Hackers Take Advantage of RMM Tools to Distribute Malware


Surge in Attacks on RMM Tools in 2025: 51 Solutions Identified as Targets


Remote Monitoring and Management (RMM) tools, originally adopted for widespread remote work during the COVID pandemic, are increasingly becoming instruments for cybercriminals. Once attackers gain unauthorized remote access through platforms like SuperOps and TeamViewer, they can disable critical systems, erase backups, and deploy ransomware across numerous endpoints.


These tools, utilized by IT professionals and managed service providers, are designed to centrally monitor and manage clients’ IT systems. Attackers can exploit them using authenticated credentials to circumvent security alerts, much like using a personal RFID access card to gain entry into secured locations.

Motivation Behind Targeting RMM Tools

RMM tools are particularly appealing targets for a number of reasons. Because they are part of established administrative workflows, their traffic is usually treated as legitimate, so it slips past anomaly detection and leaves blind spots in network monitoring. Moreover, RMM platforms usually run with elevated permissions, giving adversaries a ready path to escalate privileges, move laterally within networks, and deliver malicious payloads.

Compromising a managed service provider's (MSP) RMM infrastructure allows adversaries to pivot into multiple client environments, significantly increasing the impact of a single intrusion. Attackers frequently use valid credentials or repurpose legitimate RMM tools, blending their malicious activity with routine administrative operations and complicating detection.

Evidence of Exploitation Patterns

The Acronis Cyberthreats Report for H1 2025 highlights RMM attacks as a major threat vector, with over 51 distinct RMM solutions identified as potential targets. Certain tools, including Splashtop, ConnectWise, ScreenConnect, and Atera, have drawn particular scrutiny because of their exploitation in real-world attacks.

Cybercriminals employ various methods to gain access to RMM capabilities, including exploiting vulnerabilities in RMM software, compromising user credentials through tactics like phishing or brute-force attacks, tricking employees into installing malicious software, and leveraging the tools’ inherent features for deploying malicious payloads while evading detection.

Case Study: Hunters International Hack

In a notable incident in 2024, a UK-based manufacturing firm fell victim to the Hunters International cybercriminal group. By utilizing trusted RMM tools like ScreenConnect, the attackers maintained covert access to the company’s network for over a month. They employed a combination of phishing tactics and legitimate software manipulation to bypass traditional security defenses, ultimately leading to a ransomware deployment that caused extensive disruption.

Sunil Varkey, a seasoned Chief Information Security Officer, emphasized the effectiveness of such attacks, noting that RMM tools, seen as trusted services, are often overlooked in terms of security scrutiny. He advises organizations to implement stringent access controls and regularly audit RMM deployments to mitigate unauthorized access risks.

Gerald Beuchelt, Chief Information Security Officer at Acronis, echoed these sentiments, urging security leaders to focus budgetary resources on reinforcing existing security tools rather than chasing new technologies. He recommended a comprehensive audit of RMM deployments and layering security controls tailored to the unique challenges posed by remote management tools.

Conclusion: Strategies for Risk Mitigation

To counter these evolving threats, organizations must prioritize security education for employees, enforce strict access controls, and maintain robust system defenses, including regular updates and endpoint monitoring. Additionally, integrating RMM considerations into incident response plans and favoring behavioral analysis over traditional signature-based detection will improve an organization's readiness against potential incursions.
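As an added example (not part of the article and not Acronis code), the following Python script applies the audit and behavior-based checks recommended above to constructed endpoint process-creation events: it flags RMM agents that are not in a hypothetical approved inventory, RMM binaries executed from user-writable paths, and hosts running more than one RMM family. The approved set, the image-name patterns and the sample events are all assumptions.

```python
import re
from collections import defaultdict

# Hypothetical approved RMM inventory: only Atera is sanctioned in this constructed environment.
APPROVED_RMM = {"atera"}

# Image-name patterns for RMM families named in the article (illustrative, not exhaustive).
RMM_PATTERNS = {
    "atera": re.compile(r"ateraagent", re.I),
    "screenconnect": re.compile(r"screenconnect", re.I),
    "teamviewer": re.compile(r"teamviewer", re.I),
    "splashtop": re.compile(r"splashtop", re.I),
    "superops": re.compile(r"superops", re.I),
}
# User-writable locations where a sanctioned agent would not normally live.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.I)

# Constructed sample events: host|user|parent process|image path|command line
SAMPLE_EVENTS = r"""
ws-fin-07|CORP\alice|explorer.exe|C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe|AteraAgent.exe
ws-fin-07|CORP\alice|outlook.exe|C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientSetup.exe|ScreenConnect.ClientSetup.exe /silent
srv-file-01|NT AUTHORITY\SYSTEM|services.exe|C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe|AteraAgent.exe
srv-file-01|CORP\svc-backup|cmd.exe|C:\Users\svc-backup\AppData\Roaming\TeamViewer\TeamViewer.exe|TeamViewer.exe
ws-hr-02|CORP\bob|chrome.exe|C:\Users\bob\Downloads\SplashtopStreamer.exe|SplashtopStreamer.exe
"""

def classify(image_path):
    """Return the RMM family an image belongs to, or None if it is not a known RMM binary."""
    name = image_path.rsplit("\\", 1)[-1]
    for family, pattern in RMM_PATTERNS.items():
        if pattern.search(name):
            return family
    return None

def audit_events(text):
    """Return a list of (host, family, reason) findings for unapproved RMM tools,
    RMM binaries in user-writable paths, and hosts running more than one RMM family."""
    findings, families_per_host = [], defaultdict(set)
    for line in text.strip().splitlines():
        host, _user, _parent, image, _cmdline = line.split("|", 4)
        family = classify(image)
        if family is None:
            continue
        families_per_host[host].add(family)
        if family not in APPROVED_RMM:
            findings.append((host, family, "unapproved RMM tool"))
        if USER_WRITABLE.search(image):
            findings.append((host, family, "RMM binary in user-writable path"))
    for host, fams in families_per_host.items():
        if len(fams) > 1:
            findings.append((host, ",".join(sorted(fams)), "multiple RMM families on one host"))
    return findings
```

Fed real process-creation telemetry (for example Sysmon event ID 1 or EDR process events), the same checks give a running inventory of every RMM agent in the estate rather than a one-off audit.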
