Defending Against Rogue IP KVMs: Detection and Mitigation Strategies

IP KVM (Keyboard, Video, Mouse over IP) devices provide remote administrative access to servers and workstations. While intended for legitimate SOC operations and data center management, these tools are increasingly repurposed by threat actors for stealthy persistence and operational security. According to SANS Internet Storm Center, recent reporting from researchers at Eclypsium highlights significant vulnerabilities in these devices, but a secondary and equally pressing concern is the deployment of “rogue” IP KVMs by malicious actors.

Unlike software-based remote access tools (RATs) that can be flagged by an EDR, an IP KVM operates at the hardware level. By connecting to the physical USB and video ports of a machine, the device emulates a local user. This allows a remote attacker to interact with the system BIOS, install OS-level Malware, or perform Lateral Movement without triggering standard software-based detection mechanisms. Because the operating system perceives the input as coming from a physically connected keyboard and mouse, many security logs fail to distinguish between a local administrator and a remote attacker.

Exploitation by North Korean Threat Actors

The use of IP KVMs has been prominently featured in campaigns attributed to North Korean threat actors. In these scenarios, Lazarus Group or related entities facilitate employment fraud by sending laptops to “mules” or facilitators within the United States. The remote workers then connect IP KVMs to these laptops, allowing them to perform their jobs from abroad while appearing to be local. This North Korean remote access fraud KVM scheme ensures that the Phishing or social engineering tactics used to gain employment are not undone by simple geo-IP checks or software monitoring.

Technical Analysis: How to Detect Rogue IP KVMs

Detecting these devices requires a shift from host-based monitoring to network-centric visibility. Because these devices often use standard network stacks to provide the “IP” portion of the KVM, they can be identified through several TTP indicators:

1. MAC Address Profiling: Many IP KVMs use NICs from specific manufacturers, such as Lantronix or Avocent, or utilize Raspberry Pi foundations for DIY models like PiKVM. Organizations should monitor for unexpected OUI (Organizationally Unique Identifier) prefixes on workstation-only VLANs.
2. Traffic Patterns and Port Scanning: IP KVMs typically host web interfaces for remote management (Ports 80/443) or specialized C2 ports. Routine internal scanning monitored by a SIEM can help identify unauthorized services running on the internal network.
3. USB Enumeration Monitoring: Since these devices present themselves as physical keyboards or mice, sudden changes in the hardware IDs or the serial numbers of connected peripherals can be an IoC. Advanced endpoint monitoring can sometimes capture the insertion of new HID (Human Interface Device) descriptors.

IP KVM Security Best Practices

To mitigate the risk of unauthorized hardware, organizations should adopt a Zero Trust approach to physical port security and network access control. Implementing 802.1X for all wired ports is the most effective way to prevent a rogue device from communicating with the broader network. Additionally, legitimate IP KVMs must be isolated within a dedicated management network with restricted access, ensuring they are not reachable from the general internet or untrusted internal segments. Regular physical audits of workstations in sensitive environments remain a necessity to identify unauthorized USB or HDMI dongles that bypass digital defenses.