U.S. Federal Agencies Fall Victim to Cyber Attack Utilizing Legitimate RMM Software

The authoring organizations encourage network defenders to:
• Implement best practices to block phishing emails.
• Audit remote access tools on your network to identify currently used and/or authorized RMM software.
• Review logs for execution of RMM software to detect abnormal use of programs running as a portable executable.
• Use security software to detect instances of RMM software only being loaded in memory.
• Implement application controls to manage and control execution of software, including allowlisting RMM programs.
• Require that authorized RMM solutions be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs).
• Block both inbound and outbound connections on common RMM ports and protocols at the network perimeter.
• Implement a user training program and phishing exercises to raise awareness among users. Reinforce the appropriate user response to phishing and spear phishing emails.
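
One way to carry out the log-review recommendation above, as an added example that is not part of the advisory or the article: the script checks process-creation events for RMM binaries that are unauthorized or are running from user-writable directories, the usual sign of a portable executable. The watchlist, the authorized tool and its install path, the event field names and the sample events are all assumptions constructed for illustration.

```python
import ntpath  # parses Windows paths on any OS

# Assumption: watchlist built from your own RMM audit (names here are illustrative).
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
# Assumption: the one authorized tool and its approved install directory.
AUTHORIZED = {"teamviewer.exe": r"c:\program files\teamviewer"}
# Directories a user can write to without admin rights; typical for portable runs.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")

def findings(event):
    """Return the reasons a process-creation event deserves review (empty if none)."""
    image = event["Image"].lower()
    name = ntpath.basename(image)
    if name not in RMM_BINARIES:
        return []
    reasons = []
    if name not in AUTHORIZED:
        reasons.append("unauthorized RMM tool")
    elif ntpath.dirname(image) != AUTHORIZED[name]:
        reasons.append("authorized tool outside its install directory")
    if any(marker in image for marker in USER_WRITABLE):
        reasons.append("portable execution from user-writable path")
    return reasons

def triage(events):
    """Keep only flagged events, as (host, user, image, reasons) tuples."""
    return [(e["Host"], e["User"], e["Image"], r)
            for e in events if (r := findings(e))]

# Constructed sample events, shaped like process-creation log records.
SAMPLE_EVENTS = [
    {"Host": "ws-014", "User": r"CORP\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"Host": "ws-022", "User": r"CORP\asmith",
     "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"Host": "ws-031", "User": r"CORP\bwong",
     "Image": r"C:\Users\bwong\AppData\Local\Temp\TeamViewer.exe"},
    {"Host": "ws-031", "User": r"CORP\bwong",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for host, user, image, reasons in triage(SAMPLE_EVENTS):
        print(f"{host} {user} {image}: {'; '.join(reasons)}")
```

Matching on file name alone misses a renamed binary, so pair this review with the application-control allowlist, which can key on signer or hash instead.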

https://thehackernews.com/2023/01/us-federal-agencies-fall-victim-to.html

https://www.cisa.gov/uscert/ncas/alerts/aa23-025a