Executive Summary
Between January and March 2026, cybercriminals abused legitimate remote access tools such as LogMeIn and ScreenConnect to gain unauthorized access to victim devices. These attacks, detailed in HP's Threat Insights Report, used phishing emails to trick users into installing the tools themselves, giving attackers remote control of the systems without triggering the alerts that custom malware would. Because the software is legitimately signed, widely trusted and often already present in IT environments, the attackers' activity blended in with normal IT operations, complicating detection and response.
This incident fits a growing trend in which attackers use legitimate remote monitoring and management (RMM) tools to establish persistent access and deploy malware. Defending against it means inventorying and monitoring software installations, restricting which users and hosts may run RMM software and where it may connect, enforcing least privilege, and updating detections to flag misuse of trusted applications rather than relying on malware signatures alone.
Why This Matters Now
The exploitation of legitimate remote access tools by cybercriminals is on the rise, posing significant risks to organizations. Immediate action is required to monitor and control the use of such tools to prevent unauthorized access and potential data breaches.
Attack Path Analysis
An adversary gains initial access through a remote access tool, either one a phished user was tricked into installing or one left exposed by misconfiguration or an unpatched flaw; escalates privileges by leveraging the tool's administrative capabilities; moves laterally by using the tool to reach other systems; establishes command and control over the tool's persistent outbound connection; exfiltrates data through the tool's file transfer features; and finally impacts the organization by deploying ransomware through the same channel.
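The attack path above starts with an RMM client appearing on a host where IT never deployed it, and the executive summary's call to "monitor software installations" is only actionable if that telemetry is actually triaged. The following is an added example (not code from the original page or from HP's report) that runs a simple policy over Sysmon-style process-creation events: it flags ScreenConnect or LogMeIn binaries on hosts not approved for them, launched by a user-facing parent such as Outlook, running outside the sanctioned install path, or running a service component in a user context. The event records are constructed, and the binary names, parent-process list, install prefixes and host allowlist are assumptions to be replaced from the organization's own inventory.

```python
"""Triage Sysmon-style process-creation events for remote access tool abuse.

Added example, not from the original page or HP's report. The event records
below are constructed; the RMM binary names, the parent-process heuristic, the
sanctioned install paths and the host allowlist are assumptions a practitioner
would replace with their own software inventory and change records.
"""
import json
from dataclasses import dataclass, field

# Executable names of the tools the page discusses (assumption: extend from your inventory).
RMM_IMAGES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "logmein.exe": "LogMeIn",
    "lmiguardiansvc.exe": "LogMeIn",
}
# Of those, the components that run as a Windows service and should therefore be SYSTEM.
SERVICE_IMAGES = {"screenconnect.clientservice.exe", "lmiguardiansvc.exe"}

# Parents that mean a user launched the tool (e.g. from a phishing attachment or download)
# rather than IT deployment tooling, which would start it via the service control manager.
USER_FACING_PARENTS = {"outlook.exe", "msedge.exe", "chrome.exe", "firefox.exe",
                       "explorer.exe", "7zfm.exe", "winrar.exe"}

# Where sanctioned installs land (assumption: the org deploys RMM to Program Files).
SANCTIONED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# (host, tool) pairs approved to run RMM software (assumption: from CMDB/change records).
APPROVED = {("ws-it-01", "ScreenConnect"), ("ws-it-02", "ScreenConnect")}


@dataclass
class Finding:
    host: str
    tool: str
    reasons: list = field(default_factory=list)


def image_name(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev):
    """Return a Finding if this process start is an RMM tool running outside policy, else None."""
    image = image_name(ev.get("Image", ""))
    tool = RMM_IMAGES.get(image)
    if tool is None:
        return None  # not an RMM binary; out of scope for this check

    host = ev.get("Computer", "").lower()
    parent = image_name(ev.get("ParentImage", ""))
    reasons = []
    if (host, tool) not in APPROVED:
        reasons.append(f"host not approved for {tool}")
    if parent in USER_FACING_PARENTS:
        reasons.append(f"launched by user-facing parent {parent}")
    if not ev.get("Image", "").lower().startswith(SANCTIONED_PREFIXES):
        reasons.append("binary outside sanctioned install path")
    if image in SERVICE_IMAGES and not ev.get("User", "").upper().endswith("SYSTEM"):
        reasons.append("service component running in a user context")
    return Finding(host, tool, reasons) if reasons else None


def triage_log(lines):
    """Run triage_event over JSON lines; blank lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            f = triage_event(json.loads(line))
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample: one sanctioned ScreenConnect service, one phished user's
# per-user ScreenConnect install spawned by Outlook, a LogMeIn agent on a host
# not approved for it, and an unrelated process.
SAMPLE_LOG = r"""
{"Computer": "WS-IT-01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Computer": "WS-FIN-07", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"Computer": "WS-IT-02", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Computer": "WS-FIN-07", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG.splitlines()):
        print(f"{f.host}: {f.tool} -> {'; '.join(f.reasons)}")
```

The point of scoring several weak signals rather than alerting on the binary name alone is that the same ScreenConnect service is legitimate on the help-desk workstation and malicious on the finance workstation; only the combination of host, parent, path and user context separates the two, which is exactly the dual-use problem the Red Canary source describes.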
Kill Chain Progression
Initial Compromise
Description
The adversary gains initial access through a remote access tool that is misconfigured, unpatched (see the CVEs below), or was installed by a user who followed a phishing lure.
Related CVEs

CVE-2026-1731 (CVSS 9.9)
An unauthenticated OS command injection vulnerability in BeyondTrust Remote Support and Privileged Remote Access allows remote code execution.
Affected Products:
BeyondTrust Remote Support – <= 25.3.1
BeyondTrust Privileged Remote Access – <= 24.3.4
Exploit Status: exploited in the wild

CVE-2025-27487 (CVSS 8.0)
A heap-based buffer overflow in Microsoft Remote Desktop Client allows remote code execution when connecting to a malicious RDP server.
Affected Products:
Microsoft Remote Desktop Client – all supported versions
Exploit Status: proof of concept

CVE-2023-31067 (CVSS 9.8)
Insecure file and folder permissions in TSplus Remote Access allow unauthorized users to gain full control over specific directories.
Affected Products:
TSplus Remote Access – <= 16.0.2.14
Exploit Status: no public exploit
MITRE ATT&CK® Techniques
Remote Access Tools (T1219)
Remote Desktop Software (T1219.002)
Remote Services (T1021)
Remote Desktop Protocol (T1021.001)
Valid Accounts (T1078)
Remote Service Session Hijacking (T1563)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.1.1
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical exposure to remote access tool abuse through legitimate RMM platforms, requiring enhanced east-west traffic monitoring and zero trust segmentation controls.
Health Care / Life Sciences
High risk from RMM exploitation targeting patient data systems, demanding HIPAA-compliant encrypted traffic monitoring and egress security policy enforcement.
Financial Services
Severe threat from dual-use RMM tools enabling lateral movement in banking networks, necessitating PCI-compliant anomaly detection and microsegmentation strategies.
Government Administration
Elevated vulnerability to state-sponsored RMM abuse campaigns requiring NIST 800-53 compliant threat detection and secure hybrid connectivity implementations.
Sources
- The dual-use dilemma: Rethinking detection for remote access tool abuse – https://redcanary.com/blog/security-operations/rmm-detection/
- Active Exploitation of BeyondTrust WebSocket RCE – https://hivepro.com/threat-advisory/cve-2026-1731-active-exploitation-of-beyondtrust-websocket-rce/
- BeyondTrust RCE flaw lets hackers run code without logging in – https://www.techradar.com/pro/security/beyondtrust-rce-flaw-lets-hackers-run-code-without-logging-in
- CVE-2025-27487: Remote Desktop Client RCE Vulnerability – https://www.sentinelone.com/vulnerability-database/cve-2025-27487/
- CVE-2023-31067 Impact, Exploitability, and Mitigation Steps – https://www.wiz.io/vulnerability-database/cve/cve-2023-31067
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the adversary's ability to exploit misconfigured remote access tools, thereby reducing the potential for lateral movement and data exfiltration.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The adversary's ability to exploit misconfigured remote access tools would likely be constrained, reducing the risk of unauthorized initial access.
Control: Zero Trust Segmentation
Mitigation: The adversary's ability to escalate privileges would likely be constrained, reducing the risk of unauthorized administrative access.
Control: East-West Traffic Security
Mitigation: The adversary's ability to move laterally within the network would likely be constrained, reducing the risk of widespread system compromise.
Control: Multicloud Visibility & Control
Mitigation: The adversary's ability to establish and maintain command and control channels would likely be constrained, reducing the risk of persistent unauthorized access.
Control: Egress Security & Policy Enforcement
Mitigation: The adversary's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data loss.
The adversary's ability to deploy ransomware would likely be constrained, reducing the risk of widespread operational disruption.
Impact at a Glance
Affected Business Functions
- Remote IT Support
- System Administration
- Network Management
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data and administrative credentials.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict remote access tool communications to authorized systems only.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic from remote access tools.
- Utilize Threat Detection & Anomaly Response to identify and respond to unusual remote access tool activities.
- Apply Inline IPS (Suricata) to detect and prevent exploitation attempts targeting remote access tools.
- Ensure Multicloud Visibility & Control to maintain oversight of remote access tool usage across cloud environments.
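The segmentation and egress items above amount to one rule: an RMM client may only talk to the instance the organization actually operates or subscribes to. An attacker-installed ScreenConnect client looks identical on the host but phones home to the attacker's own relay, so the destination is the differentiator. The following added example (not code from the original page or from any vendor product) evaluates constructed Sysmon-style network-connection records against a per-tool egress allowlist and then ranks the denied destinations, since one relay shared by several victim hosts is the campaign's command-and-control server. The approved domains, the relay ports 8040/8041 and the process names are assumptions to be replaced with the organization's own values.

```python
"""Evaluate RMM network egress against an allowlist policy.

Added example, not from the original page. The flow records (shaped like Sysmon
Event ID 3 network-connection events) are constructed, and the approved
destinations, ports and tool names are assumptions to be replaced with the
organisation's own RMM inventory.
"""
import json
from collections import Counter

# Which process image belongs to which RMM tool (assumption: tune to your estate).
RMM_PROCESSES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "logmein.exe": "LogMeIn",
    "lmiguardiansvc.exe": "LogMeIn",
}

# Per-tool egress allowlist: only the organisation's own ScreenConnect instance and
# the vendor's LogMeIn service are sanctioned (assumed values for the example).
EGRESS_POLICY = {
    "ScreenConnect": {"domains": ("screenconnect.corp.example",), "ports": {443, 8041}},
    "LogMeIn": {"domains": ("logmein.com",), "ports": {443}},
}

# Ports ScreenConnect uses for its web (8040) and relay (8041) services; any process
# connecting to them must still be going to an approved destination.
RMM_RELAY_PORTS = {8040, 8041}


def _matches_domain(host, domains):
    """Exact or proper-suffix match, so 'logmein.com.attacker.example' does not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def evaluate_flow(flow):
    """Return (decision, reason) for one outbound connection record."""
    process = flow.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    dest = flow.get("DestinationHostname") or flow.get("DestinationIp", "")
    port = int(flow.get("DestinationPort", 0))
    tool = RMM_PROCESSES.get(process)

    if tool is not None:
        rule = EGRESS_POLICY.get(tool)
        if rule is None:
            return "deny", f"{tool} has no approved egress destinations"
        if not _matches_domain(dest, rule["domains"]):
            return "deny", f"{tool} connecting to unapproved destination {dest}"
        if port not in rule["ports"]:
            return "deny", f"{tool} using unapproved port {port}"
        return "allow", f"{tool} to approved destination"

    if port in RMM_RELAY_PORTS:
        approved = any(_matches_domain(dest, r["domains"]) for r in EGRESS_POLICY.values())
        if not approved:
            return "deny", f"non-RMM process {process} reaching RMM relay port {port} at {dest}"

    return "allow", "not covered by RMM egress policy"


def denied_flows(lines):
    """Parse JSON lines; return (host, destination, port, reason) for each blocked flow."""
    denied = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = json.loads(line)
        decision, reason = evaluate_flow(flow)
        if decision == "deny":
            dest = flow.get("DestinationHostname") or flow.get("DestinationIp", "")
            denied.append((flow.get("Computer", ""), dest, int(flow.get("DestinationPort", 0)), reason))
    return denied


def rank_destinations(denied):
    """Most common denied (destination, port) pairs; a shared relay floats to the top."""
    return Counter((d[1], d[2]) for d in denied).most_common()


# Constructed sample: a sanctioned ScreenConnect session, two hosts beaconing to
# an attacker-operated relay, a legitimate LogMeIn connection, PowerShell hitting
# a ScreenConnect web port on a raw IP, and ordinary browsing.
SAMPLE_FLOWS = r"""
{"Computer": "WS-IT-01", "Image": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe", "DestinationHostname": "screenconnect.corp.example", "DestinationPort": 8041}
{"Computer": "WS-FIN-07", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe", "DestinationHostname": "relay.invoice-helpdesk.example", "DestinationPort": 8041}
{"Computer": "WS-HR-03", "Image": "C:\\Users\\asmith\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe", "DestinationHostname": "relay.invoice-helpdesk.example", "DestinationPort": 8041}
{"Computer": "WS-IT-02", "Image": "C:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe", "DestinationHostname": "control.app04.logmein.com", "DestinationPort": 443}
{"Computer": "WS-FIN-07", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 8040}
{"Computer": "WS-FIN-07", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "www.example.org", "DestinationPort": 443}
"""

if __name__ == "__main__":
    denied = denied_flows(SAMPLE_FLOWS.splitlines())
    for host, dest, port, reason in denied:
        print(f"{host}: {reason}")
    print("top denied destinations:", rank_destinations(denied))
```

The same table can be fed to an egress firewall or proxy as a destination allowlist keyed on the RMM process or on the relay ports; the host-side evaluation shown here is what a SOC would run retrospectively over EDR telemetry to find every machine that already spoke to the attacker's relay.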