Atera RMM Critical Risk
For the majority of Managed Service Providers out there, there is very little risk from this Atera RMM abuse. The big three RMM solutions (ConnectWise, Datto, and Kaseya) are not at risk from this vulnerability. Having said that, it is always helpful to know more about what hackers are up to, so read on.
Check Point said that the campaign, first seen in early November 2021, uses legitimate remote management software to access the target machine. From there, the attackers exploit Microsoft’s digital signature verification method to inject their malicious payload into a signed Windows DLL file to bypass security defenses.
Specifically, the campaign begins by installing the Atera remote monitoring and management software on a target machine. A legitimate remote tool used by IT professionals, Atera’s product offers a free 30-day trial for new users, an option the attackers are likely using to gain initial access. Once the product is installed, the operators have full control of the system to run scripts and upload or download files.
What Should I Do?
To help you protect yourself and your organization against this particular exploit, Check Point advises you to apply Microsoft’s update for strict Authenticode verification.
For MSPs using Datto RMM, Datto offers a monitor to check for the presence of this agent. The component (Atera Agent Monitor/Uninstaller [WIN]) is available in the ComStore and can be deployed immediately.
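For MSPs not on Datto RMM, the two checks above (is the Atera agent present, and is Microsoft's strict Authenticode verification switched on) can be scripted for any RMM that runs PowerShell on endpoints. The script below is an added example, not code from the original post, from Check Point, or from Datto's ComStore component. It assumes that the Atera agent registers a Windows service named `AteraAgent` and lists itself under the usual Uninstall registry keys with "Atera" in its display name, and it checks the `EnableCertPaddingCheck` value that Microsoft's strict Authenticode update reads (the key paths and the REG_SZ value of "1" are from Microsoft's documentation of that update, not from this page). Run it from an elevated prompt.

```powershell
# Added example (not from the original post). Defender-side checks for the
# two recommendations above, meant to run as an RMM script on each endpoint.
# Assumptions (not stated on the page): the Atera agent's service is named
# "AteraAgent", and its uninstall entry contains "Atera" in DisplayName.

function Test-AteraAgentPresent {
    # Service check (service name assumed).
    $svc = Get-Service -Name 'AteraAgent' -ErrorAction SilentlyContinue

    # Installed-program check via the Uninstall keys (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Atera*' }

    return [bool]($svc -or $apps)
}

function Test-StrictAuthenticodeEnabled {
    # Microsoft's opt-in for strict Authenticode verification is the
    # EnableCertPaddingCheck value (REG_SZ "1") under the Wintrust\Config key.
    # On 64-bit Windows the WOW6432Node copy must be set as well so that
    # 32-bit processes get the same behaviour.
    $paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    }

    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name 'EnableCertPaddingCheck' -ErrorAction SilentlyContinue
        # Missing key, missing value, or any value other than "1" means the
        # strict check is not enforced for this view of the registry.
        if (-not $item -or "$($item.EnableCertPaddingCheck)" -ne '1') { return $false }
    }
    return $true
}

# One row per endpoint; an RMM can collect this output and alert on
# AteraAgentPresent -eq $true (where Atera is not an approved tool) or
# StrictAuthenticodeOn -eq $false.
[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    AteraAgentPresent    = Test-AteraAgentPresent
    StrictAuthenticodeOn = Test-StrictAuthenticodeEnabled
} | Format-List
```

The script only reports; it does not uninstall anything, because an MSP that legitimately uses Atera would not want an automatic removal. Treat `AteraAgentPresent = True` as an alert to investigate where Atera is not an approved tool, and treat `StrictAuthenticodeOn = False` as a configuration gap to close by setting the value on both registry views.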