When WIRED contacted Jamf for comment, the company’s head of information security, Aaron Kiemele, pointed out that the Black Hat research does not point to any actual security issues in the software. But “management infrastructure,” Kiemele added in a statement, has always “lured attackers, so when using a system to manage many different devices, which provides administrative control, it becomes important that the system is configured and managed securely.” He referred Jamf users to this guide to “harden” Jamf environments through configuration and setting changes.
Although the former F-Secure researchers focused on Jamf, it is hardly alone among remote management tools as a potential attack surface for intruders, says Jake Williams, a former NSA hacker and chief technology officer at security firm BreachQuest. Beyond Kaseya, tools such as ManageEngine, inTune, NetSarang, DameWare, TeamViewer, GoToMyPC and others present equally juicy targets. They are ubiquitous, are usually not limited in their privileges on a target PC, are often exempt from antivirus scans and overlooked by security administrators, and are able to install programs on a large number of machines by design. “Why are they so nice to exploit?”
In recent years, Williams says, he has seen in his security practice that hackers have “repeatedly” exploited remote management tools, including Kaseya, TeamViewer, GoToMyPC and DameWare, in targeted intrusions against his customers. He emphasizes that this is not because all of these tools had hackable vulnerabilities themselves, but because hackers used their legitimate functionality after gaining some access to the victim’s network.
In fact, large-scale exploitation of these tools began earlier, in 2017, when a group of Chinese state hackers attacked the software supply chain of the NetSarang remote management tool, breaching the Korean company behind that software to hide their own backdoor code in it. The more high-profile SolarWinds hacking campaign, in which Russian spies hid malicious code in the IT monitoring tool Orion to infiltrate no fewer than nine US federal agencies, illustrates the same threat in some respects. (Although Orion is technically a monitoring tool, not management software, it has many of the same features, including the ability to run commands on target systems.) In another cruder but unnerving breach, a hacker used the remote access and management tool TeamViewer to gain access to the systems of a small water treatment plant in Oldsmar, Florida, and attempt – and fail – to dump hazardous amounts of lye into the city’s water supply.
As risky as remote management tools may be, giving them up is not an option for many administrators who rely on them to keep their networks under control. In fact, many smaller businesses without well-staffed IT teams often need them to keep control of all their computers without more hands-on oversight. Despite the techniques they will present at Black Hat, Roberts and Hall argue that Jamf is likely to be a net positive for security in most networks where it is used, as it allows administrators to standardize software and system configuration and keep them patched and updated. Instead, they hope to pressure vendors of security technologies such as endpoint detection systems to monitor for the kind of abuse of remote management tools they demonstrate.
For many kinds of abuse of remote management tools, however, no such automated detection is possible, says BreachQuest’s Williams. The expected behavior of the tools – reaching many devices on the network, changing configurations, installing applications – is simply too difficult to distinguish from malicious activity. Instead, Williams argues that internal security teams must learn to monitor the use of the tools and be ready to shut them down, as many did when news began to spread about a vulnerability in Kaseya last week. But he admits that it is a tough solution, given that users of remote management tools often cannot afford internal teams. “Other than being on site, ready to react, to limit the blast radius, I don’t think there is much good advice,” Williams said. “It’s a pretty gloomy scenario.”
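The monitoring Williams describes cannot key on the tools’ normal actions, since pushing scripts to many devices is exactly what they are for. What a team can watch is whether an operator’s activity departs from their own history or from an agreed change window. The script below is an added illustration of that idea, not code from the article, Jamf, Kaseya or any vendor; the audit-log format, the operator names, the 08:00–18:00 change window and the 5x fan-out threshold are all constructed assumptions for the example.

```python
"""Added example (not from the WIRED article or any vendor): a toy monitor for
remote-management-tool audit events. Rather than flagging mass pushes as such,
it compares each event with the operator's own earlier fan-out and with an
assumed change window, which is the kind of human-reviewable signal the text
says security teams must build for themselves."""

from collections import defaultdict
from datetime import datetime, time

# Constructed audit lines: ISO timestamp | operator | action | number of devices touched
SAMPLE_LOG = """\
2021-07-05T10:02:11 alice policy_push 12
2021-07-05T10:40:03 alice script_deploy 8
2021-07-05T11:15:27 bob policy_push 15
2021-07-06T09:30:44 alice script_deploy 10
2021-07-06T14:05:19 bob software_install 20
2021-07-07T02:14:55 svc-helpdesk script_deploy 640
2021-07-07T10:00:00 alice policy_push 11
"""

CHANGE_WINDOW = (time(8, 0), time(18, 0))  # assumed: changes are expected in business hours
FANOUT_MULTIPLIER = 5                      # assumed: 5x an operator's largest prior fan-out is worth a look
MIN_HISTORY = 2                            # assumed: baseline needs at least this many prior events
FIRST_SEEN_LIMIT = 100                     # assumed: an operator with no history touching >= this many devices


def parse_log(text):
    """Parse the constructed line format into event dicts, in log order."""
    events = []
    for line in text.strip().splitlines():
        ts, operator, action, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "operator": operator,
                       "action": action, "devices": int(count)})
    return events


def outside_change_window(ts):
    start, end = CHANGE_WINDOW
    return not (start <= ts.time() <= end)


def find_anomalies(events):
    """Return a list of (event, reasons) for events that merit a human look.

    Baselines use only events seen *before* the one being judged, so a single
    mass push cannot normalise itself into the baseline."""
    history = defaultdict(list)  # operator -> device counts of their earlier events
    findings = []
    for ev in events:
        reasons = []
        seen = history[ev["operator"]]
        if outside_change_window(ev["ts"]):
            reasons.append("outside change window")
        if len(seen) >= MIN_HISTORY:
            baseline = max(seen)
            if ev["devices"] > FANOUT_MULTIPLIER * baseline:
                reasons.append(f"fan-out {ev['devices']} vs baseline max {baseline}")
        elif ev["devices"] >= FIRST_SEEN_LIMIT:
            reasons.append(f"operator with little history touching {ev['devices']} devices")
        if reasons:
            findings.append((ev, reasons))
        seen.append(ev["devices"])
    return findings


if __name__ == "__main__":
    for ev, reasons in find_anomalies(parse_log(SAMPLE_LOG)):
        print(ev["ts"], ev["operator"], ev["action"], ev["devices"], "->", "; ".join(reasons))
```

Run stand-alone, it reports only the 02:14 push of 640 devices by an account with no prior history; alice’s and bob’s routine pushes produce nothing, which is the point: the signal is the deviation, not the action. The thresholds are deliberately crude, and in practice they would be tuned per environment and paired with the readiness to pause the tool that Williams describes.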
But network administrators would at least do well to begin by understanding how powerful their remote management tools can be in the wrong hands – a fact that those who want to abuse them seem to know better than ever.