When WIRED contacted Jamf for comment, the company's chief information security officer, Aaron Kiemele, pointed out that the Black Hat research did not identify any actual security vulnerabilities in its software. But "management infrastructure," Kiemele added in a statement, is always "attractive to attackers. Therefore, whenever you use a system to manage many different devices and provide management control, the system must be configured and managed securely." He pointed Jamf users to this guide, which "enhances" the Jamf environment through configuration and setting changes.
Although the former F-Secure researchers focused on Jamf, it is not the only remote management tool that offers a potential attack surface for intruders, said Jake Williams, a former NSA hacker and chief technology officer of security company BreachQuest. In addition to Kaseya, tools such as ManageEngine, Intune, NetSarang, DameWare, TeamViewer, and GoToMyPC provide similarly juicy targets. They are ubiquitous, usually have unrestricted permissions on the target PC, are usually exempt from antivirus scanning and overlooked by security administrators, and can install programs on a large number of machines by design. "Why are they so easy to use?" Williams asked. "You can access everything they manage. You are in God mode."
Williams said that in recent years he has seen, in his security practice, hackers "repeatedly" use remote management tools, including Kaseya, TeamViewer, GoToMyPC, and DameWare, to target his customers. He clarified that this is not because all of these tools have exploitable vulnerabilities themselves, but because the hackers used the tools' legitimate functions after gaining access to the victim's network.
In fact, the large-scale abuse of these tools began as early as 2017, when a group of Chinese state hackers carried out a software supply chain attack on the remote management tool NetSarang, compromising the Korean company behind the software and hiding their own backdoor code in it. The high-profile SolarWinds hacking campaign, in which Russian spies hid malicious code in the IT monitoring tool Orion to infiltrate no fewer than nine US federal agencies, in a sense demonstrates the same threat. (Although Orion is technically a monitoring tool, not management software, it has many of the same features, including the ability to run commands on the target system.) In another clumsy but disturbing incident, hackers used the remote access and management tool TeamViewer to access the systems of a small water treatment plant in Oldsmar, Florida, in a failed attempt to pour dangerous amounts of lye into the city's water supply system.
However, while remote management tools may be worrisome, abandoning them is not an option for the many administrators who rely on them to supervise their networks. In fact, many small businesses without a well-equipped IT team usually need them to maintain control of all their computers without the benefit of more manual supervision. Although they will demonstrate these techniques at Black Hat, Roberts and Hall believe that Jamf may still have a positive impact on the security of most networks that use it, because it allows administrators to standardize system software and configuration and keep them patched and up to date. Instead, they want to push vendors of security technology, such as endpoint detection systems, to monitor for the kind of remote management tool use they are demonstrating.
However, Williams of BreachQuest said that such automated detection is not possible for the use of many remote management tools. The expected behavior of these tools (touching many devices on the network, changing configurations, installing programs) is simply indistinguishable from malicious activity. Instead, Williams believes that internal security teams need to learn to monitor the use of these tools and be prepared to shut them down, just as many did when news of the vulnerability in Kaseya began spreading last week. But he admits that this is a difficult solution, because users of remote management tools often cannot afford such internal teams. "Apart from being at the scene, ready to react, and limiting the radius of the explosion, I don't think there are many good suggestions," Williams said. "This is a rather dim scene."
But network administrators can at least start by understanding how powerful their remote management tools are in the hands of criminals—in fact, those who abuse them now seem to understand this better than ever.