When WIRED contacted Jamf for comment, Chief Information Security Officer Aaron Kiemele stressed that the researchers’ Black Hat findings did not point to real security vulnerabilities in its software. But “management infrastructure,” Kiemele added in a statement, always attracts “attackers. So every time you use a system to manage many different devices, providing administrative control, it becomes necessary to configure and manage that system securely.” Jamf also pointed to a guide to “hardening” the Jamf environment through configuration and settings changes.
Although the former F-Secure researchers focused on Jamf, it is hardly alone among remote management tools in representing a potential attack surface for intruders, says Jake Williams, a former NSA hacker and chief technology officer of the security firm BreachQuest. Aside from Kaseya, tools like ManageEngine, Intune, NetSarang, DameWare, TeamViewer, GoToMyPC and others represent similarly juicy targets. They are ubiquitous, usually not limited in their privileges on the target computer, are often exempt from antivirus scans and overlooked by security administrators, and can install programs on a large number of machines by design. “Why wouldn’t you want to use them?” says Williams. “You get access to everything they manage. You’re in god mode.”
In recent years, Williams says, he has seen in his security practice that hackers “repeatedly” used remote management tools, including Kaseya, TeamViewer, GoToMyPC, and DameWare, in targeted intrusions against his customers. He explains that this is not because all of these tools themselves had hackable vulnerabilities, but because the hackers used their legitimate functionality after gaining access to the victim’s network.
In fact, cases of broader abuse of these tools began earlier, in 2017, when a group of Chinese state hackers carried out a software supply chain attack on the NetSarang remote management tool, breaching the Korean company behind the software to hide their own backdoor code in it. The higher-profile SolarWinds hacking campaign, in which Russian spies hid malicious code in the Orion IT monitoring tool to infiltrate at least nine U.S. federal agencies, in a sense demonstrates the same threat. (Although Orion is technically a monitoring tool, not management software, it has many of the same features, including the ability to run commands on target systems.) In another clumsier but unnerving breach, a hacker used the TeamViewer remote access and management tool to gain access to the systems of a small water treatment plant in Oldsmar, Florida, trying – and failing – to dump dangerous amounts of lye into the city’s water supply.
As fraught as remote management tools may be, giving them up is not an option for many administrators who depend on them to oversee their networks. In fact, many smaller businesses without well-staffed IT teams need them to maintain control of all of their computers, without the benefit of manual oversight. Despite the techniques they will present at Black Hat, Roberts and Hall argue that Jamf is still likely to be a net positive for security in most networks where it is used, as it allows administrators to standardize system software and configuration and keep them patched and up to date. Instead, they hope to push security technology vendors, such as makers of endpoint detection systems, to monitor for the kind of remote management tool abuse they demonstrate.
For many types of remote management tool abuse, however, such automated detection is not possible, says Williams of BreachQuest. The tool’s expected behavior – reaching many devices on the network, changing configurations, installing programs – is simply too difficult to distinguish from malicious activity. Instead, Williams argues that internal security teams must learn to monitor for tool abuse and be prepared to shut the tools down, as many did when news of the Kaseya vulnerabilities began to spread last week. But he acknowledges that this is a difficult solution, given that users of remote management tools often cannot afford such in-house teams. “Apart from being on the spot, ready to react and limit the blast radius, I don’t think there’s a lot of good advice,” Williams says. “It’s a pretty dark scenario.”
But network administrators would at least do well to realize how powerful their remote management tools can be in the wrong hands – a fact that those who abuse them now know better than ever.