Just a few weeks after the AnyDesk breach, another remote access tool reported a critical vulnerability that highlights the risk of these useful tools.
On Feb. 19, ConnectWise released a security fix for ScreenConnect 23.9.7 which disclosed a critical vulnerability. Appropriately scoring a max CVSS 10, the vulnerability allows attackers to bypass authentication and gain administrative access to a ScreenConnect instance.
The ScreenConnect vulnerability comes just weeks after the AnyDesk Feb. 2 breach disclosure which subsequently forced a password reset for all users after it found 18,000 user credentials for sale on the dark web for $15,000.
Both ScreenConnect and AnyDesk are commercial remote access tools that provide huge value to IT teams and service providers to troubleshoot issues, perform maintenance, or install patches. Unfortunately, attackers also find huge value in these remote access tools, which serve the same purpose as a remote access trojan.
In the months leading up to this attack, Cymulate and other security research labs have observed an uptick in threat activity targeting and abusing these tools and services. It’s a trend that is likely to continue through 2024.
This threat is not limited to commercial remote access tools such as TeamViewer, RustDesk, Real VNC Viewer, Iperius, and AeroAdmin. It also extends to external remote services.
Similar to remote access software, external remote services are common in operating systems and browsers with services like Windows Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), X11 Forwarding over SSH, and XRDP (an open-source implementation of Microsoft’s RDP that allows you to graphically control a remote machine with a Linux operating system from a Windows machine using the native Windows RDP client).
Remote Access Best Practices
We recently published a piece about security best practices for remote access in Security Magazine. These best practices include application whitelisting, blocking control servers at the perimeter, and a few more that you can read in this digital article.
One of those best practices is to test and validate controls, monitoring capabilities, and configurations. Security teams should perform regular testing of controls and assessments of the attack surface to validate proper configuration and performance of prevention, logging, and analysis. Automate this testing with security validation solutions such as breach and attack simulation, automated red teaming, and attack surface management.
Validate with Automated Offensive Testing
To continuously assess your attack surface and validate controls against threats related to remote access tools and services, Cymulate includes simulation templates as well as individual execution, files, and Sigma rules that cover:
- Remote control software execution for tools such as TeamViewer, RustDesk, Real VNC Viewer, Iperius, AeroAdmin, and AnyDesk
- Lateral movement via RDP and VNC
- RDP and SSH hijacking
- Exfiltration over SSH
- Defense evasion by deleting or disabling logs
To highlight a few examples, let’s drill into attack simulations for remote control software execution and lateral movement via RDP.
The Cymulate platform includes default templates for tools such as ScreenConnect, AnyDesk, TeamViewer, RustDesk, Real VNC Viewer, and more. In this attack simulation available in Cymulate Breach and Attack Simulation Advanced Scenarios, Cymulate simulates remote control software execution and attempts a connection to the remote software server along with the execution.
Cymulate simulations are based on libraries of executions, files, and Sigma rules. In the case of remote access simulations like ScreenConnect, Cymulate research provides the production-safe executions to test controls – whether that be blocking at the network gateway, logging events in SIEM, or network traffic analysis.
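As an added illustration of what the "logging events in SIEM" side of such a check looks like (this is not Cymulate's code, nor a Cymulate or SigmaHQ rule), the following Python evaluates a constructed Sigma-style process-creation rule over constructed Sysmon-style events and reports remote access tool launches that fall outside an assumed application allowlist. Executable names, paths, users and the allowlist are all illustrative assumptions.

```python
"""Constructed example: a Sigma-style rule for remote access tool execution,
checked against an assumed application allowlist. Not a vendor rule."""

# Illustrative Sigma-like rule (constructed for this example).
RULE = {
    "title": "Remote access tool execution",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": [
                "\\anydesk.exe", "\\teamviewer.exe", "\\rustdesk.exe",
                "\\screenconnect.clientservice.exe", "\\vncviewer.exe",
                "\\aeroadmin.exe", "\\iperius.exe",
            ]
        },
        "condition": "selection",
    },
}

# Assumed allowlist: the one remote access tool IT is permitted to run.
APPROVED_IMAGES = {"c:\\program files\\teamviewer\\teamviewer.exe"}

# Constructed Sysmon-style process-creation events (sample input).
EVENTS = [
    {"Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "User": "CORP\\helpdesk"},
    {"Image": "C:\\Users\\bob\\Downloads\\AnyDesk.exe", "User": "CORP\\bob"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "User": "CORP\\bob"},
    {"Image": "C:\\Temp\\rustdesk.exe", "User": "CORP\\alice"},
]


def field_matches(event, key, values):
    """Evaluate one Sigma field test; supports the endswith/contains/equals modifiers."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def rule_fires(rule, event):
    """True when every field test in the rule's selection matches (condition: selection)."""
    selection = rule["detection"]["selection"]
    return all(field_matches(event, k, v if isinstance(v, list) else [v])
               for k, v in selection.items())


def unapproved_launches(events, rule=RULE, approved=APPROVED_IMAGES):
    """Return image paths of detected remote access tools that are not on the allowlist."""
    return [e["Image"] for e in events
            if rule_fires(rule, e) and e["Image"].lower() not in approved]


if __name__ == "__main__":
    for image in unapproved_launches(EVENTS):
        print("ALERT: unapproved remote access tool:", image)
```

The approved TeamViewer launch still fires the rule but is filtered by the allowlist, which is the distinction a validation run should confirm the SIEM makes.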
To simulate the misuse of external remote services like RDP or VNC, the Cymulate Platform includes assessment templates and resources that simulate discovery, lateral movement, defense evasion, exfiltration, and more. This is an example of a BAS Advanced Scenarios resource to simulate the discovery of the domain controller via RDP.
To see how your organization can benefit from Cymulate’s advanced offensive security testing and how you can assess the attack surface for threats related to remote access software and services, schedule a Cymulate demo with one of our security experts.