Across the internet, more than a thousand companies spent the past week digging out from a mass ransomware incident. In the wake of the devastating compromise of Kaseya's popular IT management tool, researchers and security professionals are warning that the debacle isn't a one-off event, but part of a troubling trend. Hackers are increasingly scrutinizing the entire class of tools that administrators use to remotely manage IT systems, seeing in them potential skeleton keys that can give them the run of a victim's network.
From a Chinese state-sponsored supply chain compromise to an unsophisticated attack on a Florida water treatment plant—and many less visible events in between—the security industry has seen a growing drumbeat of breaches that took advantage of so-called remote management tools. And at the Black Hat security conference next month, a pair of British researchers plans to present techniques they've developed as penetration testers for security firm F-Secure, which allowed them to hijack yet another popular tool of the same kind—this one focused on Macs rather than Windows machines—known as Jamf.
Like Kaseya, Jamf is used by enterprise administrators to set up and control hundreds or thousands of machines across IT networks. Luke Roberts and Calum Hall plan to show off tricks—which, for now, remain technical demonstrations rather than ones they've seen used by real malicious hackers—that would allow them to commandeer the remote management tool to spy on target machines, pull files off of them, spread their control from one machine to others, and ultimately install malware, as ransomware gangs do when they drop their crippling payloads.
Those techniques, the two researchers argue, represent a prime example of a larger problem: The same tools that let administrators easily manage large networks can also give hackers similar superpowers. "The piece of your infrastructure that manages the rest of your infrastructure is the crown jewels. It's the most pivotal. If an attacker has that, it's game over," says Luke Roberts, who recently left F-Secure to join the security team of the financial services company G-Research. "The reason that ransomware actors are going after things like Kaseya is because they offer complete access. They are like the gods of the environments. If they have something over one of these platforms, they get whatever they want to get."
The remote-management hijacking techniques Roberts and Hall plan to show at Black Hat require hackers to get their own initial foothold on a target computer. But once in place, attackers can use them to vastly expand their control over that device and move to others on the network. In one case, the researchers demonstrated that if they simply alter one line in a configuration file on a PC that runs Jamf, they can cause it to connect to their own malicious Jamf server rather than the target organization's legitimate one. Making that change, they point out, can be as simple as impersonating IT staff and tricking an employee into changing that line or opening a maliciously crafted Jamf configuration file sent in a phishing email. By using Jamf as their own command-and-control channel to a target machine, they can fully surveil the computer, extract data from it, run commands, or install software. Because their method doesn't require the installation of malware, it can also be far stealthier than the average remote-access Trojan.
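The config-file redirection described above is also what makes this class of hijack detectable: an endpoint's management client should only ever point at the organization's own server, and a check that compares the configured server host against an allowlist will flag a swapped line. The script below is an added example written for this page; it is not code from the article or from the F-Secure researchers. It assumes the Jamf client's server URL lives in `/Library/Preferences/com.jamfsoftware.jamf.plist` under the `jss_url` key (the location Jamf documents for its client preferences; confirm against your own deployment). The plist contents are constructed inline so the script runs offline, and the lookalike host uses the reserved `.invalid` TLD as a placeholder.

```python
import plistlib
from urllib.parse import urlparse

# Assumed location of the Jamf client preference file and the key holding the
# management server URL. Verify both against your deployment before relying
# on this check in production.
JAMF_PLIST_PATH = "/Library/Preferences/com.jamfsoftware.jamf.plist"
JAMF_URL_KEY = "jss_url"


def check_jamf_server(plist_bytes: bytes, allowed_hosts: set, key: str = JAMF_URL_KEY) -> dict:
    """Decide whether the configured Jamf server is one the organization operates.

    Returns {"ok": bool, "host": str | None, "reason": str}.
    Matching is on the exact host, not a prefix or suffix, so that a lookalike
    such as "jamf.example.com.<something>" cannot pass as "jamf.example.com".
    """
    try:
        prefs = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed or non-plist file on disk
        return {"ok": False, "host": None, "reason": f"unreadable plist: {exc}"}

    url = prefs.get(key) if isinstance(prefs, dict) else None
    if not isinstance(url, str) or not url.strip():
        return {"ok": False, "host": None, "reason": f"{key} missing or empty"}

    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()  # hostname drops the port and lowercases
    if parsed.scheme.lower() != "https":
        return {"ok": False, "host": host or None, "reason": f"non-https scheme {parsed.scheme!r}"}
    if not host:
        return {"ok": False, "host": None, "reason": "no host in URL"}

    if host not in {h.lower() for h in allowed_hosts}:
        return {"ok": False, "host": host, "reason": "server host not in allowlist"}
    return {"ok": True, "host": host, "reason": "configured server matches allowlist"}


def check_jamf_plist_file(path: str, allowed_hosts: set) -> dict:
    """Read the on-disk preference file and run the same check (for use on a real Mac)."""
    with open(path, "rb") as fh:
        return check_jamf_server(fh.read(), allowed_hosts)


# Constructed sample inputs (not taken from any real deployment).
ALLOWED_HOSTS = {"jamf.example.com"}
EXPECTED_PLIST = plistlib.dumps({"jss_url": "https://jamf.example.com:8443/"})
TAMPERED_PLIST = plistlib.dumps({"jss_url": "https://jamf.example.com.mdm-lookalike.invalid:8443/"})
HTTP_PLIST = plistlib.dumps({"jss_url": "http://jamf.example.com:8443/"})
EMPTY_PLIST = plistlib.dumps({})
GARBAGE_PLIST = b"this is not a property list"


if __name__ == "__main__":
    for label, data in [("expected", EXPECTED_PLIST), ("tampered", TAMPERED_PLIST),
                        ("http", HTTP_PLIST), ("empty", EMPTY_PLIST), ("garbage", GARBAGE_PLIST)]:
        print(f"{label:>9}: {check_jamf_server(data, ALLOWED_HOSTS)}")
```

Run periodically from an endpoint-monitoring agent (or as a Jamf extension attribute reported back to the legitimate server) and alert on any `ok: False` result. The check is intentionally narrow: it flags a changed server line, a downgrade to plain HTTP, and an unreadable or emptied file, all of which are states a correctly enrolled client should never be in.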
With a second technique, the two researchers found they could exploit Jamf by posing as a PC running the software instead of a server. In that intrusion method, they impersonate a target organization's computer running Jamf, then trick the organization's Jamf server into sending that computer a collection of user credentials. Those credentials then allow access across the organization's other machines. Typically those credentials are held in a PC's memory, where a Mac's "system integrity protection" safeguard usually prevents hackers from accessing them. But because the hacker is running the Jamf client on their own computer, they can disable SIP, extract the stolen credentials, and use them to hop to other computers on the target organization's network.