In expert hands, Jamf can be used to spy, steal files and install malware.
More than a thousand companies and organizations around the world have spent the last week investigating incidents caused by an attack by ransomware operators REvil on MSP provider Kaseya. Experts warn that this may not be a one-off event, but part of an alarming trend. Hackers are increasingly studying the entire class of tools that administrators use to remotely manage IT systems, seeing them as potential “master keys” that can give access to the victim’s networks.
At next month’s Black Hat security conference, British researchers Luke Roberts and Calum Hall plan to present techniques to take control of the popular Jamf tool for macOS computers.
As with Kaseya, Jamf is used by enterprise administrators to configure and manage hundreds or thousands of computers on IT networks. In skilled hands, a remote control tool can be used to spy, steal files, gain access to other devices, and install malware.
The same tools that allow administrators to easily manage large networks can also give hackers similar “superpowers,” the researchers said. Roberts and Hall’s methods require a foothold on the target computer. If successful, attackers can significantly expand their control over the device and move to other systems on the network. In one case, the researchers simply changed one line in a configuration file on the PC running Jamf and forced it to connect to their malicious server rather than the organization’s legitimate server. Making this change, they point out, can be as simple as impersonating IT staff and tricking an employee into changing that line, or getting the employee to open a maliciously crafted Jamf configuration file sent in a phishing email.
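As an added defensive illustration (not from the article, the researchers, or Jamf), the audit below reads the Jamf client’s preferences file and flags a management-server URL that points anywhere but the organization’s own server, which is exactly the one-line change described above. The file path and the key name are assumptions based on common Jamf deployments rather than anything this article states, and the allowlisted host is a constructed example; verify both against your own fleet before relying on the check.

```python
import plistlib
from urllib.parse import urlsplit

# Assumed location and key of the Jamf client preferences on macOS (not from the article).
JAMF_PLIST_PATH = "/Library/Preferences/com.jamfsoftware.jamf.plist"
SERVER_URL_KEY = "jss_url"

# Constructed allowlist: the only management server this fleet should talk to.
EXPECTED_HOSTS = {"jamf.example.com"}


def audit_jamf_config(plist_bytes: bytes, expected_hosts=EXPECTED_HOSTS) -> list[str]:
    """Return a list of findings; an empty list means the client points at an
    allowlisted server over HTTPS. Accepts XML or binary plist content."""
    findings = []
    try:
        prefs = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed/binary-garbage file is itself suspicious
        return [f"unparseable plist: {exc}"]
    url = prefs.get(SERVER_URL_KEY)
    if not isinstance(url, str) or not url:
        return [f"missing {SERVER_URL_KEY}"]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append(f"non-HTTPS scheme: {parts.scheme or '(none)'}")
    # Exact host match: a look-alike such as jamf.example.com.attacker.test must fail.
    if host not in {h.lower() for h in expected_hosts}:
        findings.append(f"unexpected management server host: {host or '(none)'}")
    return findings


def audit_file(path: str = JAMF_PLIST_PATH) -> list[str]:
    """Audit the live preferences file on a managed Mac."""
    with open(path, "rb") as f:
        return audit_jamf_config(f.read())


def make_sample_plist(url: str) -> bytes:
    """Build a constructed preferences file for offline testing."""
    return plistlib.dumps({SERVER_URL_KEY: url})


if __name__ == "__main__":
    for sample in ("https://jamf.example.com:8443/",
                   "https://jamf.example.com.attacker.test/",
                   "http://jamf.example.com/"):
        print(sample, "->", audit_jamf_config(make_sample_plist(sample)) or "OK")
```

Run `audit_file()` from a periodic job or an endpoint-detection script so that a silently redirected client is reported rather than discovered after the fact.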
With the second method, the researchers were able to impersonate a computer running the Jamf software in its communication with the server. An attacker masquerades as one of the organization’s Jamf-managed computers and tricks the server into handing over the user’s credentials. Those credentials, in turn, provide access to other company devices.
While the researchers focused on Jamf, it is far from the only remote management tool that attackers could treat as an attack surface, says former NSA hacker Jake Williams. Apart from Kaseya, tools like ManageEngine, Intune, NetSarang, DameWare, TeamViewer, GoToMyPC, and others are equally attractive targets. They are ubiquitous, usually not limited in their privileges on the target PC, often exempt from anti-virus scanning and overlooked by system administrators, and can also install programs on a large number of devices.
In recent years, hackers have repeatedly used remote control tools, including Kaseya, TeamViewer, GoToMyPC, and DameWare, for targeted attacks. This is not because the tools themselves all have exploitable vulnerabilities, but because hackers used their legitimate functions after gaining access to the victim’s network.