Hackers start abusing Action1 RMM in ransomware attacks

Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.

Action1 is a remote monitoring and management (RMM) product that is commonly used by managed service providers (MSPs) and the enterprise to remotely manage endpoints on a network.

The software allows admins to automate patch management and the deploying of security updates, install software remotely, catalog hosts, troubleshoot problems on endpoints, and get real-time reports.

While these types of tools are extremely helpful for admins, they are also valuable to threat actors who can use them to deploy malware or gain persistence to networks.

Running binaries as system

, a member of the volunteer analyst group , noticed the Action1 RMM platform being abused by multiple threat actors for reconnaissance activity and to execute code with system privileges on network hosts.

The that after installing the Action1 agent, the adversaries create a policy to automate the execution of binaries (e.g. Process Monitor, PowerShell, Command Prompt) required in the attack.

Threat actor deploying binaries via Action1 agent
source: Kostas

Tsale highlights that apart from the remote access capabilities, Action1 is available at no cost for up to 100 endpoints, which is the only restriction in the free version of the product.

Action1 abused in ransomware attacks

BleepingComputer tried to learn more about incidents where the Action1 RMM platform is being abused and was told by sources that it was observed in ransomware attacks from multiple threat actors.

The product has been leveraged in the initial stages of at least three recent ransomware attacks using distinct malware strains. We could not find the specific ransomware deployed during the incidents, though.

However, we were told that the tactics, techniques, and procedures (TTPs) echo an attack that the BlackBerry Incident Response team investigated last summer.

The threat researchers attributed the attack to a group called Monti, that was unknown at the time. The hackers breached the environment after exploiting the .

BlackBerry’s showed that most of the indicators of compromise (IoC) in the Monti attack were seen in ransomware incidents attributed to the Conti syndicate. One IoC that stood out was the used of the Action1 RMM agent.

While Conti attacks did rely on remote access software, the typical choices were the AnyDesk application and the – to install agents on the compromised network thus obtaining remote access to all the hosts.

There are also cases where brokers to organizations through ManageEngine Desktop Central software from Zoho, a product that allows admins to manage Windows, Linux, and Mac systems on the network.

From a ransomware perspective, legitimate RMM software is versatile enough to fit their needs, provides wide reach on the network, and ensures continued persistence because security agents in the environment do not usually flag the platforms as a threat.

AI-based filtering

While Action1 RMM is used legitimately across the world by thousands of administrators, the vendor is aware that the product is being abused by threat actors in the post-compromise stage of an attack for lateral movement.

Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, told BleepingComputer that the company introduced last year a system based on artificial intelligence to detect abnormal user behavior and to prevent hackers from using the platform for malicious purposes.

“Last year we rolled-out a threat actor filtering system that scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue” – Mike Walters

Action1 is working on including new measures to stop the misuse of the platform, the researcher said, adding that the company is “fully open to cooperation with both victims and legal authorities” on cases where Action1 was leveraged for cyberattacks.