurity. “Adversaries are continuously innovating to evade detection and achieve their malicious objectives. Today’s joint guide gives all organizations key insights into how to detect and mitigate exploitation of remote access software by malicious cyber actors. We particularly appreciate the expertise provided by our partners in the Israel National Cyber Directorate for their contributions to this guide. Through our strong collaboration with U.S. and international partners, we will continue to provide timely and actionable guidance to address emergent risks.”
“Remote access may be a useful option for many organizations, but it also could be a threat vector into their systems,” said Eric Chudow, NSA’s System Threats and Vulnerability Analysis Subject Matter Expert. “If not properly secured, it could enable cyber actors to use or even have control over systems and resources, and can be used as part of living off the land techniques.”
“The FBI will do everything it can to prevent malicious cyber actors from exploiting remote access software networks as a gateway to inflict harm,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division. “We are committed to working alongside our federal, international, and private sector partners to combat these types of threats. Sharing insights from guides such as these and reporting computer intrusions are key steps for the American public to bolster their network defenses and mitigate future victimization.”
“Many APT and ransomware groups use major remote control tools in various cyber attacks. These groups abuse off-the-shelf tools that make the deployment of malware easy and effective,” said Tom Alexandrovich, Executive Director of Cyber Defense Division at the INCD. “This best practice is an updated coordinated effort to mitigate these threats. By joining forces, we can build better resilience, improve our best practices and protect global cyberspace from common threats and tactics.”
All organizations are encouraged to review the joint guide and implement its recommended mitigations and best practices. For more on CISA’s work to help organizations, critical infrastructure and businesses mitigate cybersecurity risk, visit CISA.gov.