Tag: Remote

  • Exploiting Legitimate Remote Access Tools in Ransomware Campaigns


    Introduction

    Ransomware is one of the most disruptive cyber threats, encrypting critical organizational data and demanding ransom payments for restoration. While early campaigns relied on mass phishing or opportunistic malware distribution, modern ransomware operations have evolved into highly sophisticated, targeted attacks. Today’s adversaries not only infect machines but also move laterally across networks, harvest credentials, neutralize defences, and maintain persistent control—all while remaining stealthy and evading detection.

    Disclaimer: The Remote Access Tools discussed in this blog are legitimate software products designed to support IT administration and remote support. This article highlights how adversaries may misuse them in ransomware campaigns if they are misconfigured, poorly managed, or left unmonitored. It does not suggest that the tools themselves are inherently vulnerable or malicious.

    A key enabler of these attacks is the exploitation of legitimate Remote Access Tools (RATs) such as AnyDesk, UltraViewer, AppAnywhere, RustDesk, CloneDesk, Splashtop, and TightVNC. Originally designed for IT administration and remote support, many of these tools offer free or freely available versions, which attackers often abuse because they are easy to deploy, widely trusted, and frequently whitelisted in enterprise environments. These tools provide:

    • Unattended access: Connect without user interaction
    • File transfer: Move binaries or exfiltrate data
    • Interactive desktop control: Execute administrative tasks remotely
    • Encrypted communications: Evade network monitoring

    Organizations often whitelist Remote Access Tools and trust their digital signatures, which attackers exploit to bypass security controls and persist stealthily. Understanding how Remote Access Tools are abused is critical for building effective defences against modern ransomware threats.

    The Ransomware Kill Chain: A Step-by-Step Breakdown

    The ransomware kill-chain outlines each stage of an attack, from initial access to final impact. When attackers leverage legitimate Remote Access Tools, they gain stealth, persistence, and control, making detection and mitigation more challenging.

    Stage 1: Initial Access – Credential Compromise

    Attackers gain legitimate access using stolen or brute-forced credentials, bypassing defences while appearing as trusted users. Targeting administrator accounts provides maximum control and enables later stages like Remote Access Tool deployment and lateral movement.

    Common Attack Pathways:

    • Brute-force attacks against RDP/SMB endpoints
    • Credential reuse from leaks or past breaches
    • Targeting administrator accounts for maximum privileges

    Detection Indicators:

    • Windows Event IDs 4625 → 4624 (multiple failed logons immediately followed by a success)
    • RDP logon type 10 at unusual hours
    • Logins from unexpected geolocations
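    The two log-based indicators above, run over a handful of constructed Security events. This is an added example, not code from the original post; the failure threshold, the time window and the business-hours range are assumptions chosen for illustration.

```python
"""Detect the Stage 1 indicators: a burst of 4625 (failed logon) events followed by
a 4624 (successful logon) from the same source, and RDP logons (type 10) at
unusual hours. Added example; events, thresholds and hours are constructed/assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5            # assumed: this many failures before a success is suspicious
WINDOW = timedelta(minutes=10)  # assumed: failures must fall inside this sliding window
BUSINESS_HOURS = range(7, 20)   # assumed: 07:00-19:59 local time counts as "usual"

# Constructed sample events: (timestamp, event_id, account, source_ip, logon_type)
SAMPLE_EVENTS = [
    ("2025-03-01T02:10:01", 4625, "administrator", "203.0.113.7", 10),
    ("2025-03-01T02:10:03", 4625, "administrator", "203.0.113.7", 10),
    ("2025-03-01T02:10:05", 4625, "administrator", "203.0.113.7", 10),
    ("2025-03-01T02:10:08", 4625, "administrator", "203.0.113.7", 10),
    ("2025-03-01T02:10:11", 4625, "administrator", "203.0.113.7", 10),
    ("2025-03-01T02:10:14", 4624, "administrator", "203.0.113.7", 10),
    ("2025-03-01T09:15:00", 4624, "jdoe", "10.0.0.25", 2),
    ("2025-03-01T09:20:00", 4625, "jdoe", "10.0.0.25", 2),
    ("2025-03-01T09:20:30", 4624, "jdoe", "10.0.0.25", 2),
    ("2025-03-01T23:40:00", 4624, "svc_backup", "10.0.0.40", 10),
]


def parse(events):
    """Turn the raw tuples into dicts with a real datetime."""
    return [
        {"ts": datetime.fromisoformat(ts), "id": eid, "account": acct, "ip": ip, "logon_type": lt}
        for ts, eid, acct, ip, lt in events
    ]


def detect_bruteforce_success(events):
    """Flag (account, source_ip) pairs with >= FAILED_THRESHOLD failures inside WINDOW
    that are immediately followed by a successful logon from the same source."""
    recent_failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["account"].lower(), ev["ip"])
        if ev["id"] == 4625:
            recent_failures[key].append(ev["ts"])
            # keep only the failures that are still inside the sliding window
            recent_failures[key] = [t for t in recent_failures[key] if ev["ts"] - t <= WINDOW]
        elif ev["id"] == 4624:
            fails = recent_failures.pop(key, [])
            if len(fails) >= FAILED_THRESHOLD:
                alerts.append({"rule": "4625->4624", "account": key[0], "ip": key[1],
                               "failures": len(fails), "success_at": ev["ts"].isoformat()})
    return alerts


def detect_offhours_rdp(events):
    """Flag successful RemoteInteractive (RDP, logon type 10) logons outside BUSINESS_HOURS."""
    return [
        {"rule": "rdp-offhours", "account": ev["account"], "ip": ev["ip"], "at": ev["ts"].isoformat()}
        for ev in events
        if ev["id"] == 4624 and ev["logon_type"] == 10 and ev["ts"].hour not in BUSINESS_HOURS
    ]


def run(raw_events=SAMPLE_EVENTS):
    """Apply both rules and return the combined alert list."""
    events = parse(raw_events)
    return detect_bruteforce_success(events) + detect_offhours_rdp(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```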

    Stage 2: Remote Tool Abuse – Hijacking vs. Silent Installation

    After gaining access, attackers focus on Remote Access Tool deployment for stealthy persistence. They can either hijack an existing Remote Access Tool to avoid detection or perform a silent installation using signed installers with minimal footprint. Silent installation often leverages known command-line flags, vendor documentation, or reverse-engineering to find deployment parameters.

    Method 1: Hijacking Existing Remote Access Tools

    • Enumerate installed Remote Access Tools via WMI, registry, or PowerShell.
    • Add attacker credentials or modify access configurations.
    • Avoids creating new files or processes, reducing detection risk.

    Method 2: Silent Installation of Remote Access Tools

    • Deploy lightweight, signed installers without user interaction.
    • Silent Install Flags: /S, /VERYSILENT, /quiet, /NORESTART.

    Remote Tool | Command | Purpose / Effect
    AnyDesk | anydesk.exe --install "C:\ProgramData\AnyDesk" --silent --start-with-win | Persistent remote access service
    UltraViewer | UltraViewer_Setup.exe /VERYSILENT /NORESTART | Install quietly with no reboot
    AppAnywhere | msiexec /i AppAnywhere.msi /quiet /norestart | Enterprise-style silent deployment
    RustDesk | rustdesk.exe --service install --password "Str0ngPass123" | Enables unattended remote access
    CloneDesk | CloneDesk_Setup.exe /S /D=C:\ProgramData\CloneDesk | Minimal footprint installation
    Splashtop | Splashtop_Streamer.exe /s /i silent=1 precheck=0 confirm=0 | Quiet, enterprise deployment
    TightVNC | tightvnc-setup.exe /S /NORESTART | CLI-driven hidden installation


    Stage 3: Persistence & Privilege Consolidation

    Attackers leverage registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), hidden scheduled tasks, and configuration file modifications to maintain persistence. Privilege escalation is achieved using tools like PowerRun or TrustedInstaller, allowing Remote Access Tools to run with SYSTEM privileges and bypass user-level restrictions.

    Mechanisms:

    • Registry Run Keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Scheduled Tasks: Hidden tasks to auto-restart Remote Access Tools
    • Configuration Files: Modify config.toml (RustDesk) for unattended access
    • Privilege Escalation: Launch Remote Access Tool as SYSTEM using PowerRun or TrustedInstaller
    • Monitoring: New registry keys, scheduled tasks, elevated Remote Access Tool processes

    Stage 4: Antivirus Neutralization & Anti-Forensics

    Using Remote Access Tools, attackers can interactively stop Antivirus services, manipulate group policies, and add Remote Access Tool directories to exclusion lists. Critical logs are cleared, and file shredding tools are used to remove forensic evidence, making post-incident investigation difficult.

    Techniques:

    • Stop Antivirus services: sc stop <service> or net stop <service>
    • Policy manipulation: Add Remote Access Tool directories to exclusions.
    • Log clearing: Adversaries often use the following command lines as part of Anti-Forensics to clear event logs:
      wevtutil cl Security
      wevtutil cl System
      wevtutil cl Application
    • File shredding: Remove forensic artifacts
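    A process-creation rule set that turns the Stage 2 silent-install table and the Stage 4 log-clearing and service-stop commands into detections. Added example, not code from the original post; the sample records are constructed in the shape of Security Event 4688 / Sysmon Event 1, and the rule patterns and security-service name hints are assumptions, not a complete list.

```python
"""Flag process command lines that match the silent-install switches and the
anti-forensics commands discussed in Stages 2 and 4. Added example; the sample
events, the rule set and AV_SERVICE_HINTS are constructed/assumed."""
import re

# Installer/binary names of the remote access tools listed in the Stage 2 table.
RAT_BINARIES = r"(anydesk|ultraviewer_setup|appanywhere|rustdesk|clonedesk_setup|splashtop_streamer|tightvnc-setup)"
# Unattended-install switches quoted in the post.
SILENT_FLAGS = r"(/S\b|/VERYSILENT|/quiet|/NORESTART|--silent|--start-with-win|--service\s+install|silent=1)"

RULES = [
    ("rat-silent-install", re.compile(RAT_BINARIES + r"(\.exe|\.msi)?\b.*" + SILENT_FLAGS, re.I)),
    ("rat-unattended-password", re.compile(r"rustdesk\.exe.*--password\s+\S+", re.I)),
    ("eventlog-cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(Security|System|Application)\b", re.I)),
    ("av-service-stop", re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+\S+", re.I)),
]

# Assumed substrings that identify security services in this environment.
AV_SERVICE_HINTS = ("av", "antivirus", "defend", "epp", "seqrite", "quickheal")

# Constructed sample events: (host, parent_process, command_line)
SAMPLE_EVENTS = [
    ("WS-0142", "powershell.exe", r'anydesk.exe --install "C:\ProgramData\AnyDesk" --silent --start-with-win'),
    ("WS-0142", "cmd.exe", "rustdesk.exe --service install --password Str0ngPass123"),
    ("SRV-FS01", "cmd.exe", "wevtutil cl Security"),
    ("SRV-FS01", "cmd.exe", "sc stop SeqriteAV"),          # constructed service name
    ("WS-0203", "explorer.exe", "msiexec /i AppAnywhere.msi /quiet /norestart"),
    ("WS-0203", "explorer.exe", "notepad.exe C:\\Users\\jdoe\\notes.txt"),
    ("SRV-DB01", "services.exe", "sc stop Spooler"),      # benign: not a security service
]


def classify(command_line):
    """Return the names of every rule that matches one command line, in RULES order."""
    hits = []
    for name, pattern in RULES:
        if not pattern.search(command_line):
            continue
        if name == "av-service-stop":
            # Only stopping a security service is interesting; Spooler and friends are noise.
            service = command_line.split()[-1].lower()
            if not any(hint in service for hint in AV_SERVICE_HINTS):
                continue
        hits.append(name)
    return hits


def scan(events=SAMPLE_EVENTS):
    """Return (host, command_line, matched_rules) for every event that trips a rule."""
    findings = []
    for host, _parent, cmd in events:
        rules = classify(cmd)
        if rules:
            findings.append((host, cmd, rules))
    return findings


if __name__ == "__main__":
    for host, cmd, rules in scan():
        print(f"{host}: {', '.join(rules)} <- {cmd}")
```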

    Stage 5: Payload Deployment & Execution

    Attackers stop Antivirus services, modify security policies, disable recovery mechanisms, clear event logs, and shred sensitive files to evade detection and hinder forensic investigations. They may also tamper with backup solutions, disable shadow copies, and use Living-off-the-Land Binaries (LOLBins) like rundll32 or PowerShell to blend malicious actions with legitimate processes. These actions ensure minimal visibility for defenders and create a safe environment for ransomware execution.

    Mechanism:

    • Ransomware is delivered through Remote Access Tool channels, often disguised as trusted updates or administrative actions, and executed within existing remote sessions to bypass user suspicion and security monitoring.

    Stage 6: Lateral Expansion

    Lateral movement is facilitated through credential reuse, Remote Access Tool propagation, or exploiting enterprise Remote Access Tool deployments.

    Mechanisms:

    • Credential reuse across endpoints
    • Enterprise Remote Access Tool exploitation for mass deployment

    Indicators:

    • Multiple endpoints reporting new Remote Access Tool connections
    • Unauthorized scheduled tasks or registry modifications across machines

    Stage 7: Impact – Encryption & Lockout

    Ransomware payload execution triggers data encryption, account lockouts, and Remote Access Tool credential changes to block administrative remediation. Campaigns such as LockBit and Black Basta variants demonstrate this final stage in live attacks.

    Outcome:

    • Encrypt files on target systems
    • Lock accounts or change Remote Access Tool credentials to prevent remediation

    Real-World Campaign Examples

    Below are commonly abused Remote Access Tools leveraged by adversaries in ransomware campaigns for persistence, deployment, and lateral movement.

    Remote Access Tool | Associated Ransomware Campaigns
    AnyDesk | TargetCompany, D3adCrypt, Makop, Mallox, Phobos, LockBit 2.0, LockBit 3.0, LockBit 2025 Renegade, Beast, Dharma, Proton / Shinra, MedusaLocker
    UltraViewer | Beast, CERBER, Dharma (.cezar Family), GlobeImposter 2.0, LockBit 3.0, Makop, Phobos, SpiderPrey, TargetCompany
    AppAnywhere | Makop, Ryuk, D3adCrypt, Dharma
    RustDesk | Mimic, LockXXX, Dyamond, D3adCrypt, Makop
    Splashtop | Makop, BlueSky, RansomHub, Proxima
    TightVNC | Cerber 4.0 / 5.0

    Threat Actor TTP Mapping (MITRE ATT&CK)

    Understanding the tactics, techniques, and procedures (TTPs) used by adversaries is crucial to defending against Remote Access Tool-driven ransomware campaigns. By mapping these activities to the MITRE ATT&CK framework, security teams can visualize how attackers gain access, deploy tools, maintain persistence, escalate privileges, and eventually deliver impactful payloads. The table below highlights the key stages of attack, the techniques leveraged, and the commonly abused remote access tools aligned to each step.

    Stage | Technique | MITRE ATT&CK Sub-Technique ID | Observations
    Initial Access | Brute Force | T1110.001 | Targeting RDP/SMB endpoints to gain initial access
    Tool Deployment | Ingress Tool Transfer | T1105 | Remote access utilities transferred for execution
    Execution | Remote Services | T1021.001 | Remote sessions used to execute payloads
    Persistence | Registry Run Keys | T1547.001 | Registry keys created/modified for tool persistence
    Privilege Escalation | Abuse Elevation Control Mechanism | T1548.002 | Elevation of privileges observed to run tools with SYSTEM rights
    Defense Evasion | Impair Defenses | T1562.001 | Security services disabled, logs cleared
    Lateral Movement | Remote Services | T1021.001 | Remote services abused to move across endpoints
    Impact | Data Encrypted for Impact | T1486 | Tools leveraged to deploy ransomware and encrypt data

    Emerging Trends & Future Threats

    As ransomware operators evolve, new tactics are emerging that expand beyond traditional on-premise exploitation. These trends highlight how attackers are combining automation, cloud abuse, and RaaS ecosystems to maximize the scale and stealth of their operations.

    • AI-driven Remote Access Tool deployment: Automated decision-making for payloads
    • Cloud Remote Access Tool abuse: Exploiting cloud-based remote access portals
    • RaaS integration: Remote Access Tools embedded in ransomware-as-a-service offerings for enterprise campaigns
    • Multi-stage attacks: Initial Remote Access Tool compromise followed by secondary payloads (data exfiltration, cryptojacking, lateral ransomware)

    How Quick Heal / Seqrite Protect Against These Activities

    Ransomware actors may try to weaponize trusted tools, but Quick Heal and Seqrite are built with multiple layers of defence to stop them in their tracks. By combining real-time monitoring, self-protection, and advanced behavioural detection, these solutions ensure that attackers can’t easily disable security or slip past unnoticed.

    • Virus Protection: Actively detects and neutralizes trojanized installers or hidden payloads before they can execute.
    • Antivirus Self Protection: Prevents attackers from forcefully terminating or uninstalling security services.
    • Behaviour-Based Detection: Monitors for abnormal activities linked to ransomware, such as mass file changes or suspicious process launches.
    • Ransomware Protection: Blocks unauthorized encryption attempts in real time, cutting off the attack before data is locked.
    • Application Control: Restricts the use of unauthorized remote tools, ensuring only trusted applications are allowed to run.

    Security Best Practices & Recommendations

    Defending against ransomware isn’t just about having the right tools — it’s also about using them wisely and building strong day-to-day habits. Here are some practical steps every organization can take to stay ahead of attackers:

    • Restrict Remote Access Tool Usage: Only keep the remote tools you really need and remove the rest. The fewer entry points, the safer your systems are.
    • Enforce Multi-Factor Authentication (MFA): Even if attackers steal a password, MFA makes it much harder for them to log in.
    • Limit Administrative Rights: Don’t hand out admin privileges unless absolutely necessary. Less privilege means less damage if an account is compromised.
    • Audit & Monitor Logs Continuously: Keep a close watch on your logs — unusual logins, silent installs, or strange setup commands can be early warning signs.
    • Regular Updates & Patching: Stay on top of updates for both your operating systems and security tools so attackers can’t exploit old flaws.
    • User Awareness Training: People are the first line of defence. Training staff to spot phishing emails or suspicious remote support activity can stop attacks before they even start.

    Conclusion

    Legitimate IT tools can easily become hidden attack vectors when mismanaged, and Remote Access Tool abuse is now a critical enabler of next-generation ransomware. To counter this risk, enterprises need a layered approach that combines governance, monitoring, and rapid response.

    Quick Heal and Seqrite play a central role in this defence strategy, providing strong Antivirus protection, behavioural detection, and Anti-Ransomware protection. When paired with strict governance and incident response, organizations can stay ahead of attackers.

    Key measures include:

    • Remote Access Tool governance and whitelisting
    • Multi-layered Antivirus protections powered by Quick Heal / Seqrite
    • Behavioural detection and outbound filtering
    • Rapid incident response for containment and recovery

    By adopting this multi-layered defence strategy, organizations can proactively detect, contain, and mitigate Remote Access Tool–based ransomware campaigns—turning trusted tools from potential threats into controlled, manageable assets.

    Author: Matin Tadvi

    Co-Author: Umar Khan




  • Try RBI – Remote Browser Isolation! (For Free!)


    TLDR: Want your team to browse the web safely without risking company devices or networks? Try free Remote Browser Isolation at browserling.com/browse. It runs right in your browser. No installs, no downloads.

    What’s Remote Browser Isolation (RBI)?

    Think of RBI as a “browser in the cloud”. Instead of running websites directly on your laptop or office PC, RBI loads them on a secure server somewhere else. You just see a clean, safe video stream of the website. Any risky code or malware stays far away from your company systems.

    Why Should Managers Care?

    One bad click from an employee can cost thousands in lost time, ransomware, or data leaks. RBI reduces that risk to almost zero. With RBI, your staff can open links, check supplier sites, or even handle suspicious web apps without bringing danger onto the corporate network.

    Will RBI Slow Down My Employees?

    Not really. Modern RBI is built to be fast. Websites load almost instantly, and employees barely notice they’re browsing through a secure remote session. For management, this means stronger security without hurting productivity.

    Will Employees Push Back Against It?

    Unlikely. Since RBI looks and feels like a normal browser, most employees won’t even notice the difference. For managers, that’s a win: stronger security without resistance or complaints about “new software”.

    Can RBI Help with Compliance and Regulations?

    Yes. Many industries (finance, healthcare, government) require strict data protection. RBI helps by keeping risky code and malware away from local systems. This reduces compliance headaches and shows auditors that you’re serious about security.

    How Does RBI Compare to Firewalls and Antivirus?

    Firewalls and antivirus tools are like locks on the door. RBI is like moving the door itself into a safe building across the street. Even if malware tries to sneak in, it never reaches your office network. Managers can think of RBI as another strong layer in the security stack.

    Is It Safe for Regular Users?

    Yes. Users don’t need to install anything complicated. RBI runs in the browser they already use. If a sketchy site tries to drop malware, it gets stuck in the isolated environment. Employees just see the site like normal, but nothing dangerous touches their device.

    Can RBI Help with Phishing Emails?

    Definitely. Your team can click on links from suspicious emails inside RBI. If the site is a phishing trap or hides malicious scripts, it can’t escape the isolated session. The real endpoint stays clean.

    What About IT and Security Teams?

    RBI is great for IT departments. Security teams can safely open suspicious URLs, test untrusted web apps, or check malware samples without spinning up a separate VM every time. It saves time and lowers the chance of accidents.

    Do We Need Special Hardware or Software?

    Nope. Just go to browserling.com/browse in your normal browser. It uses modern web tech (HTML5, JavaScript, WebSockets) to stream the remote session. No downloads, no installs, no admin rights needed.

    Can Employees Use Different Browsers?

    Yes. RBI services let you switch between Chrome, Firefox, Edge, Opera, and even older versions. This is useful for testing apps across multiple browsers without risking the actual machine.

    Is It Free?

    There’s a free version you can try right now with time limits. Paid plans are available for longer sessions, advanced controls, and enterprise features like policy enforcement and logging.

    Is RBI Expensive to Roll Out?

    Not at all. There are free trials and affordable enterprise plans. Because RBI runs from the employees’ existing browsers, there’s no big setup cost, no new servers, and almost no need for extra staff training. Managers can start small, then scale up if the company needs more seats or features.

    What Is Browserling?

    Browserling is a pioneer in online RBI technology. It lets individuals and companies run browsers safely in the cloud. Enterprises use it for:

    • Securing employee browsing
    • Testing apps and websites
    • Opening suspicious files and URLs
    • Protecting against phishing and malware

    Who Uses Browserling?

    Everyone from small businesses to Fortune 500 companies. IT managers, government agencies, financial firms, schools, and healthcare providers use Browserling’s RBI solution to keep employees safe online. RBI is especially popular in industries where compliance and data security really matter.

    Stay safe and happy browsing!




  • Important Information Before Applying For A Remote Employment


    Millions of articles extolling the advantages of remote work can be found online, but what about the less glamorous aspects of working from home? While remote employment has its benefits, there are a few things you may want to consider before submitting your application if this is your first time searching for and applying to a remote position.

    Being alone when working remotely

    Although working remotely from home may seem like an introvert’s dream, the days, weeks, and months can quickly start to feel lonely. Depending on the demands of your remote employer, you can go days without speaking to anyone, and when you do, it’s frequently over video chat or messaging software. Good remote employers will attempt to create a community among their staff by allowing employees to socialise online or in person whenever possible.

    It requires more effort to communicate

    In an office setting it’s simple to approach a coworker across the room or drop by their office to discuss a project. Communicating as a remote team takes more deliberate effort. It’s far simpler for ideas to get lost in translation when you can’t share them in person and teams can span multiple time zones. Platforms such as Slack make remote discussions more manageable. Setting your online status is as important as remembering to send a follow-up email or participate in a group chat when engaging efficiently with a remote team.

    The Work of Your Remote Employer May Cross Many Time Zones

    Working in a remote team requires becoming accustomed to communicating with individuals in other locations. Even though it’s simple to do this online, you still need to account for everyone’s time zone and national holidays. You may need to compromise on your work schedule or hold meetings at odd hours while working remotely with a large international team. If you prefer a set 9 to 5 and need constant access to all of your coworkers at RemoteHub, working remotely as part of a global team across time zones might not be for you. Using world clock apps is a simple way to keep track of several time zones.

    You might not receive payment in your home currency

    One benefit of a remote workforce is that employers get to choose from among people anywhere on the planet. If you’re one of those remote workers, you might have to get used to receiving your pay in a different currency. Every employer has a different pay structure: some online firms will deposit money directly into your bank account, while others may use a third-party payment system.

    A Quality Remote Setup Can Be Expensive

    You don’t fully appreciate how valuable office supplies like printers, stationery, ergonomic chairs, and standing desks are until you leave an office setting. Most small companies expect you to have access to the tools you need to do your job, while others will provide a budget to set up a remote home office. In addition to small items like pencils and paper, you will need a desk, an ergonomic chair, a computer, a second monitor, a printer, headphones, a camera, and a fast internet connection.




  • Apache Tomcat Remote Code Execution Vulnerability


    Apache Tomcat is a popular, open-source web server and servlet container maintained by the Apache Software Foundation. It provides a reliable and scalable environment for executing Java Servlets and serving web pages built using Java Server Pages (JSP). Frequently deployed in both development and production environments, Tomcat plays a crucial role in delivering dynamic Java-based web applications across various enterprise use cases.

    Recently, a critical security vulnerability identified as CVE-2025-24813 was discovered in Apache Tomcat. This vulnerability exploits a flaw in the handling of partial file uploads and session file persistence, potentially allowing attackers to achieve remote code execution (RCE) under certain conditions. The issue arises from how Tomcat’s default servlet manages write operations combined with deserialization logic for persisted session files.

    CVE-2025-24813

    Initially published in early March with a CVSS score of 5.5, the severity of CVE-2025-24813 was later reassessed and upgraded to 9.8 (High). Recognizing the potential impact of this flaw, the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalogue, underscoring the urgency for affected organizations to patch their systems.

    CVE-2025-24813 is a critical vulnerability in Apache Tomcat that can lead to remote code execution (RCE) when specific server configurations are in place. The issue arises from how Tomcat handles partial PUT requests in conjunction with file-based session persistence.

    This issue becomes exploitable when the default servlet is explicitly configured with the ‘readonly’ parameter set to false, a setting that enables write operations such as HTTP PUT. By default, Tomcat sets ‘readonly’ to true, which restricts write access and helps mitigate risk. This parameter is defined in the web.xml configuration file, typically located in the conf/ directory of the Tomcat installation.

    When partial PUT support is also enabled (enabled by default), an attacker can exploit this behaviour to upload a crafted serialized payload, targeting a session file. If Tomcat is configured to persist session data to disk, the uploaded file may later be automatically deserialized by the server, resulting in attacker-controlled code execution.

    The vulnerability affects the following versions of Apache Tomcat:

    • 11.0.0-M1 through 11.0.2
    • 10.1.0-M1 through 10.1.34
    • 9.0.0-M1 through 9.0.98

    Exploitation Prerequisites for CVE-2025-24813

    To exploit CVE-2025-24813, several server-side conditions must be in place. These prerequisites enable an attacker to craft a malicious PUT request that results in the deserialization of attacker-controlled data, potentially leading to remote code execution (RCE).

    The following conditions must be met:

    • The default servlet’s readonly attribute is set to false, permitting write access via HTTP PUT requests
    • Partial PUT functionality is enabled — i.e., Tomcat accepts the Content-Range header (enabled by default)
    • The application is configured to use Tomcat’s file-based session persistence mechanism

    Exploitation Flow

    The exploitation of CVE-2025-24813 involves a sequence of carefully crafted steps that take advantage of Tomcat’s handling of partial file uploads and session deserialization. The following outlines a typical attack chain under vulnerable conditions:

    Environment Setup: The target server must have the ‘readonly’ parameter set to false for the default servlet, partial PUT support enabled, and file-based session persistence configured.

    Payload Generation: The attacker generates a malicious serialized object — typically using a tool like ysoserial — embedding a command that will execute upon deserialization.

    Payload Upload: The crafted payload is uploaded to the server via an HTTP PUT request with a Content-Range header. This simulates a partial upload and results in the creation of a session file on disk.

    Triggering Deserialization: A follow-up request is made to the application with the JSESSIONID set to the uploaded session file’s name. This causes Tomcat to deserialize the file, assuming it to be a legitimate session object.

    Code Execution: If a suitable deserialization gadget exists on the classpath, the payload is executed, leading to remote code execution under the privileges of the Tomcat process.

    Mitigation

    The recommended and most effective mitigation for CVE-2025-24813 is to upgrade Apache Tomcat to a version where the vulnerability has been addressed. This flaw is fully patched in the following Tomcat releases:

    These versions include enhancements to the handling of temporary files created via partial PUT requests, ensuring such files are not mistakenly deserialized as session objects — thereby preventing remote code execution.

    For environments where immediate upgrades are not possible, the following temporary mitigations can help reduce risk:

    • Keep the default servlet’s readonly parameter set to true, which prevents write operations via PUT requests. This is the default and recommended setting.
    • Disable support for partial PUT requests, especially if not used by the application. This can be achieved at the connector level or via upstream web server rules (e.g., Nginx or Apache HTTPD).
    • Avoid using file-based session persistence, particularly when writable paths overlap with session storage locations.
    • Review and sanitize the server classpath to remove unnecessary libraries such as commons-collections, which may introduce exploitable deserialization gadgets.

    Seqrite Endpoint Protection

    All Seqrite customers are protected from this vulnerability by the following signature:

    • HTTP/CVE-2025-24813!VS.49414

    Authors:

    Vinay Kumar

    Vineet Sarote


