Ransomware operations are using the legitimate Kickidler employee monitoring software for reconnaissance, tracking their victims' activity, and harvesting credentials after breaching their networks.

In attacks observed by cybersecurity companies Varonis and Synacktiv, Qilin and Hunters International ransomware affiliates installed Kickidler, an employee monitoring tool that can capture keystrokes, take screenshots, and record videos of the screen. While these attacks targeted enterprise administrators, whose accounts would typically give the threat actors privileged credentials after compromise, Varonis believes the attackers may have maintained access to the victims' systems for days or even weeks to collect the credentials needed to reach off-site cloud backups without being detected.

In both cases, after resuming malicious activity on the breached networks, the ransomware operators deployed payloads targeting the victims' VMware ESXi infrastructure, encrypting VMDK virtual hard disk files and causing widespread disruption. According to Synacktiv, the deployment script used by Hunters International leveraged VMware PowerCLI and WinSCP Automation to enable the SSH service, deploy the ransomware, and execute it on the ESXi servers. The attacks started with the threat actors taking out Google Ads that were displayed when people searched for RVTools, a free Windows utility for managing VMware vSphere deployments.

While employee monitoring software isn't the go-to tool for ransomware gangs, they have abused legitimate remote monitoring and management (RMM) software for years. As CISA, the NSA, and MS-ISAC warned in a January 2023 joint advisory, attackers in many ransomware operations trick victims into installing portable remote desktop tools to bypass software controls and take over their systems without needing admin privileges. More recently, attackers have been seen targeting vulnerable SimpleHelp RMM clients to create administrator accounts, install backdoors, and potentially set the stage for Akira ransomware attacks.

To defend against such breaches, network defenders are advised to audit installed remote access tools and identify which RMM software is authorized. It is also recommended to use application controls to prevent the execution of unauthorized RMM software and to enforce the use of only authorized remote desktop tools, along with approved remote access solutions such as VPN or VDI.
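The audit recommended above can be scripted against a software-inventory export. The following is an added example, not code from the article, the vendors, or the advisory it cites: it flags remote-access or monitoring products that are not on an approved list, and separately flags any such product installed under a user profile, since a portable copy there needs no admin rights and sidesteps install-time controls. The product names, the approved list, and the inventory records are assumptions constructed for the example.

```python
"""Flag remote-access / monitoring tools that are not approved or that live in a user profile."""
import re

# Known remote-access / employee-monitoring product names (illustrative, not exhaustive).
RMM_TOOLS = {"kickidler", "simplehelp", "anydesk", "teamviewer", "screenconnect"}
# Tools this organisation has actually authorised (assumption for the example).
APPROVED = {"screenconnect"}
# Paths under C:\Users\<name>\ are writable without admin rights, so a portable
# RMM install placed there bypasses controls that only watch admin-level installs.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)

# Constructed sample inventory: (host, installed program, install path)
INVENTORY = [
    ("srv-backup01", "ScreenConnect Client", r"C:\Program Files (x86)\ScreenConnect"),
    ("wks-admin07", "Kickidler Agent", r"C:\Users\jdoe\AppData\Local\Kickidler"),
    ("wks-admin07", "7-Zip", r"C:\Program Files\7-Zip"),
    ("srv-esx-mgmt", "SimpleHelp Remote Access", r"C:\Users\svc_vmware\Downloads\SimpleHelp"),
]


def classify(program, install_path):
    """Return (tool, [reasons]) if the entry is an RMM tool needing review, else None."""
    name = program.lower()
    tool = next((t for t in RMM_TOOLS if t in name), None)
    if tool is None:
        return None  # not a remote-access product we know about
    reasons = []
    if tool not in APPROVED:
        reasons.append("not-approved")
    if USER_WRITABLE.match(install_path):
        reasons.append("user-profile-install")
    return (tool, reasons) if reasons else None


def audit(inventory):
    """Return findings as a sorted list of (host, tool, reasons, path)."""
    findings = []
    for host, program, path in inventory:
        hit = classify(program, path)
        if hit:
            findings.append((host, hit[0], hit[1], path))
    return sorted(findings)


if __name__ == "__main__":
    for host, tool, reasons, path in audit(INVENTORY):
        print(f"{host}: {tool} [{', '.join(reasons)}] at {path}")
```

Feed it the real inventory from your endpoint management or EDR platform; an approved tool found in a user profile deserves the same follow-up as an unapproved one.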
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 08 May 2025 16:05:19 +0000