Breaking

Action1 RMM exploited for a ransomware attack on MSPs and IT Departments

Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.

This article will explore how the Action1 RMM was exploited for a Ransomware Attack by hackers, and how Action1 Corporation is working to prevent the misuse of its platform.

Action1 RMM used in a Ransomware Attack

Action1 is a remote monitoring and management (RMM) product that is commonly used by managed service providers (MSPs) and enterprises to remotely manage endpoints on a network. The software allows admins to automate patch management and the deploying of security updates, install software remotely, catalog hosts, troubleshoot problems on endpoints, and get real-time reports.

While these types of tools are extremely helpful for admins, they are also valuable to threat actors who can use them to deploy malware or gain persistence to networks.

Ransomware attack through persistence on networks

Kostas, a member of the volunteer analyst group The DFIR Report, noticed the Action1 RMM platform being abused by multiple threat actors for reconnaissance activity and to execute code with system privileges on network hosts.

The researcher says that after installing the Action1 agent, the adversaries create a policy to automate the execution of binaries (e.g. Process Monitor, PowerShell, Command Prompt) required in the attack.

When investigators tried to learn more about incidents how the Action1 RMM platform is being abused, it was communicated that their is a pattern of ransomware attacks from multiple threat actors. The product has been leveraged in the initial stages of at least three recent ransomware attacks using distinct malware strains.

AI-based filtering to detect abnormal user behavior

While Action1 RMM is used legitimately across the world by thousands of administrators, the vendor is aware that the product is being abused by threat actors in the post-compromise stage of an attack for lateral movement.

Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation mentioned that the company introduced last year a system based on artificial intelligence to detect abnormal user behavior and to prevent hackers from using the platform for malicious purposes.

Action1 is working on including new measures to stop the misuse of the platform, the researcher said, adding that the company is “fully open to cooperation with both victims and legal authorities” on cases where Action1 was leveraged for cyberattacks.

Share the article with your friends
William Marshal

William has been one of the key contributors to 'The Cybersecurity Times' with 9.5 years of experience in the cybersecurity journalism. Apart from writing, he also like hiking, skating and coding.

Recent Posts

Best Microsoft Intune Alternatives: Top 5 MDMs to Consider

Explore the top 5 best Microsoft Intune alternatives, comparing key features, user reviews, and capabilities…

1 day ago

Top 7 Best Smartphones with Best Security Features in 2024

Discover the top 7 smartphones of 2024 with best security features, offering privacy, performance, and…

3 weeks ago

Top 11 Log Management Tools for Efficient System Management

Discover the top 11 log management tools for efficient system management and monitoring. Learn about…

2 months ago

Top 5 Threat Intelligence Tools For 2024

Explore the top 5 threat intelligence tools, their features, and how they enhance cybersecurity against…

2 months ago

Privileged Access Management: 5 Best PAM Solutions in the Market

Explore the top 5 best PAM Tools, market trends, and expert insights to secure the…

2 months ago

Apple Device Management: Top Solutions for iOS and macOS Management

Explore the top solutions for Apple Device Management including to iOS Device Management and macOS…

2 months ago