MSP Supply Chain Attack: Kaseya VSA Breakdown and RMM Infrastructure Protection

Depov

The business logic of the attack: why RMM is the perfect engine of scale
An MSP by definition has privileged access to the infrastructure of dozens, sometimes hundreds, of customers. The RMM agent, whether Kaseya VSA, ConnectWise Automate or Datto RMM, runs with SYSTEM rights and can execute arbitrary commands, deploy software and change configuration. For the attacker this is a multiplier: compromising one server gives lateral movement into all client tenants at once, bypassing firewalls, VPNs and segmentation.

According to the Verizon DBIR 2025, ransomware incidents in the SMB segment grew 18% year-on-year and the median ransom reached $46,000. SMBs are the main MSP client base. The CrowdStrike Global Threat Report 2025 says 86% of attacks are financially motivated. An MSP supply chain attack is a way to hit dozens of SMB organizations that have no SOC of their own in a single stroke.

And here is the thing: the RMM agent is a trusted component. EDR sees it as legitimate software. Network rules allow its communication with the server. In the SIEM its activity is the baseline. When the agent starts rolling out ransomware, it does so in the name of a trusted process, and the standard correlation rules stay silent. In effect, a compromised RMM is an insider threat delivered through a legitimate tool.
Kill chain Kaseya VSA: from SQL injection to encryption
Initial Access: the VSA web interface
The attackers used a chain of vulnerabilities in the web interface of on-premise Kaseya VSA servers. The main one is CVE-2021-30116: disclosure of agent credentials (Agent_Guid, AgentPassword) and the sessionId, CWE-522, CVSS 10.0. It was added to the CISA KEV catalog on November 3, 2021, with a mandatory remediation deadline for federal agencies of November 17, 2021. Next to it are CVE-2021-30120 (2FA bypass via client-side enforcement, CWE-669, CVSS 9.9) and related issues.

The chain worked as follows: obtain the agent data and sessionId via CVE-2021-30116, upload an arbitrary file to the server via CVE-2021-30118, execute code with the privileges of the web server. CVE-2021-30120 (2FA bypass) was part of the DIVD vulnerability set but was not a critical link in REvil's in-the-wild operation.

In MITRE ATT&CK terms this is Exploit Public-Facing Application (T1190, Initial Access). At the same time the attack maps to Compromise Software Supply Chain (T1195.002, Initial Access): compromising the management server made it possible to use a trusted update channel to deliver malware to the MSP's end clients. T1195.002 describes compromise of the software distribution mechanism. In MITRE ATT&CK the technique is not limited to a particular platform, but the Atomic Red Team tests are currently implemented only for GNU/Linux and containers; there are no ready-made atomic tests for Windows. The kill chain in this article (certutil, vssadmin, MsMpEng side-loading) is strictly Windows-specific and reproduces real REvil procedures, not Atomic Red Team tests.

The official classification of CVE-2021-30116 in the NVD is CWE-522 (Insufficiently Protected Credentials). Conceptually the attack chain also fits the CWE-669 model (Incorrect Resource Transfer Between Spheres): the trusted update channel of the RMM agent (management sphere) was used to transfer a malicious payload to client endpoints (client sphere) without verification on the recipient's side. CWE-669, incidentally, is officially assigned to another vulnerability in the chain, CVE-2021-30120 (2FA bypass via client-side enforcement).

The Dutch Institute for Vulnerability Disclosure (DIVD) had found seven vulnerabilities in Kaseya VSA by April 2021 and started the responsible disclosure process. At the time of the attack Kaseya had prepared patches but had not yet rolled them out. CISA and the FBI issued a joint advisory on July 4, 2021: immediately shut down on-premise VSA servers.
Delivery through the trusted RMM agent channel
Having gained control of the VSA server, the attackers used standard functionality: the software deployment mechanism. This is Software Deployment Tools (T1072, Execution / Lateral Movement): the VSA agent AgentMon.exe on each managed endpoint received a command to run an "update" containing the REvil dropper. T1072 in MITRE ATT&CK is conceptually platform-agnostic, although the Atomic Red Team tests are implemented only for Windows. The specific procedures in this attack (certutil -decode, PowerShell, DLL side-loading) are also strictly Windows-specific.

To the endpoint everything looked like a routine task. The agent downloaded the file from the VSA server, used certutil -decode to unpack it and launched the payload. At the execution stage: PowerShell (T1059.001, Execution), a Windows-specific technique. Access to the VSA server's functions went through compromised administrator accounts: Valid Accounts (T1078, Defense Evasion / Persistence / Privilege Escalation / Initial Access).
Defense evasion and encryption
Before launching the ransomware, the dropper did three things:
1. Disable or Modify Tools (T1685, Defense Evasion): disabling Windows Defender. REvil used DLL side-loading: a legitimate MsMpEng.exe (a Defender component) was placed in a non-standard directory next to the malicious DLL. The process ran under Microsoft's trusted binary while loading the malicious library. Elegant, if you are not the victim.
2. Inhibit System Recovery (T1490, Impact): deleting shadow copies with vssadmin delete shadows /all /quiet and disabling recovery services. Without external backups there is nowhere to roll back to.
3. Data Encrypted for Impact (T1486, Impact): file encryption. According to ESET, once it finished the desktop wallpaper was changed to an image demanding a ransom, and each directory received a note with a randomized file name.
The whole cycle, from the agent receiving the "update" to full encryption, took minutes. By the time Kaseya recommended shutting down the servers, the main damage had already been done.
What to look for in SIEM: detection for RMM compromise
Environment requirements for implementing the detections: a SIEM ingesting the Windows Event Log (Sysmon) is required: EventID 1 (Process Create), EventID 11 (File Create), EventID 3 (Network Connection). EDR telemetry of process trees. Network monitoring: Zeek, Suricata or NetFlow for analysing traffic between the VSA server and the agents. Minimum configuration: Sysmon on every host with an RMM agent, forwarded to the SIEM.
Behavioral indicators on endpoints
The principle is simple: do not hunt for specific hashes; they change between campaigns. Look for abnormal behaviour of trusted processes.

Certutil as a decoding tool in the RMM context. An RMM agent does not normally call certutil -decode. The appearance of the chain "RMM agent -> cmd.exe -> certutil.exe with the -decode switch" is a reason to drop everything and investigate:
YAML:

title: Certutil Decode Invoked by RMM Agent
logsource:
    product: windows
    service: sysmon
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\AgentMon.exe'
            - '\KaseyaAgent.exe'
        Image|endswith: '\certutil.exe'
        CommandLine|contains: '-decode'
    condition: selection
level: critical
Adapt the rule to your RMM product: for ConnectWise Automate, ScreenConnect.ClientService.exe and AutomateAgent.exe; for Datto RMM, AEMAgent.exe. Substitute the processes of your stack in ParentImage.

MsMpEng.exe outside its standard path. MsMpEng.exe launched from any directory other than C:\ProgramData\Microsoft\Windows Defender\ or C:\Program Files\Windows Defender\ is a DLL side-loading indicator. This is not specific to Kaseya; many groups use the technique.

Mass deletion of shadow copies. An invocation of vssadmin delete shadows or wmic shadowcopy delete from the RMM agent's process tree. In normal operation the MSP agent does not touch VSS. If this shows up, it is a critical alert, no exceptions.

Abnormal volume of file operations. A sharp rise in Sysmon EventID 11 (File Create) with uncharacteristic extensions, combined with a process spawned by the RMM agent.
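The three endpoint indicators above as executable checks over Sysmon EventID 1 records. This is an added example, not code from the original post: the RMM process names, the Defender directories and the sample events are constructed, and the checks look only at the direct parent recorded in the event, not the full process tree.

```python
# Added example: single-event behavioural checks over Sysmon EventID 1 records.
# Field names follow Sysmon; RMM agent names and Defender paths are assumptions.
import ntpath

RMM_AGENTS = {"agentmon.exe", "kaseyaagent.exe", "automateagent.exe", "aemagent.exe"}
DEFENDER_DIRS = (r"c:\programdata\microsoft\windows defender",
                 r"c:\program files\windows defender")
VSS_DELETE = ("vssadmin delete shadows", "wmic shadowcopy delete")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def spawned_by_rmm(ev: dict) -> bool:
    # Direct parent only; a single Sysmon event does not carry the whole ancestry.
    return _base(ev.get("ParentImage", "")) in RMM_AGENTS


def certutil_decode_via_rmm(ev: dict) -> bool:
    """The Sigma rule above, in code: RMM agent -> certutil.exe with -decode."""
    return (spawned_by_rmm(ev) and _base(ev["Image"]) == "certutil.exe"
            and "-decode" in ev.get("CommandLine", "").lower())


def msmpeng_outside_defender_dir(ev: dict) -> bool:
    """MsMpEng.exe started from anywhere but its two legitimate directories."""
    if _base(ev["Image"]) != "msmpeng.exe":
        return False
    directory = ntpath.dirname(ev["Image"]).lower()
    return not directory.startswith(DEFENDER_DIRS)


def shadow_copy_deletion_via_rmm(ev: dict) -> bool:
    """vssadmin / wmic shadow-copy deletion with an RMM agent as the parent."""
    cmd = " ".join(ev.get("CommandLine", "").lower().split())  # collapse spacing
    return spawned_by_rmm(ev) and any(s in cmd for s in VSS_DELETE)


CHECKS = {
    "certutil_decode_via_rmm": certutil_decode_via_rmm,
    "msmpeng_outside_defender_dir": msmpeng_outside_defender_dir,
    "shadow_copy_deletion_via_rmm": shadow_copy_deletion_via_rmm,
}


def triage(ev: dict) -> list:
    """Names of every indicator a single Sysmon event matches."""
    return [name for name, fn in CHECKS.items() if fn(ev)]
```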
Network Anomalies
Change in the heartbeat pattern. The RMM agent maintains a periodic connection to the management server. If the regular heartbeat every 30-60 seconds is replaced by burst traffic downloading unusually large files, something is wrong. In Zeek this is tracked via conn.log: connections to the VSA server where orig_bytes significantly exceeds the established baseline.

Outbound connections from uncharacteristic hosts. After the compromise, REvil established communication with its C2 infrastructure. An endpoint with an RMM agent that initiates connections to IP addresses outside the RMM vendor's allowlist is a compromise indicator.
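The heartbeat-baseline check above, as an added example that is not part of the original post. It parses Zeek's native conn.log TSV layout and flags flows to the VSA server whose byte counts far exceed the median heartbeat; the VSA address, the 10x threshold and the log excerpt are constructed assumptions.

```python
# Added example: baseline RMM heartbeat flows from Zeek conn.log and flag the
# ones whose byte counts break it. VSA address, threshold and log are constructed.
import statistics

VSA_SERVER = ("10.0.0.5", 443)  # assumed address:port of the on-premise VSA server
FACTOR = 10                      # "significantly exceeds": 10x the median heartbeat

# Constructed conn.log excerpt (Zeek TSV layout, reduced to the columns used):
# five routine heartbeats, one flow to another host, one oversized transfer.
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes",
    "1625400000.1\tC1\t10.0.1.20\t51000\t10.0.0.5\t443\ttcp\tssl\t1200\t900",
    "1625400045.2\tC2\t10.0.1.21\t51001\t10.0.0.5\t443\ttcp\tssl\t1150\t880",
    "1625400060.0\tC3\t10.0.1.22\t51002\t10.0.0.5\t443\ttcp\tssl\t1300\t910",
    "1625400090.4\tC4\t10.0.1.20\t51003\t10.0.0.5\t443\ttcp\tssl\t1180\t905",
    "1625400100.0\tC5\t10.0.1.23\t51004\t8.8.8.8\t53\tudp\tdns\t60\t120",
    "1625400120.7\tC6\t10.0.1.21\t51005\t10.0.0.5\t443\ttcp\tssl\t1220\t895",
    "1625400131.3\tC7\t10.0.1.33\t51006\t10.0.0.5\t443\ttcp\tssl\t45000\t3500000",
])


def parse_conn_log(text: str) -> list:
    """Turn Zeek's TSV into dicts keyed by the names in the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def vsa_flows(rows: list) -> list:
    """Only the flows whose responder is the VSA server."""
    host, port = VSA_SERVER
    return [r for r in rows if r["id.resp_h"] == host and int(r["id.resp_p"]) == port]


def find_anomalies(rows: list, factor: int = FACTOR) -> list:
    """(orig_h, uid) of VSA flows whose orig_bytes or resp_bytes exceed factor x median.
    The median is robust, so a single outlier barely moves the baseline it is judged by."""
    flows = vsa_flows(rows)
    if len(flows) < 3:            # too little history to call anything a baseline
        return []
    base_orig = statistics.median(int(r["orig_bytes"]) for r in flows)
    base_resp = statistics.median(int(r["resp_bytes"]) for r in flows)
    return [(r["id.orig_h"], r["uid"]) for r in flows
            if int(r["orig_bytes"]) > factor * base_orig
            or int(r["resp_bytes"]) > factor * base_resp]
```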
Correlation rule: compromise chain through RMM
A bundle of three events within a 5-minute window on one host:
1. The RMM agent spawns cmd.exe or powershell.exe with arguments containing -decode, -enc or a Base64 string
2. The process from step 1 creates an executable file (PE/DLL) in %TEMP% or %ProgramData%
3. A new process is launched from the newly created file
Each of these events can be legitimate on its own; MSPs sometimes deploy software through scripts. Together they almost certainly mean a compromise through the RMM channel.
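The three-step correlation above as a working function over a constructed stream of Sysmon-style events. This is an added example, not code from the original post; the agent names, staging folders, window and sample events are assumptions, and step 2 links the file to the step-1 process by ProcessGuid only, so a child process that writes the file (certutil spawned by cmd.exe) would need an extra ParentProcessGuid hop.

```python
# Added example: the three-step correlation above, run over constructed Sysmon-style
# events (EventID 1 = process create, 11 = file create); agent names, staging folders
# and the sample events are assumptions for the demo, not data from the incident.
import re
RMM_AGENTS = {"agentmon.exe", "kaseyaagent.exe", "aemagent.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
STAGING = ("\\temp\\", "\\programdata\\")       # %TEMP% / %ProgramData%, lowercase match
WINDOW = 300                                     # 5-minute window, in seconds
B64_RUN = re.compile(r"[a-z0-9+/]{40,}={0,2}")   # long Base64-looking token

def _base(path):
    return path.lower().rsplit("\\", 1)[-1]

def suspicious_args(cmd):
    c = cmd.lower()
    return "-decode" in c or "-enc" in c or B64_RUN.search(c) is not None

def correlate(events):
    """(host, ts) for each host where steps 1 -> 2 -> 3 all complete within WINDOW."""
    by_host, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        procs = [e for e in evs if e["EventID"] == 1]
        files = [e for e in evs if e["EventID"] == 11]
        for s1 in procs:   # step 1: RMM agent spawns a shell with decode / encoded arguments
            if not (_base(s1["ParentImage"]) in RMM_AGENTS and _base(s1["Image"]) in SHELLS
                    and suspicious_args(s1["CommandLine"])):
                continue
            deadline = s1["ts"] + WINDOW
            for s2 in files:   # step 2: the same process writes a PE/DLL into a staging folder
                t = s2["TargetFilename"].lower()
                if not (s2["ProcessGuid"] == s1["ProcessGuid"] and s1["ts"] <= s2["ts"] <= deadline
                        and t.endswith((".exe", ".dll")) and any(d in t for d in STAGING)):
                    continue
                hits += [(host, s3["ts"]) for s3 in procs   # step 3: a process starts from that file
                         if s3["Image"].lower() == t and s2["ts"] <= s3["ts"] <= deadline]
    return hits

def ev(host, ts, eid, **f): return dict(host=host, ts=ts, EventID=eid, **f)  # sample-event helper

AGENT = r"C:\Program Files\Kaseya\AgentMon.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed: agent -> powershell -enc writes update.exe, which is then run
    ev("ws-017", 1000, 1, ProcessGuid="{A}", ParentImage=AGENT, Image=PS,
       CommandLine="powershell -enc SQBFAFgA"),
    ev("ws-017", 1004, 11, ProcessGuid="{A}", TargetFilename=r"C:\ProgramData\update.exe"),
    ev("ws-017", 1010, 1, ProcessGuid="{B}", ParentImage=PS,
       Image=r"C:\ProgramData\update.exe", CommandLine="update.exe"),
]
```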
Hardening RMM infrastructure: checklist for MSP
The checklist is ordered by priority. You can hand it to the sysadmin or include it in an IR report as is.
1. Network isolation of the RMM server. The management server must not be exposed directly to the Internet. Publish it via a reverse proxy with WAF and IP filtering. Inbound only from known IP ranges (NIST CSF PR.AA-01).
2. MFA on all entry points. Multi-factor authentication on the RMM web interface and API endpoints. In Kaseya 2021 the SQL injection bypassed the application's authentication, but MFA at the reverse proxy level (Duo, Azure Conditional Access) creates an additional barrier.
3. Segmentation of client tenants. Each MSP client is a separate VLAN/VRF. One client's agent must have no network access to another client's infrastructure. This limits the blast radius.
4. Limiting the agent's capabilities. Agent policy: prohibit execution of arbitrary scripts without an approval workflow. Kaseya VSA, ConnectWise Automate and Datto RMM all have such settings. By default they are off. Turn them on.
5. Baseline the RMM server's activity (NIST CSF DE.AE-01). Establish and monitor: the number of deployments per day, the task execution window (maintenance window), the types of files deployed through the agent. Deviation from the baseline is an alert to the SOC.
6. Agent inventory (NIST CSF ID.AM-01). Record: which hosts have an agent, its version, the date of its last update. An agent appearing on a host where it should not be is an incident.
7. Isolation of backups from RMM. The backup infrastructure must not be reachable through the RMM agent. Ransomware delivered through RMM gets SYSTEM rights and can delete or encrypt local backups. Offsite/offline backups are mandatory.
8. Patch management for the RMM platform itself. Critical updates to the RMM server no later than 48 hours after release. DIVD had found seven vulnerabilities by April 2021. The attack happened in July. Three months is enough to close the holes. They were not closed.
9. Tabletop exercise: the "compromised RMM" scenario (NIST CSF RS.AN-01). Once a year: the management server is compromised, the agents execute malicious commands. Who decides to shut it down? How do you contact customers without the RMM channel? How long does isolation take?
10. Communication plan (NIST CSF RC.CO-01). Notification templates for customers, regulators and the media. In the Kaseya case, delayed communication intensified the panic.
The pattern continues: DragonForce and attacks through MSP in 2025
 