TeamViewer: Your Essential IT Tool Is Attackers' Favorite Backdoor

Eviant

Your IT team uses TeamViewer to fix computers remotely. Your support staff uses AnyDesk to help customers. Your MSP uses Splashtop to manage your infrastructure. These tools are convenient, fast, and essential for modern business operations. They’re also loved by attackers and routinely used to break into your network, maintain persistent access, and exfiltrate data—often without triggering any alarms.

What Are RMM Tools?

Remote Monitoring and Management (RMM) tools allow companies to access computers and servers remotely. They provide full control over systems: viewing screens, running commands, transferring files, and managing configurations.

Common RMM tools include:

  • TeamViewer - Widely used for IT support and remote work
  • AnyDesk - Fast remote desktop access
  • Splashtop - Popular with MSPs and IT departments
  • ConnectWise Control (ScreenConnect) - MSP-focused remote support
  • LogMeIn / GoTo - Remote access and support platforms

These tools are legitimate and necessary. The problem is that attackers know this—and exploit it.

Why Attackers Love RMM Tools

They blend in. Security teams expect to see TeamViewer or AnyDesk running. Attackers use this assumption to operate undetected. A malicious remote session looks identical to a legitimate support session.

They provide full system access. Once connected, attackers have the same privileges as the compromised user account—often administrative access. They can install malware, steal data, or move laterally across the network.

They bypass network security. RMM tools establish outbound connections that pass through firewalls without triggering alerts. EDR and antivirus solutions typically whitelist them as trusted applications.

They’re persistent. Attackers configure RMM tools to start automatically and reconnect if disconnected, ensuring ongoing access even after initial compromise is detected.

They’re available everywhere. Most RMM tools offer portable versions that don’t require installation or administrative rights. Attackers drop them onto compromised systems and connect immediately.

Real-World Attacks: What We’ve Seen

Eviant has responded to multiple incidents where attackers exploited RMM tools as part of their operations.

TeamViewer credential attacks. In one case, attackers conducted password spraying and brute force attacks against an organization’s TeamViewer accounts. Once they gained access, they used compromised credentials to connect remotely and deploy malware to systems.

Initial access via stolen credentials. Attackers obtained compromised TeamViewer credentials from dark web markets. These credentials—leaked from previous breaches or stolen through phishing—provided immediate remote access to business systems without exploiting any technical vulnerabilities.

Post-exploitation persistence. After gaining initial access through other means (phishing, VPN exploit), attackers installed AnyDesk on compromised machines to maintain persistent access. Even when the original entry point was closed, they retained control through the RMM tool.

Common Attack Patterns

Credential stuffing and spraying. Attackers use leaked credentials or common passwords to access RMM accounts. Many organizations don’t enforce MFA on RMM tools, making this trivial.

Phishing for RMM installation. Fake IT support emails trick employees into installing “remote support tools” that are actually attacker-controlled RMM software.

Exploiting unpatched RMM software. RMM tools have vulnerabilities. ConnectWise ScreenConnect, for example, has been exploited multiple times when organizations failed to patch known security flaws.

Abusing legitimate MSP access. Attackers compromise MSP accounts and use their existing RMM access to attack client networks. The activity looks legitimate because it comes from the trusted MSP.

Dropping portable versions. Attackers use initial malware infections to download portable RMM tools, establishing a backup access method before their primary malware is detected and removed.

How to Protect Your Organization

Require multi-factor authentication. Every RMM account must have MFA enabled. This mitigates credential stuffing and stolen password attacks.

Monitor RMM usage. Log all remote access sessions, including who connected, when, from what IP address, and to which systems. Alert on unusual patterns like after-hours access or connections from unexpected locations.
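The alerting described above can be sketched as a small rule set over session logs. This is an added example, not Eviant's tooling: the record layout, account names, business hours, expected source ranges and failure threshold are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions, not from the article: business hours, expected source ranges,
# the failed-login threshold, and the log record layout used below.
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, Monday to Friday
EXPECTED_SOURCES = [ip_network("10.20.0.0/16"), ip_network("198.51.100.0/24")]
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)

# Constructed sample records: (start time, account, source IP, target, result)
SESSIONS = [
    ("2024-03-04T10:15:00", "helpdesk1", "10.20.4.7", "WS-014", "ok"),
    ("2024-03-05T02:41:00", "helpdesk1", "203.0.113.50", "SRV-DB1", "ok"),
    ("2024-03-09T14:00:00", "msp-admin", "198.51.100.9", "WS-022", "ok"),
] + [(f"2024-03-06T09:0{i}:00", "helpdesk2", "203.0.113.77", "-", "fail")
     for i in range(6)]


def findings(sessions):
    """Return (time, account, reason) for each session worth reviewing."""
    flagged, fails = [], defaultdict(list)
    for ts, user, src, _target, result in sorted(sessions):
        when = datetime.fromisoformat(ts)
        if result == "fail":
            # Keep only failures inside the sliding window, then add this one.
            fails[user] = [t for t in fails[user] if when - t <= FAIL_WINDOW] + [when]
            if len(fails[user]) == FAIL_THRESHOLD:  # fires as the count reaches it
                flagged.append((ts, user, "failed-login-burst"))
            continue
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
            flagged.append((ts, user, "outside-business-hours"))
        if not any(ip_address(src) in net for net in EXPECTED_SOURCES):
            flagged.append((ts, user, "unexpected-source"))
    return flagged


if __name__ == "__main__":
    for row in findings(SESSIONS):
        print(*row)
```

Failures are counted per account here, so a spray spread thinly across many accounts needs a second counter keyed on source IP.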

Restrict installation of RMM software. Use application allowlisting to prevent unauthorized RMM tools from running. Only permit approved, centrally managed RMM solutions.

Segment RMM access. RMM connections should be limited to specific networks or VLANs. Don’t allow RMM tools to access all systems across your entire infrastructure. Limit usage to cases where it is absolutely needed.

Require approval for remote sessions. Implement workflows where remote access requires approval from the system owner or IT manager before connections are established.

Review RMM account permissions. Regularly audit who has RMM access and remove accounts for former employees or contractors. Ensure accounts follow least-privilege principles.

Patch RMM software immediately. Treat RMM tools as critical infrastructure. When vendors release security patches, deploy them urgently across your environment.

Monitor for unusual installations. Detect when new RMM software appears on systems. Alert when portable versions of TeamViewer, AnyDesk, or similar tools are installed or executed.

When to Investigate

Watch for these indicators of RMM abuse:

  • RMM connections during non-business hours
  • New RMM software installations without IT approval
  • RMM connections from unusual geographic locations
  • Multiple failed login attempts on RMM accounts
  • RMM tools connecting to servers that don’t normally require remote support
  • Portable RMM executables in temporary directories or user downloads folders
  • Firewall logs showing outbound connections to RMM services from unexpected systems
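For the "Monitor for unusual installations" control and the portable-executable indicator in the list above, the following added example (not from Eviant) triages process-creation events by executable path. The event layout, host names, the approved tool and its install path, and the file-name keywords are assumptions; the events are constructed.

```python
from pathlib import PureWindowsPath

# Assumption: RMM products are recognised by keywords in the file name,
# taken from the product names mentioned in this article.
RMM_KEYWORDS = ("teamviewer", "anydesk", "splashtop", "screenconnect", "logmein")
# Assumption: the one approved, centrally managed tool and its install folder.
APPROVED = {"teamviewer": "c:\\program files\\teamviewer\\"}
# User-writable locations where portable copies typically land.
RISKY_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\")

# Constructed sample process-creation events.
EVENTS = [
    {"host": "WS-014", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"host": "WS-022", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"host": "SRV-DB1", "image": r"C:\Users\svc\AppData\Local\Temp\TeamViewer_portable.exe"},
    {"host": "WS-031", "image": r"C:\Tools\AnyDesk.exe"},
    {"host": "WS-031", "image": r"C:\Windows\System32\notepad.exe"},
]


def classify(image_path):
    """Return (tool, verdict) for an RMM executable, or None for anything else."""
    path = PureWindowsPath(image_path)
    name = path.name.lower()
    tool = next((k for k in RMM_KEYWORDS if k in name), None)
    if tool is None:
        return None
    folder = str(path.parent).lower() + "\\"
    if any(d in folder for d in RISKY_DIRS):
        return tool, "portable-in-user-writable-dir"
    if folder.startswith(APPROVED.get(tool, "\0")):  # "\0" never matches a path
        return tool, "approved"
    return tool, "unapproved-install"


def alerts(events):
    """Return (host, tool, verdict) for every RMM execution that is not approved."""
    hits = ((e["host"], classify(e["image"])) for e in events)
    return [(host, *res) for host, res in hits if res and res[1] != "approved"]


if __name__ == "__main__":
    for alert in alerts(EVENTS):
        print(*alert)
```

Name matching misses a renamed binary, so it complements application allowlisting and does not replace it.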

RMM tools are essential for business operations, but they’re also high-value targets for attackers. Organizations that treat them as trusted, low-risk applications create security gaps that sophisticated attackers routinely exploit.

Implementing proper controls—MFA, monitoring, access restrictions—ensures that RMM tools remain useful for your team while preventing them from becoming the attacker’s preferred entry point.

If your organization hasn’t reviewed RMM security recently, contact Eviant to assess your remote access controls and implement practical defenses that reduce risk without disrupting IT operations.
