What happened
Cybersecurity researchers report a significant increase in threat actors abusing legitimate Remote Monitoring and Management (RMM) software instead of deploying traditional malware. Last year, malicious use of RMM tools rose by 277% year-over-year, with attackers leveraging these enterprise-trusted platforms to blend in with normal network activity and evade detection.
Who is affected
Organizations across all sectors saw increased RMM abuse, with the healthcare and technology industries experiencing particularly notable upticks. Commonly abused RMM products include ConnectWise ScreenConnect, AnyDesk, Atera, NetSupport, PDQ Connect, and SplashTop.
Why CISOs should care
This trend signals a shift in adversary tactics: instead of relying on standalone malware, attackers are weaponizing tools already present in enterprise environments. Because RMM software is widely trusted and frequently used for legitimate IT administration, malicious activity can be difficult to distinguish from normal operations, increasing dwell time and the potential for credential theft, lateral movement, and broader compromise.
3 practical actions
- Inventory and restrict RMM tools: Continuously audit all RMM deployments and ensure only authorized, secure versions are permitted to run with strict access controls.
- Strengthen monitoring and alerting: Implement robust telemetry and alerting for anomalous RMM usage patterns, including unusual login sources, elevated privileges, or off-hours activity.
- Harden access controls: Enforce multifactor authentication (MFA), least-privilege access, and network segmentation around RMM systems to limit opportunities for misuse.
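The inventory and monitoring actions above, as an added example that is not part of the original brief: a small detection pass over constructed endpoint telemetry that flags RMM binaries outside an authorized allowlist, sessions outside business hours, and sessions from source networks where IT staff are not expected. The process-name mapping, allowlists and sample events are all assumptions.

```python
# Added example, not the brief's own code: flag RMM telemetry that falls
# outside an authorized inventory, business hours, or trusted source networks.
# Tool-to-process mapping, allowlists and sample events are all assumptions.
import ntpath
from datetime import datetime
from ipaddress import ip_address, ip_network

AUTHORIZED_RMM = {"screenconnect"}               # the one approved product (assumed)
TRUSTED_SOURCES = [ip_network("10.20.0.0/16")]   # IT admin network (assumed)
BUSINESS_HOURS = range(8, 18)                    # 08:00-17:59 local time

# Illustrative process-name signatures for some products the brief lists;
# not an authoritative detection list.
RMM_SIGNATURES = {
    "screenconnect.clientservice.exe": "screenconnect",
    "anydesk.exe": "anydesk",
    "ateraagent.exe": "atera",
    "client32.exe": "netsupport",
}

def analyze(events):
    """Return (host, tool, reason) findings for anomalous RMM activity."""
    findings = []
    for ev in events:
        # Normalize a full image path down to the executable name.
        tool = RMM_SIGNATURES.get(ntpath.basename(ev["process"]).lower())
        if tool is None:
            continue  # not an RMM binary this pass tracks
        host = ev["host"]
        hour = datetime.fromisoformat(ev["time"]).hour
        src = ip_address(ev["src_ip"])
        if tool not in AUTHORIZED_RMM:
            findings.append((host, tool, "unauthorized RMM tool"))
        if hour not in BUSINESS_HOURS:
            findings.append((host, tool, "off-hours session"))
        if not any(src in net for net in TRUSTED_SOURCES):
            findings.append((host, tool, "untrusted source network"))
    return findings

# Constructed sample telemetry: one benign admin session, one AnyDesk
# session at 02:40 from an external address, one NetSupport client start.
SAMPLE_EVENTS = [
    {"host": "ws-101", "process": "ScreenConnect.ClientService.exe",
     "src_ip": "10.20.5.7", "time": "2024-05-06T10:15:00"},
    {"host": "ws-102", "process": r"C:\Users\admin\Downloads\AnyDesk.exe",
     "src_ip": "203.0.113.44", "time": "2024-05-06T02:40:00"},
    {"host": "srv-db1", "process": "client32.exe",
     "src_ip": "10.20.9.3", "time": "2024-05-06T14:05:00"},
]
```

Feeding `SAMPLE_EVENTS` to `analyze` yields no findings for the approved ScreenConnect session, three for the AnyDesk session, and one for the unapproved NetSupport client.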
