Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.
Action1 is a remote monitoring and management (RMM) product that is commonly used by managed service providers (MSPs) and the enterprise to remotely manage endpoints on a network.
The software allows admins to automate patch management and the deploying of security updates, install software remotely, catalog hosts, troubleshoot problems on endpoints, and get real-time reports.
While these types of tools are extremely helpful for admins, they are also valuable to threat actors who can use them to deploy malware or gain persistence to networks.
Running binaries as system
Kostas, a member of the volunteer analyst group The DFIR Report, noticed the Action1 RMM platform being abused by multiple threat actors for reconnaissance activity and to execute code with system privileges on network hosts.
The researcher says that after installing the Action1 agent, the adversaries create a policy to automate the execution of binaries (e.g. Process Monitor, PowerShell, Command Prompt) required in the attack.
source: Kostas
Tsale highlights that apart from the remote access capabilities, Action1 is available at no cost for up to 100 endpoints, which is the only restriction in the free version of the product.
Action1 abused in ransomware attacks
BleepingComputer tried to learn more about incidents where the Action1 RMM platform is being abused and was told by sources that it was observed in ransomware attacks from multiple threat actors.
The product has been leveraged in the initial stages of at least three recent ransomware attacks using distinct malware strains. We could not find the specific ransomware deployed during the incidents, though.
However, we were told that the tactics, techniques, and procedures (TTPs) echo an attack that the BlackBerry Incident Response team investigated last summer.
The threat researchers attributed the attack to a group called Monti, that was unknown at the time. The hackers breached the environment after exploiting the Log4Shell vulnerability.
BlackBerry’s analysis showed that most of the indicators of compromise (IoC) in the Monti attack were seen in ransomware incidents attributed to the Conti syndicate. One IoC that stood out was the used of the Action1 RMM agent.
While Conti attacks did rely on remote access software, the typical choices were the AnyDesk application and the trial access to the Atera RMM - to install agents on the compromised network thus obtaining remote access to all the hosts.
There are also cases where brokers sold initial access to organizations through ManageEngine Desktop Central software from Zoho, a product that allows admins to manage Windows, Linux, and Mac systems on the network.
From a ransomware perspective, legitimate RMM software is versatile enough to fit their needs, provides wide reach on the network, and ensures continued persistence because security agents in the environment do not usually flag the platforms as a threat.
AI-based filtering
While Action1 RMM is used legitimately across the world by thousands of administrators, the vendor is aware that the product is being abused by threat actors in the post-compromise stage of an attack for lateral movement.
Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, told BleepingComputer that the company introduced last year a system based on artificial intelligence to detect abnormal user behavior and to prevent hackers from using the platform for malicious purposes.
“Last year we rolled-out a threat actor filtering system that scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue” - Mike Walters
"At the same time, I would like to emphasize that these attacks do not target the Action1 users since our platform has not been compromised," Walters added
Action1 is working on including new measures to stop the misuse of the platform, the researcher said, adding that the company is “fully open to cooperation with both victims and legal authorities” on cases where Action1 was leveraged for cyberattacks.
Update [April 18]: Added updated statement from Action1.
Comments
Action1 - 10 months ago
Hi, this is Mike Walters from Action1. We noticed that the article's title has caused confusion among some of our users, leading them to wonder if our platform has been compromised. We'd like to clarify that Action1 has not been hacked and that our users' accounts remain safe from potential threats. At Action1, we take internal security very seriously and invest significant resources in safeguarding our platform and its users.
At the same time, it's quite common for hackers to misuse legitimate tools once they've breached a victim's environment. In fact, many endpoint management tools have been misused by threat actors for multiple times in the past. As Action1 grows as a company and becomes more prominent, we undoubtedly attract attention from all sides, including bad actors who attempt to misuse Action1, among other tools with remote assist/remote connection capabilities.
We want to emphasize that Action1 was not hacked, our platform was not compromised in any way. Hackers do not have access to any of our customers or anyone with an Action1 account. We remain committed to ensuring the security and safety of our users.
Action1 - 10 months ago
For those who are interested in a more detailed response to the article, please check out our statement at this link: https://www.action1.com/action1-has-not-been-compromised-statement-in-response-to-recent-bleeping-computer-article/