Remote Monitoring and Management (RMM) software has long been the silent partner of help-desk engineers, automating patch cycles and troubleshooting sessions across sprawling enterprises. Over the past year, however, the same remote consoles have been quietly repurposed by ransomware gangs that crave the built-in trust, elevated privileges, and encrypted tunnels these tools provide.

The pivot toward RMM-based intrusions accelerated in late 2024, when several campaigns replaced custom loaders with off-the-shelf agents such as AnyDesk, ScreenConnect, PDQ Deploy, and SimpleHelp. Attackers simply ride the installer's normal update channels or plant trojanized packages in phishing lures, then fan out laterally and stage data for double extortion within minutes of first execution. Because the agent validates only the vendor's hard-coded certificate chain, traditional SSL interception or sandboxing cannot break and inspect the payload without triggering a connection failure.

CATO Networks analysts noted the trend while reconstructing network forensics at three victim organizations: a U.K. manufacturer hit by Hunters International, a U.S. construction firm crippled by Medusa, and a non-profit breached by an unnamed affiliate. Packet captures in each case displayed a tell-tale spike of outbound TCP/7070 flows, the AnyDesk rendezvous port, followed by encrypted file transfers to cloud relays. In multiple incidents, the ransomware payload itself was triggered weeks after the initial beachhead, allowing exfiltration to proceed unnoticed behind routine administrative chatter.

In the observed launch sequence, the attacker invokes an existing binary, passes a pre-assigned session code, hides the window, and relinquishes control once the remote desktop channel is active. By masquerading as legitimate IT activity, criminal operators bypass endpoint detection solutions that remain tuned for classic malware beacons, not for sanctioned binaries signing in from the cloud.

The dual-use dilemma forces defenders to inspect context, such as first-time use on a host or unexpected off-hours sessions, rather than relying on signature-based rules. Until vendors expose granular telemetry, such as destination fingerprints and unexpected CLI flags, security teams must combine network anomaly detection with strict role-based access policies to spot the first unauthorized console launch before encryption threads begin to crawl.
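The context checks the article calls for (a burst of outbound TCP/7070 flows, an RMM image appearing on a host for the first time, and RMM launches outside business hours) can be scripted against flow and process telemetry. The script below is an added example, not code from the article or from CATO Networks. TCP/7070 as the AnyDesk rendezvous port comes from the article; the log layouts, host names, IP addresses (RFC 5737 documentation ranges), the image-name list, the business-hours window and the 5-flows-in-10-minutes threshold are constructed assumptions for illustration.

```python
"""Context-based triage of RMM activity over constructed flow and process records.

Added example, not the article's or CATO Networks' code. Log formats, hosts,
IPs, image names, business hours and thresholds are constructed assumptions;
TCP/7070 as the AnyDesk rendezvous port is taken from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: timestamp host dst_ip dst_port proto bytes_out
FLOW_LOG = """\
2025-07-22T02:11:04 ws-finance-07 203.0.113.10 7070 tcp 1240
2025-07-22T02:11:09 ws-finance-07 203.0.113.10 7070 tcp 980
2025-07-22T02:11:15 ws-finance-07 203.0.113.11 7070 tcp 1510
2025-07-22T02:12:31 ws-finance-07 203.0.113.12 7070 tcp 2200
2025-07-22T02:12:58 ws-finance-07 203.0.113.10 7070 tcp 1870
2025-07-22T02:13:40 ws-finance-07 203.0.113.13 7070 tcp 3105
2025-07-22T02:20:02 ws-finance-07 198.51.100.5 443 tcp 48210000
2025-07-22T10:05:00 helpdesk-01 203.0.113.10 7070 tcp 1200
2025-07-22T14:30:12 ws-hr-03 192.0.2.44 443 tcp 5120
"""

# Constructed process-launch records: timestamp host user image
PROCESS_LOG = """\
2025-07-22T02:10:51 ws-finance-07 jdoe AnyDesk.exe
2025-07-22T10:04:55 helpdesk-01 svc-helpdesk AnyDesk.exe
2025-07-22T14:29:59 ws-hr-03 asmith outlook.exe
"""

# Constructed baseline: (host, image) pairs already seen in earlier weeks.
KNOWN_RMM_USE = {("helpdesk-01", "anydesk.exe")}

RMM_PORT = 7070                      # AnyDesk rendezvous port (from the article)
RMM_IMAGES = {"anydesk.exe", "screenconnect.clientservice.exe"}  # assumed image names
BUSINESS_HOURS = (8, 18)             # assumed local business window, 08:00-18:00


def _parse(text, fields):
    """Split whitespace-delimited records into dicts with a parsed timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        row["ts"] = datetime.fromisoformat(row.pop("timestamp"))
        rows.append(row)
    return rows


def parse_flows(text):
    rows = _parse(text, ("timestamp", "host", "dst_ip", "dst_port", "proto", "bytes_out"))
    for r in rows:
        r["dst_port"] = int(r["dst_port"])
        r["bytes_out"] = int(r["bytes_out"])
    return rows


def parse_procs(text):
    return _parse(text, ("timestamp", "host", "user", "image"))


def detect_port_spike(flows, port=RMM_PORT, window=timedelta(minutes=10), threshold=5):
    """Hosts with >= threshold outbound TCP flows to `port` inside a sliding window.

    Returns one (host, window_start_iso, count) tuple per offending host.
    """
    by_host = defaultdict(list)
    for f in flows:
        if f["dst_port"] == port and f["proto"] == "tcp":
            by_host[f["host"]].append(f["ts"])
    hits = []
    for host, stamps in sorted(by_host.items()):
        stamps.sort()
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= window)
            if count >= threshold:
                hits.append((host, start.isoformat(), count))
                break
    return hits


def detect_first_time_rmm(procs, known):
    """RMM images launched on a host that has never run them before."""
    return [(p["host"], p["image"]) for p in procs
            if p["image"].lower() in RMM_IMAGES
            and (p["host"], p["image"].lower()) not in known]


def detect_off_hours(procs, hours=BUSINESS_HOURS):
    """RMM launches whose hour falls outside [start, end)."""
    start, end = hours
    return [(p["host"], p["ts"].isoformat()) for p in procs
            if p["image"].lower() in RMM_IMAGES and not (start <= p["ts"].hour < end)]


def triage(flows, procs, known):
    """Collect per-host context flags; a host carrying several deserves a look."""
    reasons = defaultdict(set)
    for host, _, _ in detect_port_spike(flows):
        reasons[host].add("tcp7070_flow_spike")
    for host, _ in detect_first_time_rmm(procs, known):
        reasons[host].add("first_rmm_use_on_host")
    for host, _ in detect_off_hours(procs):
        reasons[host].add("off_hours_rmm_launch")
    return {host: sorted(flags) for host, flags in reasons.items()}


if __name__ == "__main__":
    result = triage(parse_flows(FLOW_LOG), parse_procs(PROCESS_LOG), KNOWN_RMM_USE)
    for host, flags in result.items():
        print(f"{host}: {', '.join(flags)}")
```

On the constructed data, the help-desk host that has used AnyDesk before during business hours raises nothing, while the finance workstation trips all three flags at once: the same sanctioned binary, judged by context rather than by signature, as the article recommends.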
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 23 Jul 2025 12:00:10 +0000