When WIRED reached out to Jamf for comment, the company’s chief information security officer, Aaron Kiemele, pointed out that the Black Hat research doesn’t point to any actual security vulnerabilities in its software. But “management infrastructure,” Kiemele added in a statement, always holds “allure to attackers. So any time you’re using a system to manage many different devices, giving administrative control, it becomes imperative that that system is configured and managed securely.” He referred Jamf users to this guide to “hardening” Jamf environments through configuration and settings changes.
Though the former F-Secure researchers focused on Jamf, it’s hardly alone among remote management tools as a potential attack surface for intruders, says Jake Williams, a former NSA hacker and chief technology officer of security firm BreachQuest. Beyond Kaseya, tools like ManageEngine, inTune, NetSarang, DameWare, TeamViewer, GoToMyPC and others present similarly juicy targets. They’re ubiquitous, usually aren’t limited in their privileges on a target PC, are often exempted from antivirus scans and overlooked by security administrators, and are able to install programs on large numbers of machines by design. “Why are they so nice to exploit?” Williams asks. “You’re getting access to everything they manage. You’re in god mode.”
In recent years, Williams says he’s seen in his security practice that hackers have “repeatedly” exploited remote management tools, including Kaseya, TeamViewer, GoToMyPC, and DameWare in targeted intrusions against his customers. He clarifies that’s not because all those tools had hackable vulnerabilities themselves, but because hackers used their legitimate functionality after gaining some access to the victim’s network.
In fact, instances of a larger-scale exploitation of those tools started earlier, in 2017, when a group of Chinese state hackers carried out a software supply chain attack on the remote management tool NetSarang, breaching the Korean company behind that software to hide their own backdoor code in it. The higher-profile SolarWinds hacking campaign, in which Russian spies hid malicious code in the IT monitoring tool Orion to penetrate no fewer than nine US federal agencies, in some sense demonstrates the same threat. (Though Orion is technically a monitoring tool, not management software, it has many of the same features, including the ability to run commands on target systems.) In another clumsy but unnerving breach, a hacker used the remote access and management tool TeamViewer to access the systems of a small water treatment plant in Oldsmar, Florida, attempting—and failing— to dump dangerous amounts of lye into the city’s water supply.
As fraught as remote management tools may be, however, giving them up isn’t an option for many administrators who depend on them to oversee their networks. In fact, many smaller businesses without well-staffed IT teams often need them to keep control of all of their computers, without the benefit of more manual oversight. Despite the techniques they’ll present at Black Hat, Roberts and Hall argue that Jamf is still likely a net positive for security in most of the networks where it’s used, since it allows administrators to standardize the software and configuration of systems and keep them patched and up-to-date. They instead hope to push the vendors of security technologies like endpoint detection systems to monitor for the sort of remote management tool exploitation they’re demonstrating.
For many kinds of remote-management-tool exploitation, however, no such automated detection is possible, says BreachQuest’s Williams. The tools’ expected behavior—reaching out to many devices on the network, changing configurations, installing programs—is simply too hard to distinguish from malicious activity. Instead, Williams argues that in-house security teams need to learn to monitor for the tools’ exploitation and be ready to shut them down, as many did when news began to spread of a vulnerability in Kaseya last week. But he admits that’s a tough solution, given that users of remote management tools often can’t afford those in-house teams. “Other than being on the spot, ready to react, to limit the blast radius, I don’t think there’s a lot of good advice,” says Williams. “It’s a fairly bleak scenario.”
But network administrators would do well, at least, to start by understanding just how powerful their remote management tools can be in the wrong hands—a fact that those who would abuse them now seem to know better than ever.
More Great WIRED Stories
