{"id":6292,"date":"2025-12-29T12:27:31","date_gmt":"2025-12-29T05:27:31","guid":{"rendered":"https:\/\/tamanh.asia\/?p=6292"},"modified":"2025-12-29T15:51:53","modified_gmt":"2025-12-29T08:51:53","slug":"nguy-co-tu-viec-lam-dung-cong-cu-rmm-chien-thuat-moi-cua-ransomware","status":"publish","type":"post","link":"https:\/\/tamanh.asia\/?p=6292","title":{"rendered":"Nguy C\u01a1 T\u1eeb Vi\u1ec7c L\u1ea1m D\u1ee5ng C\u00f4ng C\u1ee5 RMM: Chi\u1ebfn Thu\u1eadt M\u1edbi C\u1ee7a Ransomware"},"content":{"rendered":"

C\u00e1c nh\u00f3m m\u00e3 \u0111\u1ed9c t\u1ed1ng ti\u1ec1n (ransomware gangs<\/strong>) ng\u00e0y c\u00e0ng l\u1ea1m d\u1ee5ng c\u00e1c c\u00f4ng c\u1ee5 Gi\u00e1m s\u00e1t v\u00e0 Qu\u1ea3n l\u00fd T\u1eeb xa (Remote Monitoring and Management \u2013 RMM<\/strong>), v\u1ed1n \u0111\u01b0\u1ee3c thi\u1ebft k\u1ebf cho ho\u1ea1t \u0111\u1ed9ng IT h\u1ee3p ph\u00e1p, \u0111\u1ec3 d\u00e0n d\u1ef1ng c\u00e1c cu\u1ed9c x\u00e2m nh\u1eadp m\u1ea1ng tinh vi, thi\u1ebft l\u1eadp quy\u1ec1n truy c\u1eadp dai d\u1eb3ng (persistence<\/strong>), th\u1ef1c hi\u1ec7n di chuy\u1ec3n ngang (lateral movement<\/strong>), v\u00e0 tr\u00edch xu\u1ea5t d\u1eef li\u1ec7u (data exfiltration<\/strong>).<\/p>

C\u00e1c cu\u1ed9c \u0111i\u1ec1u tra \u0111\u01b0\u1ee3c th\u1ef1c hi\u1ec7n v\u00e0o n\u1eeda cu\u1ed1i n\u0103m 2024<\/strong> v\u00e0 qu\u00fd \u0111\u1ea7u ti\u00ean c\u1ee7a n\u0103m 2025<\/strong> \u0111\u00e3 ti\u1ebft l\u1ed9 m\u00f4 h\u00ecnh t\u1ea5n c\u00f4ng n\u00e0y trong c\u00e1c s\u1ef1 c\u1ed1 \u1ea3nh h\u01b0\u1edfng \u0111\u1ebfn hai t\u1ed5 ch\u1ee9c c\u00f3 tr\u1ee5 s\u1edf t\u1ea1i M\u1ef9<\/strong> v\u00e0 m\u1ed9t th\u1ef1c th\u1ec3 t\u1ea1i Anh<\/strong>. Nh\u1eefng c\u00f4ng c\u1ee5 n\u00e0y, v\u1ed1n \u0111\u01b0\u1ee3c tin c\u1eady trong m\u00f4i tr\u01b0\u1eddng doanh nghi\u1ec7p cho c\u00e1c t\u00e1c v\u1ee5 nh\u01b0 tri\u1ec3n khai ph\u1ea7n m\u1ec1m v\u00e0 gi\u00e1m s\u00e1t h\u1ec7 th\u1ed1ng, c\u00f3 kh\u1ea3 n\u0103ng n\u00e9 tr\u00e1nh c\u00e1c bi\u1ec7n ph\u00e1p ki\u1ec3m so\u00e1t b\u1ea3o m\u1eadt truy\u1ec1n th\u1ed1ng do tr\u1ea1ng th\u00e1i h\u1ee3p ph\u00e1p c\u1ee7a ch\u00fang, l\u00e0m m\u1edd \u0111i ranh gi\u1edbi gi\u1eefa c\u00e1c h\u00e0nh \u0111\u1ed9ng qu\u1ea3n tr\u1ecb \u0111\u01b0\u1ee3c \u1ee7y quy\u1ec1n v\u00e0 h\u00e0nh vi \u0111\u1ed9c h\u1ea1i b\u00ed m\u1eadt.<\/p>

B\u1ed1i C\u1ea3nh v\u00e0 Ph\u00e1t Hi\u1ec7n<\/h2>

C\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u t\u1eeb Cato Networks<\/strong>, trong B\u00e1o c\u00e1o \u0110e d\u1ecda CTRL 2025<\/strong> c\u1ee7a h\u1ecd, \u0111\u00e3 ph\u00e2n t\u00edch nhi\u1ec1u gi\u1ea3i ph\u00e1p RMM<\/strong> th\u01b0\u01a1ng m\u1ea1i v\u00e0 m\u00e3 ngu\u1ed3n m\u1edf. C\u00e1c c\u00f4ng c\u1ee5 c\u1ee5 th\u1ec3 \u0111\u01b0\u1ee3c ghi nh\u1eadn l\u00e0 b\u1ecb khai th\u00e1c bao g\u1ed3m AnyDesk<\/strong>, ScreenConnect<\/strong>, SimpleHelp<\/strong>, v\u00e0 PDQ Deploy<\/strong>. Nh\u1eefng c\u00f4ng c\u1ee5 n\u00e0y \u0111\u00e3 b\u1ecb l\u1ea1m d\u1ee5ng b\u1edfi c\u00e1c nh\u00f3m t\u1ea5n c\u00f4ng \u0111\u00e1ng ch\u00fa \u00fd nh\u01b0 Hunters International<\/strong> v\u00e0 Medusa<\/strong>.<\/p>

Kh\u1ea3 n\u0103ng l\u01b0\u1ee1ng d\u1ee5ng c\u1ee7a c\u00e1c c\u00f4ng c\u1ee5 RMM<\/strong> n\u00e0y ph\u1ea3n \u00e1nh kh\u1ea3 n\u0103ng c\u1ee7a c\u00e1c Trojan Truy c\u1eadp T\u1eeb xa (Remote Access Trojans \u2013 RATs<\/strong>). Ch\u00fang cho ph\u00e9p th\u1ef1c thi l\u1ec7nh t\u1eeb xa, tri\u1ec3n khai script, truy c\u1eadp \u1ea9n danh th\u00f4ng qua c\u00e1c phi\u00ean l\u00e0m vi\u1ec7c b\u00ed m\u1eadt, v\u00e0 thi\u1ebft l\u1eadp c\u00e1c k\u1ebft n\u1ed1i ngang h\u00e0ng (peer-to-peer<\/strong>) \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a. C\u00e1c t\u00ednh n\u0103ng n\u00e0y l\u00e0m ph\u1ee9c t\u1ea1p qu\u00e1 tr\u00ecnh ph\u00e1t hi\u1ec7n v\u00e0 g\u00e1n gh\u00e9p tr\u00e1ch nhi\u1ec7m (attribution<\/strong>) cho k\u1ebb t\u1ea5n c\u00f4ng.<\/p>

Ph\u00e2n T\u00edch Ph\u00e1p Y v\u00e0 C\u00e1c Tr\u01b0\u1eddng H\u1ee3p Th\u1ef1c T\u1ebf<\/h2>

Ph\u00e2n t\u00edch ph\u00e1p y chi ti\u1ebft \u0111\u00e3 kh\u00e1m ph\u00e1 ra c\u00e1c chi\u1ebfn thu\u1eadt t\u00e1i di\u1ec5n trong c\u00e1c chi\u1ebfn d\u1ecbch n\u00e0y.<\/p>

Chi\u1ebfn D\u1ecbch T\u1ea5n C\u00f4ng c\u1ee7a Hunters International (Q3 2024)<\/h3>

Trong m\u1ed9t s\u1ef1 c\u1ed1 v\u00e0o qu\u00fd 3<\/strong> n\u0103m 2024<\/strong>, nh\u00f3m Hunters International<\/strong> \u0111\u00e3 nh\u1eafm m\u1ee5c ti\u00eau v\u00e0o m\u1ed9t c\u00f4ng ty s\u1ea3n xu\u1ea5t t\u1ea1i Anh<\/strong>. Ch\u00fang s\u1eed d\u1ee5ng AnyDesk<\/strong> v\u00e0 ScreenConnect<\/strong> \u0111\u1ec3 duy tr\u00ec quy\u1ec1n truy c\u1eadp dai d\u1eb3ng trong h\u01a1n m\u1ed9t th\u00e1ng. Kho\u1ea3ng th\u1eddi gian n\u00e0y \u0111\u00e3 t\u1ea1o \u0111i\u1ec1u ki\u1ec7n cho kh\u1ea3 n\u0103ng tr\u00edch xu\u1ea5t d\u1eef li\u1ec7u quy m\u00f4 l\u1edbn tr\u01b0\u1edbc khi tri\u1ec3n khai m\u00e3 \u0111\u1ed9c t\u1ed1ng ti\u1ec1n. Vi\u1ec7c nh\u00f3m n\u00e0y g\u1ea7n \u0111\u00e2y \u0111\u00e3 ng\u1eebng ho\u1ea1t \u0111\u1ed9ng v\u00e0 cung c\u1ea5p c\u00e1c c\u00f4ng c\u1ee5 gi\u1ea3i m\u00e3 mi\u1ec5n ph\u00ed nh\u1ea5n m\u1ea1nh t\u00ednh ch\u1ea5t bi\u1ebfn \u0111\u1ed9ng c\u1ee7a c\u00e1c ho\u1ea1t \u0111\u1ed9ng m\u00e3 \u0111\u1ed9c t\u1ed1ng ti\u1ec1n.<\/p>

X\u00e2m Nh\u1eadp c\u1ee7a Medusa (Q4 2024)<\/h3>

T\u01b0\u01a1ng t\u1ef1, v\u00e0o qu\u00fd 4<\/strong> n\u0103m 2024<\/strong>, nh\u00f3m Medusa<\/strong> \u0111\u00e3 x\u00e2m nh\u1eadp v\u00e0o m\u1ed9t c\u00f4ng ty x\u00e2y d\u1ef1ng t\u1ea1i M\u1ef9<\/strong> th\u00f4ng qua m\u1ed9t tr\u00ecnh c\u00e0i \u0111\u1eb7t ScreenConnect<\/strong> \u0111\u1ed9c h\u1ea1i. Sau \u0111\u00f3, ch\u00fang t\u1eadn d\u1ee5ng PDQ Deploy<\/strong> cho m\u1ee5c \u0111\u00edch qu\u00e9t n\u1ed9i b\u1ed9 m\u1ea1ng v\u00e0 di chuy\u1ec3n ngang. S\u1ef1 vi\u1ec7c n\u00e0y \u0111\u1eb7t ra c\u00e2u h\u1ecfi li\u1ec7u c\u00e1c c\u00f4ng c\u1ee5 RMM<\/strong> n\u00e0y \u0111\u00e3 c\u00f3 s\u1eb5n trong m\u00f4i tr\u01b0\u1eddng c\u1ee7a n\u1ea1n nh\u00e2n hay \u0111\u01b0\u1ee3c k\u1ebb t\u1ea5n c\u00f4ng \u0111\u01b0a v\u00e0o h\u1ec7 th\u1ed1ng.<\/p>

T\u1ea5n C\u00f4ng Nh\u00f3m Ransomware Kh\u00f4ng X\u00e1c \u0110\u1ecbnh (Q1 2025)<\/h3>

M\u1ed9t cu\u1ed9c t\u1ea5n c\u00f4ng v\u00e0o qu\u00fd 1<\/strong> n\u0103m 2025<\/strong> nh\u1eafm v\u00e0o m\u1ed9t t\u1ed5 ch\u1ee9c phi l\u1ee3i nhu\u1eadn t\u1ea1i M\u1ef9<\/strong> li\u00ean quan \u0111\u1ebfn m\u1ed9t nh\u00f3m m\u00e3 \u0111\u1ed9c t\u1ed1ng ti\u1ec1n kh\u00f4ng x\u00e1c \u0111\u1ecbnh. Nh\u00f3m n\u00e0y \u0111\u00e3 tri\u1ec3n khai SimpleHelp<\/strong> \u0111\u1ec3 thi\u1ebft l\u1eadp quy\u1ec1n truy c\u1eadp dai d\u1eb3ng ban \u0111\u1ea7u, sau \u0111\u00f3 s\u1eed d\u1ee5ng AnyDesk<\/strong> tr\u00ean c\u00e1c m\u00e1y ch\u1ee7 b\u1ed5 sung \u0111\u1ec3 m\u1edf r\u1ed9ng ki\u1ec3m so\u00e1t m\u1ea1ng.<\/p>

\u0110i\u1ec3m Chung Trong C\u00e1c Chi\u1ebfn D\u1ecbch<\/h3>

Trong t\u1ea5t c\u1ea3 c\u00e1c tr\u01b0\u1eddng h\u1ee3p n\u00e0y, nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 s\u1eed d\u1ee5ng \u0111\u1ed3ng th\u1eddi nhi\u1ec1u c\u00f4ng c\u1ee5 RMM<\/strong> \u0111\u1ec3 t\u0103ng c\u01b0\u1eddng kh\u1ea3 n\u0103ng ph\u1ee5c h\u1ed3i v\u00e0 linh ho\u1ea1t trong c\u00e1c chi\u1ebfn d\u1ecbch c\u1ee7a ch\u00fang. Ch\u00fang khai th\u00e1c c\u00e1c t\u00ednh n\u0103ng nh\u01b0 truy c\u1eadp kh\u00f4ng c\u1ea7n agent, ghim ch\u1ee9ng ch\u1ec9 (certificate pinning<\/strong>), v\u00e0 c\u00e1c \u0111\u1eb7c quy\u1ec1n n\u00e2ng cao c\u1ee7a c\u00e1c c\u00f4ng c\u1ee5 RMM<\/strong>, cho ph\u00e9p ch\u00fang v\u01b0\u1ee3t qua hi\u1ec7u qu\u1ea3 c\u00e1c h\u1ec7 th\u1ed1ng ph\u00e1t hi\u1ec7n v\u00e0 ph\u1ea3n \u1ee9ng \u0111i\u1ec3m cu\u1ed1i (Endpoint Detection and Response \u2013 EDR<\/strong>).<\/p>

K\u1ef9 Thu\u1eadt Ph\u00e1t Hi\u1ec7n v\u00e0 Gi\u1ea3m Thi\u1ec3u<\/h2>

Ph\u00e1t Hi\u1ec7n D\u1ef1a Tr\u00ean Ph\u00e2n T\u00edch M\u1ea1ng<\/h3>

Ph\u00e2n t\u00edch h\u00e0nh vi m\u1ea1ng l\u00e0 m\u1ed9t ph\u01b0\u01a1ng ph\u00e1p hi\u1ec7u qu\u1ea3 \u0111\u1ec3 ph\u00e1t hi\u1ec7n vi\u1ec7c l\u1ea1m d\u1ee5ng c\u00e1c c\u00f4ng c\u1ee5 RMM<\/strong>. V\u00ed d\u1ee5, vi\u1ec7c s\u1eed d\u1ee5ng c\u00e1c c\u00f4ng c\u1ee5 nh\u01b0 Wireshark<\/strong> \u0111\u1ec3 b\u1eaft g\u00f3i tin c\u00e1c phi\u00ean l\u00e0m vi\u1ec7c c\u1ee7a AnyDesk<\/strong> tr\u00ean c\u1ed5ng 7070<\/strong> c\u00f3 th\u1ec3 ti\u1ebft l\u1ed9 c\u00e1c k\u1ebft n\u1ed1i \u0111\u00e1ng ng\u1edd. Ngo\u00e0i ra, vi\u1ec7c ph\u00e1t hi\u1ec7n c\u00e1c \u0111i\u1ec3m b\u1ea5t th\u01b0\u1eddng trong h\u1ec7 th\u1ed1ng Cato XDR<\/strong> \u0111\u00e3 ch\u1ee9ng minh c\u00e1ch c\u00e1c c\u00f4ng c\u1ee5 n\u00e0y t\u1ea1o ra c\u00e1c k\u1ebft n\u1ed1i h\u01b0\u1edbng ra m\u1ea1ng WAN (WAN-bound connections<\/strong>) \u0111\u00e1ng ng\u1edd. Nh\u1eefng ho\u1ea1t \u0111\u1ed9ng n\u00e0y th\u01b0\u1eddng k\u00edch ho\u1ea1t c\u00e1c c\u1ea3nh b\u00e1o t\u1ef1 \u0111\u1ed9ng v\u1ec1 c\u00e1c t\u01b0\u01a1ng t\u00e1c t\u1eeb m\u00e1y ch\u1ee7 \u0111\u1ebfn m\u00e1y ch\u1ee7 b\u1ea5t th\u01b0\u1eddng ho\u1eb7c l\u1ea7n s\u1eed d\u1ee5ng \u0111\u1ea7u ti\u00ean c\u1ee7a m\u1ed9t c\u00f4ng c\u1ee5 nh\u1ea5t \u0111\u1ecbnh trong m\u00f4i tr\u01b0\u1eddng.<\/p>

Minh H\u1ecda Khai Th\u00e1c (Proof-of-Concept)<\/h3>

\u0110\u1ec3 minh h\u1ecda m\u1ee9c \u0111\u1ed9 d\u1ec5 d\u00e0ng b\u1ecb khai th\u00e1c, m\u1ed9t cu\u1ed9c t\u1ea5n c\u00f4ng b\u1eb1ng b\u1eb1ng ch\u1ee9ng kh\u00e1i ni\u1ec7m (proof-of-concept<\/strong>) \u0111\u00e3 \u0111\u01b0\u1ee3c m\u00f4 ph\u1ecfng. K\u1ecbch b\u1ea3n n\u00e0y li\u00ean quan \u0111\u1ebfn m\u1ed9t file LNK<\/strong> \u0111\u01b0\u1ee3c g\u1eedi qua email l\u1eeba \u0111\u1ea3o (phishing<\/strong>), khi \u0111\u01b0\u1ee3c k\u00edch ho\u1ea1t, s\u1ebd kh\u1edfi ch\u1ea1y PowerShell<\/strong> \u0111\u1ec3 k\u00edch ho\u1ea1t m\u1ed9t phi\u00ean AnyDesk<\/strong> \u0111\u00e3 \u0111\u01b0\u1ee3c c\u00e0i \u0111\u1eb7t s\u1eb5n tr\u00ean h\u1ec7 th\u1ed1ng c\u1ee7a n\u1ea1n nh\u00e2n. \u0110i\u1ec1u n\u00e0y cho ph\u00e9p thi\u1ebft l\u1eadp k\u1ebft n\u1ed1i \u0111\u1ebfn endpoint c\u1ee7a k\u1ebb t\u1ea5n c\u00f4ng v\u00e0 thi\u1ebft l\u1eadp quy\u1ec1n truy c\u1eadp dai d\u1eb3ng. C\u00e1c c\u01a1 ch\u1ebf ph\u00e1t hi\u1ec7n c\u1ee7a Cato<\/strong> \u0111\u00e3 nhanh ch\u00f3ng g\u1eafn c\u1edd c\u00e1c t\u00edn hi\u1ec7u m\u1ea1ng b\u1ea5t th\u01b0\u1eddng n\u00e0y, t\u1ea1o ra c\u00e1c \u201cXDR stories<\/strong>\u201d \u0111\u1ec3 ph\u1ea3n \u1ee9ng nhanh ch\u00f3ng.<\/p>

Xu H\u01b0\u1edbng R\u1ed9ng H\u01a1n<\/h3>

Xu h\u01b0\u1edbng l\u1ea1m d\u1ee5ng c\u00f4ng c\u1ee5 RMM<\/strong> n\u00e0y kh\u00f4ng ch\u1ec9 gi\u1edbi h\u1ea1n \u1edf c\u00e1c nh\u00f3m m\u00e3 \u0111\u1ed9c t\u1ed1ng ti\u1ec1n m\u00e0 c\u00f2n m\u1edf r\u1ed9ng sang c\u00e1c t\u00e1c nh\u00e2n c\u1ea5p qu\u1ed1c gia, nh\u1eefng ng\u01b0\u1eddi \u0111ang t\u00ecm ki\u1ebfm c\u00e1c gi\u1ea3i ph\u00e1p RAT<\/strong> v\u1edbi chi ph\u00ed th\u1ea5p. Xu h\u01b0\u1edbng n\u00e0y \u0111\u01b0\u1ee3c c\u1ee7ng c\u1ed1 b\u1edfi th\u00f4ng tin t\u00ecnh b\u00e1o \u0111e d\u1ecda t\u1eeb c\u00e1c c\u1ea3nh b\u00e1o #StopRansomware<\/strong> c\u1ee7a CISA<\/strong>.<\/p>

C\u00e1c Bi\u1ec7n Ph\u00e1p Gi\u1ea3m Thi\u1ec3u Hi\u1ec7u Qu\u1ea3<\/h3>

\u0110\u1ec3 ch\u1ed1ng l\u1ea1i m\u1ed1i \u0111e d\u1ecda n\u00e0y, c\u00e1c t\u1ed5 ch\u1ee9c c\u1ea7n t\u0103ng c\u01b0\u1eddng kh\u1ea3 n\u0103ng hi\u1ec3n th\u1ecb m\u1ea1ng v\u00e0 ki\u1ec3m so\u00e1t ho\u1ea1t \u0111\u1ed9ng. C\u00e1c bi\u1ec7n ph\u00e1p gi\u1ea3m thi\u1ec3u bao g\u1ed3m:<\/p>