December 2, 2021

Beyond Kaseya: Everyday IT Tools Can Offer ‘God Mode’ for Hackers

When WIRED reached out to Jamf for comment, the company’s chief information security officer, Aaron Kiemele, pointed out that the Black Hat research doesn’t point to any actual security vulnerabilities in its software. But “management infrastructure,” Kiemele added in a statement, always holds “allure to attackers. So any time you’re using a system to manage many different devices, giving administrative control, it becomes imperative that that system is configured and managed securely.” He referred Jamf users to this guide to “hardening” Jamf environments through configuration and settings changes.

Though the former F-Secure researchers focused on Jamf, it’s hardly alone among remote management tools as a potential attack surface for intruders, says Jake Williams, a former NSA hacker and chief technology officer of security firm BreachQuest. Beyond Kaseya, tools like ManageEngine, inTune, NetSarang, DameWare, TeamViewer, GoToMyPC and others present similarly juicy targets. They’re ubiquitous, usually aren’t limited in their privileges on a target PC, are often exempted from antivirus scans and overlooked by security administrators, and are able to install programs on large numbers of machines by design. “Why are they so nice to exploit?” Williams asks. “You’re getting access to everything they manage. You’re in god mode.”

In recent years, Williams says he’s seen in his security practice that hackers have “repeatedly” exploited remote management tools, including Kaseya, TeamViewer, GoToMyPC, and DameWare in targeted intrusions against his customers. He clarifies that’s not because all those tools had hackable vulnerabilities themselves, but because hackers used their legitimate functionality after gaining some access to the victim’s network.

In fact, instances of a larger-scale exploitation of those tools started earlier, in 2017, when a group of Chinese state hackers carried out a software supply chain attack on the remote management tool NetSarang, breaching the Korean company behind that software to hide their own backdoor code in it. The higher-profile SolarWinds hacking campaign, in which Russian spies hid malicious code in the IT monitoring tool Orion to penetrate no fewer than nine US federal agencies, in some sense demonstrates the same threat. (Though Orion is technically a monitoring tool, not management software, it has many of the same features, including the ability to run commands on target systems.) In another clumsy but unnerving breach, a hacker used the remote access and management tool TeamViewer to access the systems of a small water treatment plant in Oldsmar, Florida, attempting—and failing—to dump dangerous amounts of lye into the city’s water supply.

As fraught as remote management tools may be, however, giving them up isn’t an option for many administrators who depend on them to oversee their networks. In fact, many smaller businesses without well-staffed IT teams often need them to keep control of all of their computers, without the benefit of more manual oversight. Despite the techniques they’ll present at Black Hat, Roberts and Hall argue that Jamf is still likely a net positive for security in most of the networks where it’s used, since it allows administrators to standardize the software and configuration of systems and keep them patched and up-to-date. They instead hope to push the vendors of security technologies like endpoint detection systems to monitor for the sort of remote management tool exploitation they’re demonstrating.

For many kinds of remote-management-tool exploitation, however, no such automated detection is possible, says BreachQuest’s Williams. The tools’ expected behavior—reaching out to many devices on the network, changing configurations, installing programs—is simply too hard to distinguish from malicious activity. Instead, Williams argues that in-house security teams need to learn to monitor for the tools’ exploitation and be ready to shut them down, as many did when news began to spread of a vulnerability in Kaseya last week. But he admits that’s a tough solution, given that users of remote management tools often can’t afford those in-house teams. “Other than being on the spot, ready to react, to limit the blast radius, I don’t think there’s a lot of good advice,” says Williams. “It’s a fairly bleak scenario.”

But network administrators would do well, at least, to start by understanding just how powerful their remote management tools can be in the wrong hands—a fact that those who would abuse them now seem to know better than ever.

