{"id":7797,"date":"2023-04-16T01:28:17","date_gmt":"2023-04-16T01:28:17","guid":{"rendered":"https:\/\/www.thecybersecuritytimes.com\/?p=7797"},"modified":"2023-04-26T14:00:45","modified_gmt":"2023-04-26T14:00:45","slug":"action1-rmm-exploited-for-a-ransomware-attack-on-msps-and-it-departments","status":"publish","type":"post","link":"https:\/\/www.thecybersecuritytimes.com\/action1-rmm-exploited-for-a-ransomware-attack-on-msps-and-it-departments\/","title":{"rendered":"Action1 RMM exploited for a ransomware attack on MSPs and IT Departments"},"content":{"rendered":"\n<p>Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries. <\/p>\n\n\n\n<p>This article will explore how the Action1 RMM was exploited for a Ransomware Attack by hackers, and how Action1 Corporation is working to prevent the misuse of its platform.<\/p>\n\n\n\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-6793918737846402\"\n     crossorigin=\"anonymous\"><\/script>\n<ins class=\"adsbygoogle\"\n     style=\"display:block\"\n     data-ad-format=\"fluid\"\n     data-ad-layout-key=\"-ge+8+ej-3d-mz\"\n     data-ad-client=\"ca-pub-6793918737846402\"\n     data-ad-slot=\"9513409588\"><\/ins>\n<script>\n     (adsbygoogle = window.adsbygoogle || []).push({});\n<\/script>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Action1 RMM used in a Ransomware Attack<\/strong> <\/h2>\n\n\n\n<p>Action1 is a remote monitoring and management (RMM) product that is commonly used by managed service providers (MSPs) and enterprises to remotely manage endpoints on a network. The software allows admins to automate patch management and the deploying of security updates, install software remotely, catalog hosts, troubleshoot problems on endpoints, and get real-time reports.<\/p>\n\n\n\n<p>While these types of tools are extremely helpful for admins, they are also valuable to threat actors who can use them to deploy malware or gain persistence to networks.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\" id=\"Action1-RMM-ransomware-attack\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.thecybersecuritytimes.com\/wp-content\/uploads\/2023\/04\/image-33-1024x159.png\" alt=\"Action1 RMM ransomware attack\" class=\"wp-image-7799\" width=\"840\" height=\"130\" title=\"Action1 RMM ransomware attack\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Ransomware attack through persistence on networks<\/strong><\/h2>\n\n\n\n<p><a href=\"https:\/\/twitter.com\/Kostastsale\" target=\"_blank\" aria-label=\"Kostas (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"ek-link\">Kostas<\/a>, a member of the volunteer analyst group <a href=\"https:\/\/thedfirreport.com\/services\/\" target=\"_blank\" aria-label=\"The DFIR Report (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"ek-link\">The DFIR Report<\/a>, noticed the Action1 RMM platform being abused by multiple threat actors for reconnaissance activity and to execute code with system privileges on network hosts. <\/p>\n\n\n\n<p>The researcher says that after installing the Action1 agent, the adversaries create a policy to automate the execution of binaries (e.g. Process Monitor, PowerShell, Command Prompt) required in the attack.<\/p>\n\n\n\n<p>When investigators tried to learn more about incidents how the Action1 RMM platform is being abused, it was communicated that their is a pattern of ransomware attacks from multiple threat actors. The product has been leveraged in the initial stages of at least three recent ransomware attacks using distinct malware strains.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>AI-based filtering to detect abnormal user behavior<\/strong><\/h2>\n\n\n\n<p>While Action1 RMM is used legitimately across the world by thousands of administrators, the vendor is aware that the product is being abused by threat actors in the post-compromise stage of an attack for lateral movement. <\/p>\n\n\n\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-6793918737846402\"\n     crossorigin=\"anonymous\"><\/script>\n<ins class=\"adsbygoogle\"\n     style=\"display:block\"\n     data-ad-format=\"fluid\"\n     data-ad-layout-key=\"-ge+8+ej-3d-mz\"\n     data-ad-client=\"ca-pub-6793918737846402\"\n     data-ad-slot=\"9513409588\"><\/ins>\n<script>\n     (adsbygoogle = window.adsbygoogle || []).push({});\n<\/script>\n\n\n\n<p>Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation mentioned that the company introduced last year a system based on artificial intelligence to detect abnormal user behavior and to prevent hackers from using the platform for malicious purposes. <\/p>\n\n\n\n<p>Action1 is working on including new measures to stop the misuse of the platform, the researcher said, adding that the company is \u201cfully open to cooperation with both victims and legal authorities\u201d on cases where Action1 was leveraged for cyberattacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn how cybercriminals are using Action1 RMM remote access software for ransomware attacks. Security researchers warn about the abuse of RMM products.<\/p>\n","protected":false},"author":8,"featured_media":7800,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[72,116,44,108,52,91],"tags":[84,99,280,189],"class_list":["post-7797","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-breaking","category-computer-security-2","category-cyber-security","category-data-security","category-device-security","category-latest-cybersecurity-news","tag-cybersecurity","tag-data-security","tag-ransomware","tag-ransomware-attack"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/www.thecybersecuritytimes.com\/wp-json\/wp\/v2\/posts\/7797"}],"collection":[{"href":"https:\/\/www.thecybersecuritytimes.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thecybersecuritytimes.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thecybersecuritytimes.com\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thecybersecuritytimes.com\/wp-json\/wp\/v2\/comments?post=7797"}],"version-history":[{"count":2,"href":"https:\/\/www.thecybersecuritytimes.com\/wp-json\/wp\/v2\/posts\/7797\/revisions"}],"predecessor-version":[{"id":7812,"href":"https:\/\/www.thecybersecuritytimes.com\/wp-json\/wp\/v2\/posts\/7797\/revisions\/7812"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thecybersecuritytimes.com\/wp-json\/wp\/v2\/media\/7800"}],"wp:attachment":[{"href":"https:\/\/www.thecybersecuritytimes.com\/wp-json\/wp\/v2\/media?parent=7797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thecybersecuritytimes.com\/wp-json\/wp\/v2\/categories?post=7797"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thecybersecuritytimes.com\/wp-json\/wp\/v2\/tags?post=7797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}