
Action1 RMM Abused by Threat Actors for Ransomware Attacks

Experts are warning that threat actors are increasingly abusing the legitimate remote access software Action1 for various malicious tasks, including maintaining persistence on compromised networks and running commands, binaries, and scripts. Action1 is mostly used by MSPs and enterprises to manage endpoints remotely.

Use of Action1 in ransomware attacks

A member of The DFIR Report (a volunteer analyst group) spotted the Action1 RMM platform being used by multiple threat actors.
  • Action1 was used in the initial stages of three recent ransomware attacks using different malware strains. These attacks have been attributed to a group identified as Monti, which abused Log4Shell.
  • Many of the TTPs and IoCs observed in the Monti attack were linked to past ransomware attacks associated with the Conti group, except for one noticeable change in the use of the RMM agent.
  • The Conti attacks relied on the remote access software Atera RMM and AnyDesk to install agents on the compromised network. In contrast, past and current Monti attacks have used Action1 for remote access.

Operational details

  • After installing Action1, the threat actors create a policy to automate the execution of the binaries needed for the attack, such as PowerShell, Process Monitor, and Command Prompt.
  • Action1 is available free of charge for up to 100 endpoints, which is the free version's only limitation, making it popular among threat actors.

Conclusion

The increasing abuse of Action1 is a serious concern, as it gives attackers wide reach across a victim's network and ensures continued persistence. Further, security tools in the environment usually do not flag the agent as a threat, since it is identified as legitimate, whitelisted software. For safety, Action1 is adding new steps to stop abuse of the platform.
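The two points above, an RMM policy used to launch PowerShell, Process Monitor and Command Prompt, and the agent passing as whitelisted software, suggest the two checks a defender can add on top of plain allow-listing: alert when an RMM agent starts on a host where no RMM is approved, and alert when an RMM agent is the parent of an execution utility. The following is an added example, not code from the article or from Action1; the agent binary name `action1_agent.exe` and the other process names are assumptions, and the Sysmon-style process-creation records are constructed.

```python
"""Detection example: unapproved RMM agents and RMM-spawned execution utilities.

The event records below are constructed Sysmon-style process-creation events,
not real telemetry. The agent binary names are assumptions for illustration.
"""
import json
from dataclasses import dataclass
from typing import Iterable

# Assumed binary names for the RMM/remote access tools named in the article.
RMM_AGENTS = {"action1_agent.exe", "ateraagent.exe", "anydesk.exe"}

# Execution utilities the article says attackers launch through an RMM policy.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "procmon.exe", "procmon64.exe"}

# Constructed inventory: hosts where IT has actually approved an RMM agent.
APPROVED_RMM_HOSTS = {"ws-admin-01": {"action1_agent.exe"}}


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: Iterable[dict]) -> list[Alert]:
    """Apply both rules to process-creation events and return alerts in order."""
    alerts: list[Alert] = []
    for ev in events:
        host = ev["host"]
        image = basename(ev["Image"])
        parent = basename(ev.get("ParentImage", ""))
        # Rule 1: an RMM agent process on a host with no approved RMM agent.
        # Allow-listing the binary globally is what lets the abuse go unflagged;
        # tying approval to a host inventory restores a signal.
        if image in RMM_AGENTS and image not in APPROVED_RMM_HOSTS.get(host, set()):
            alerts.append(Alert(host, "unapproved-rmm-agent", f"{image} started"))
        # Rule 2: an RMM agent spawning a shell or execution utility, which is how
        # the automation policy described in the article runs its binaries.
        if parent in RMM_AGENTS and image in SUSPICIOUS_CHILDREN:
            cmd = ev.get("CommandLine", "")
            alerts.append(Alert(host, "rmm-spawned-execution", f"{parent} -> {image}: {cmd}"))
    return alerts


# Constructed sample events (JSON lines), one process creation per line.
SAMPLE_EVENTS = """
{"host": "ws-admin-01", "Image": "C:\\\\Windows\\\\Action1\\\\action1_agent.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\services.exe", "CommandLine": "action1_agent.exe"}
{"host": "srv-files-02", "Image": "C:\\\\Windows\\\\Action1\\\\action1_agent.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\services.exe", "CommandLine": "action1_agent.exe"}
{"host": "srv-files-02", "Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "ParentImage": "C:\\\\Windows\\\\Action1\\\\action1_agent.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\\\Windows\\\\Temp\\\\task.ps1"}
{"host": "ws-admin-01", "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "ParentImage": "C:\\\\Windows\\\\explorer.exe", "CommandLine": "cmd.exe"}
""".strip()


def load_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_sample() -> list[Alert]:
    """Run both rules over the constructed sample and return the alerts."""
    return analyze(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

On the sample, the approved agent on ws-admin-01 and the user-launched cmd.exe produce nothing, while the agent on srv-files-02 trips rule 1 and its PowerShell child trips rule 2. In a real deployment the inventory in `APPROVED_RMM_HOSTS` would come from the asset system, and rule 2 is expected to fire on legitimate administrator automation as well, so its alerts are best routed for review against change records rather than auto-blocked.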
Publisher: Cyware