Has anyone encountered instances of unknown remote access in a corporate setting? I'm using the term "hacker" loosely here, as I don't believe it was an internal issue. Our company operates in the tech sector, so it's unlikely that any mistakes by users led to this. We faced this issue twice: once in January and again on December 3rd. In the first case, a user in Canada saw their mouse moving on its own and had to shut down their laptop to regain control. After investigation, the security team found nothing suspicious on the device. The second incident involved a user in the U.S. who noticed their cursor appeared frozen while random menus opened. They recorded a video showing this behavior and reported it after a shutdown. Both laptops are Dell Precision 5560s running Windows 11, have restricted admin rights, and I'm struggling to identify how this could happen. I'm curious if anyone else has experienced similar issues or has suggestions on what to look into next.
4 Answers
You might want to look deeper into your security setup. Even with admin rights restricted, there are exploit vectors that could allow remote access. Keeping your systems updated is vital. Have the forensic scans picked up anything unusual so far?
Have you checked if either laptop had wireless devices like a USB transceiver for a mouse or keyboard? Sometimes those can interfere and cause odd behavior. If that’s not the case, it might be related to the laptops’ vPro capabilities, which allow for remote access at a lower level. Just something to consider!
The user involved doesn’t use any wireless peripherals, so I doubt this is interference from them. I suspect something relating to Dell's systems is at play since the rest of the company uses Lenovo and hasn’t experienced anything like this.
You shouldn't rule out mistakes made by users, even in a tech environment. Accidental access can happen if someone granted remote help. Plus, if they’re in public places with Bluetooth on, someone could pair a device and control it. It might be worth reevaluating those assumptions.
You raise a good point about user error. I trust my team, but I know situations like this can happen. I’ll definitely consider a more thorough investigation and look into our remote access tools.
It sounds like an in-depth incident response would be beneficial here! Given the behavior, consider whether you have any remote management tools that could inadvertently allow access. Disconnecting potential external remote support tools could uncover clues about what's happening.
Thanks! I’ll certainly pass this info to the security team. We are using CyberArk and Intune for security, but it’s important to evaluate everything, especially with these strange incidents occurring!

We haven’t found anything suspicious in the scans, but it’s clear that whatever security measures are in place aren't catching this issue. I’ll keep this in mind for the next investigation.
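
A read-only triage sketch for the leads raised in the answers above (remote support tools, remote-help sessions, Bluetooth pairing, vPro), added here as an example and not posted by anyone in the thread. The tool-name pattern and the 30-day window are assumptions to adjust; run it in an elevated PowerShell session on the affected laptop.

```powershell
# Added example: read-only checks, nothing is changed on the machine.
$since       = (Get-Date).AddDays(-30)   # assumed look-back window
# Assumed, non-exhaustive name pattern for remote support / remote control software
$toolPattern = 'TeamViewer|AnyDesk|ScreenConnect|LogMeIn|VNC|QuickAssist|msra'

# 1. Remote support tools present as services or running right now
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $toolPattern -or $_.PathName -match $toolPattern } |
    Select-Object Name, State, StartMode, PathName
Get-Process |
    Where-Object { $_.ProcessName -match $toolPattern } |
    Select-Object ProcessName, Id, StartTime, Path

# 2. Successful logons of type 10 (RemoteInteractive, i.e. RDP-style sessions)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                User   = $data['TargetUserName']
                Source = $data['IpAddress']
            }
        }
    }

# 3. Session logon (21) and reconnect (25) events from the session manager log
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 25
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. Bluetooth and input devices Windows knows about, including ones not
#    currently connected (these show Status 'Unknown'); look for unfamiliar names
Get-PnpDevice -Class Bluetooth, Mouse, Keyboard, HIDClass -ErrorAction SilentlyContinue |
    Sort-Object Class, FriendlyName |
    Select-Object Class, Status, FriendlyName, InstanceId

# 5. Intel management components: the LMS service being present only shows the
#    software is installed; whether AMT is provisioned must be confirmed in firmware setup
Get-Service -Name LMS -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Compare the timestamps from sections 2 and 3 against the times the users reported the cursor moving, and compare section 4 against the peripherals each user actually owns.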