Action1 RMM exploited for a ransomware attack on MSPs and IT Departments

Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.

This article will explore how the Action1 RMM was exploited for a Ransomware Attack by hackers, and how Action1 Corporation is working to prevent the misuse of its platform.

Action1 RMM used in a Ransomware Attack

Action1 is a remote monitoring and management (RMM) product that is commonly used by managed service providers (MSPs) and enterprises to remotely manage endpoints on a network. The software allows admins to automate patch management and the deploying of security updates, install software remotely, catalog hosts, troubleshoot problems on endpoints, and get real-time reports.

While these types of tools are extremely helpful for admins, they are also valuable to threat actors who can use them to deploy malware or gain persistence to networks.

Ransomware attack through persistence on networks

Kostas, a member of the volunteer analyst group The DFIR Report, noticed the Action1 RMM platform being abused by multiple threat actors for reconnaissance activity and to execute code with system privileges on network hosts.

The researcher says that after installing the Action1 agent, the adversaries create a policy to automate the execution of binaries (e.g. Process Monitor, PowerShell, Command Prompt) required in the attack.

When investigators tried to learn more about incidents how the Action1 RMM platform is being abused, it was communicated that their is a pattern of ransomware attacks from multiple threat actors. The product has been leveraged in the initial stages of at least three recent ransomware attacks using distinct malware strains.

AI-based filtering to detect abnormal user behavior

While Action1 RMM is used legitimately across the world by thousands of administrators, the vendor is aware that the product is being abused by threat actors in the post-compromise stage of an attack for lateral movement.

Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation mentioned that the company introduced last year a system based on artificial intelligence to detect abnormal user behavior and to prevent hackers from using the platform for malicious purposes.

Action1 is working on including new measures to stop the misuse of the platform, the researcher said, adding that the company is “fully open to cooperation with both victims and legal authorities” on cases where Action1 was leveraged for cyberattacks.