Hackers start abusing Action1 RMM in ransomware attacks
Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.
Action1 is a remote monitoring and management (RMM) product that is commonly used by managed service providers (MSPs) and enterprises to remotely manage endpoints on a network.
The software allows admins to automate patch management and the deployment of security updates, install software remotely, catalog hosts, troubleshoot problems on endpoints, and get real-time reports.
While all these capabilities are extremely useful for admins, they are also valuable to threat actors, who can use them to deploy malware or gain persistence on networks.
Running binaries as SYSTEM
Kostas, a member of the volunteer analyst group The DFIR Report, noticed the Action1 RMM platform being abused by multiple threat actors for reconnaissance activity and to execute code with SYSTEM privileges on network hosts.
The researcher says that after installing the Action1 agent, the adversaries create a policy to automate the execution of the binaries (e.g. Process Monitor, PowerShell, Command Prompt) required in the attack.
Tsale highlights that, apart from the remote access capabilities, Action1 is available at no cost for up to 100 endpoints, which is the only restriction in the free version of the product.
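The policy-driven execution described above leaves a recognisable trail in endpoint telemetry: the agent process, normally running as SYSTEM, becomes the parent of PowerShell, cmd.exe or Process Monitor, and the agent itself turns up on hosts where nobody deployed it. The Python below is an added example written for this page, not code from The DFIR Report, BleepingComputer or Action1. It runs a hunt over constructed Sysmon-style process-creation records and assumes two things that are not stated in the article: that the agent binary is named action1_agent.exe (check the actual name in your own deployment) and that you keep an inventory of hosts where Action1 is legitimately installed.

```python
"""Hunt for Action1-style RMM abuse in process-creation telemetry.

Added example for this page (not the article's or Action1's code). Assumptions:
- events are Sysmon Event ID 1 style records already parsed into dicts
- the Action1 agent runs as C:\\Windows\\Action1\\action1_agent.exe (assumed name and path)
- an inventory of hosts where Action1 is legitimately deployed is available
"""
import ntpath
import re

AGENT_IMAGES = {"action1_agent.exe"}  # assumed Action1 agent binary name
# Tools the article says were pushed through Action1 policies, plus common variants.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "procmon.exe", "procmon64.exe"}
# Command-line indicators that are unusual for a routine patch or inventory script.
SUSPICIOUS_ARGS = re.compile(
    r"-enc(odedcommand)?\b|frombase64string|downloadstring|\biex\b|invoke-expression"
)

# Hosts where Action1 is known to be deployed (constructed inventory).
APPROVED_HOSTS = {"WS01", "WS02"}

# Constructed sample telemetry in the shape of Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"NT AUTHORITY\SYSTEM", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\Action1\action1_agent.exe", "command_line": "action1_agent.exe"},
    {"host": "WS01", "user": r"NT AUTHORITY\SYSTEM", "parent_image": r"C:\Windows\Action1\action1_agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Windows\Action1\scripts\update.ps1"},
    {"host": "SRV-DB02", "user": r"NT AUTHORITY\SYSTEM", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\Action1\action1_agent.exe", "command_line": "action1_agent.exe"},
    {"host": "SRV-DB02", "user": r"NT AUTHORITY\SYSTEM", "parent_image": r"C:\Windows\Action1\action1_agent.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami && net group \"domain admins\" /domain"},
    {"host": "WS01", "user": r"NT AUTHORITY\SYSTEM", "parent_image": r"C:\Windows\Action1\action1_agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "WS03", "user": r"CORP\alice", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe"},
]


def _name(path: str) -> str:
    """Lower-cased basename of a Windows path."""
    return ntpath.basename(path).lower()


def detect_rmm_abuse(events, approved_hosts):
    """Return findings for agent presence outside the inventory and for agent-launched tooling.

    Severity "high": the agent runs, or launches a shell/tool, on a host not in the inventory.
    Severity "medium": on an approved host the agent launched a shell with obfuscation or
    download indicators, which a routine patch policy rarely needs.
    """
    approved = {h.upper() for h in approved_hosts}
    findings = []
    for ev in events:
        host = ev["host"].upper()
        image, parent = _name(ev["image"]), _name(ev["parent_image"])

        if image in AGENT_IMAGES and host not in approved:
            findings.append({"host": ev["host"], "user": ev["user"], "severity": "high",
                             "reason": "Action1 agent running on a host not in the RMM inventory",
                             "detail": ev["image"]})
            continue

        if parent in AGENT_IMAGES and image in SUSPICIOUS_CHILDREN:
            cmd = ev["command_line"]
            if host not in approved:
                findings.append({"host": ev["host"], "user": ev["user"], "severity": "high",
                                 "reason": "Action1 agent spawned an interactive tool on an unapproved host",
                                 "detail": cmd})
            elif SUSPICIOUS_ARGS.search(cmd.lower()):
                findings.append({"host": ev["host"], "user": ev["user"], "severity": "medium",
                                 "reason": "Action1 policy launched a shell with obfuscation/download indicators",
                                 "detail": cmd})
    return findings


if __name__ == "__main__":
    for f in detect_rmm_abuse(SAMPLE_EVENTS, APPROVED_HOSTS):
        print(f"[{f['severity'].upper()}] {f['host']} ({f['user']}): {f['reason']} :: {f['detail']}")
```

The inventory check is what makes this usable: admins legitimately push PowerShell through Action1 policies, so agent-spawned shells alone are not a signal on approved hosts, whereas the agent appearing at all on a host nobody enrolled is, regardless of what it runs.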
Action1 abused in ransomware attacks
BleepingComputer tried to learn more about incidents where the Action1 RMM platform is being abused and was told by sources that it has been observed in ransomware attacks from multiple threat actors.
The product has been leveraged in the initial stages of at least three recent ransomware attacks using distinct malware strains. We could not learn the specific ransomware deployed during the incidents, though.
However, we were told that the tactics, techniques, and procedures (TTPs) echo an attack that the BlackBerry Incident Response team investigated last summer.
The threat researchers attributed the attack to a group called Monti, which was unknown at the time. The hackers breached the environment after exploiting the Log4Shell vulnerability.
BlackBerry's research showed that most of the indicators of compromise (IoCs) in the Monti attack had been seen in ransomware incidents attributed to the Conti syndicate. One IoC that stood out was the use of the Action1 RMM agent.
While Conti attacks did rely on remote access software, the usual choices were the AnyDesk application and trial access to the Atera RMM, used to install agents on the compromised network and thus obtain remote access to all the hosts.
There are also cases where brokers sold initial access to organizations through ManageEngine Desktop Central software from Zoho, a product that allows admins to manage Windows, Linux, and Mac systems on the network.
From a ransomware perspective, legitimate RMM software is flexible enough to fit the attackers' needs, provides wide reach across the network, and ensures continued persistence because security agents in the environment do not usually flag the platforms as a threat.
While Action1 RMM is used legitimately worldwide by thousands of administrators, the vendor is aware that the product is being abused by threat actors in the post-compromise stage of an attack for lateral movement.
Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, told BleepingComputer that the company launched last year a system based on artificial intelligence to detect abnormal user behavior and to prevent hackers from using the platform for malicious purposes.
“Last year we rolled out a threat actor filtering system that scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue” – Mike Walters
Action1 is working on additional measures to stop misuse of the platform, Walters said, adding that the company is “fully open to cooperation with both victims and legal authorities” on cases where Action1 was leveraged for cyberattacks.