Acronis found that 63.1% of managed endpoints run multiple remote access or RMM tools, expanding attack surfaces and making IT environments harder to secure. Attackers increasingly abuse legitimate or open-source tools such as MeshAgent, TeamViewer, ConnectWise ScreenConnect, and RDP to blend in with normal administration and spread across organizations. #MeshAgent #TeamViewer #ConnectWiseScreenConnect #RDP #AnyDesk #AmmyyAdmin
Key points
- Across nearly 1.8 million Acronis-managed endpoints, 63.1% had at least two remote access or RMM tools installed.
- Over 22% of endpoints had three or more remote access tools, creating a larger attack surface and more administrative complexity.
- Attackers increasingly deploy their own RMM tools directly onto victim machines to hide within legitimate network traffic.
- The most abused tools in the data included MeshAgent, open-source VNC, Ammyy Admin, and built-in RDP.
- ConnectWise ScreenConnect and AnyDesk were heavily present in legitimate environments, but they can also be abused during incidents.
- RDP abuse often appeared in later-stage intrusions, where attackers used it for lateral movement or hands-on-keyboard control.
- The article stresses minimizing concurrent RMM installations and distinguishing expected admin tools from attacker-deployed tools.
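The inventory check the last point calls for, as an added example that is not part of the Acronis report: a Python routine over a constructed per-endpoint software inventory that flags hosts running more than one remote access tool, or any tool outside the set IT actually sanctioned, and reports the fleet-wide share of multi-tool endpoints the way the report does. The tool name table, the substring matching and the sample inventory are assumptions made for the example.

```python
from collections import Counter

# Remote access / RMM tools named in the report, keyed by canonical name with
# lowercase substrings used to match installed product names (assumed aliases).
RMM_TOOLS = {
    "MeshAgent": ("meshagent", "meshcentral"),
    "TeamViewer": ("teamviewer",),
    "ScreenConnect": ("screenconnect",),
    "AnyDesk": ("anydesk",),
    "Ammyy Admin": ("ammyy",),
    "VNC": ("vnc",),          # also covers UltraVNC
    "RustDesk": ("rustdesk",),
    "TacticalRMM": ("tacticalrmm", "tactical rmm"),
    "RDP": ("rdp",),
}

# Constructed sample inventory: endpoint -> installed product names.
SAMPLE_INVENTORY = {
    "ws-001": ["ScreenConnect Client", "Microsoft Office"],
    "ws-002": ["ScreenConnect Client", "AnyDesk", "MeshAgent"],
    "srv-010": ["RDP (enabled)", "TeamViewer 15", "UltraVNC"],
    "ws-003": ["Google Chrome"],
}

# Tools IT deploys on purpose; any other RMM_TOOLS hit is unexpected.
EXPECTED = {"ScreenConnect", "RDP"}


def rmm_tools_on(products):
    """Return the canonical names of known remote access tools in a product list."""
    lowered = [p.lower() for p in products]
    return {name for name, aliases in RMM_TOOLS.items()
            if any(a in p for a in aliases for p in lowered)}


def assess(inventory, expected=EXPECTED, max_tools=1):
    """Flag endpoints with too many or unsanctioned tools; return findings and stats."""
    findings, dist = {}, Counter()
    for host, products in inventory.items():
        tools = rmm_tools_on(products)
        dist[len(tools)] += 1
        unexpected = tools - expected
        if len(tools) > max_tools or unexpected:
            findings[host] = {"tools": sorted(tools), "unexpected": sorted(unexpected)}
    total = sum(dist.values())
    multi = sum(n for k, n in dist.items() if k >= 2) / total if total else 0.0
    return findings, {"multi_tool_share": multi, "tool_count_distribution": dict(dist)}
```

On the sample fleet, half the endpoints carry two or more tools and two hosts are flagged for tools outside the sanctioned set; the distribution output is what to compare against the 63.1% / 22% figures above.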
MITRE Techniques
- [T1219] Remote Access Software – Attackers used legitimate or open-source RMM tools on victim systems to maintain access and blend in with normal administration (‘attackers now routinely deploy legitimate or open-source RMM tools directly onto victim machines’)
- [T1021.001] Remote Desktop Protocol – Attackers abused built-in RDP for post-compromise remote administration and lateral movement (‘RDP tops with almost 26%’ and ‘used RDP to move through the network or maintain hands-on-keyboard control’)
- [T1021.005] VNC – The article notes abuse of VNC/UltraVNC as a common remote access method used by both IT and attackers (‘VNC / UltraVNC’ and ‘open source VNC in the top 5’)
- [T1105] Ingress Tool Transfer – RMM tools were deployed onto victim machines to facilitate the intrusion and provide remote control (‘they install commercially available RMM tools on victim machines’)
- [T1106] Native API – RMM tools provided attackers with built-in operational capabilities like command execution and file transfer (‘The tool gave them the same capabilities an MSP technician would have: remote desktop, command execution, file transfer’)
Indicators of Compromise
- [File names / tool names] attacker-used or installed remote access tools – MeshAgent, Ammyy Admin
- [File names / tool names] legitimate or abused remote administration products – ConnectWise ScreenConnect, TeamViewer
- [File names / tool names] remote access protocols and utilities observed in incidents or inventory – RDP, VNC / UltraVNC
- [File names / tool names] additional open-source or self-hosted tools mentioned in inventory and abuse context – RustDesk, MeshCentral, TacticalRMM
- [Malicious family / RAT name] leaked-source-code-based remote access malware lineage – FlawedAmmyy
- [Organization / threat actor references] groups associated with tool abuse – TA505/FIN11, Andariel, Iranian-linked groups