An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | Jan. 25, 2023

NSA, CISA, and MS-ISAC Release Guidance for Securing Remote Monitoring and Management Software

FORT MEADE, Md. — The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released the “Protecting Against Malicious Use of Remote Monitoring and Management Software” Cybersecurity Advisory (CSA) today to help network defenders protect against the malicious use of legitimate remote monitoring and management (RMM) software.

RMM software is commonly used by managed service providers (MSPs) and help desks to provide security and/or technical support. The software is intended to enable network management, endpoint monitoring, and remote interaction with hosts for IT-support functions. Malicious use of RMM software allows cybercriminals and advanced persistent threat (APT) actors to bypass anti-virus/anti-malware defenses.

In October, CISA identified a widespread cyber campaign in which cybercriminal actors leveraged RMM software to gain command and control of devices and accounts. Malicious cyber actors could leverage these same techniques to target National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks and use legitimate RMM software on both work and home devices and accounts. Other RMM software solutions could be abused to similar effect.

CISA, NSA, and MS-ISAC encourage network defenders to apply mitigations such as the following:

  • Audit installed remote access tools to identify RMM software.
  • Implement application controls to prevent execution of unauthorized RMM software.
  • Use only authorized RMM software on your network over approved remote access solutions, such as VPN or VDI.
  • Block both inbound and outbound connections on common RMM ports and protocols.

Read the full report here.
 
Visit our full library for more cybersecurity information and technical guidance.


NSA Media Relations
MediaRelations@nsa.gov
443-634-0721