Security researchers warn that cybercriminals have increasingly used Action1 remote access software to persist on compromised networks and execute commands, scripts and binaries.
Action1 is a remote monitoring and management (RMM) product commonly used by managed service providers (MSPs) and enterprises to manage network endpoints remotely, for example to install updates and software and to manage patches.
According to The DFIR Report, the Action1 RMM platform is used by several threat actors to reconnoiter and execute code with system privileges on network hosts.
Once the Action1 agent is installed, the attackers create a policy to automate the execution of binary files (for example, Process Monitor, PowerShell, Command Prompt).
The product has been used in the initial stages of at least three recent ransomware attacks. However, experts were unable to identify the specific ransomware deployed during the incidents.
Notably, the tactics, techniques, and procedures (TTPs) of the campaign closely mirror last year's Monti attack, about which little is known. In that attack, the hackers compromised the environment through the Log4Shell vulnerability. Most of the indicators of compromise (IoCs) seen in the Monti attack had also been observed in attacks by the Conti syndicate. One of the more notable IoCs was the use of the Action1 agent.
Legitimate RMM programs suit the needs of cybercriminals well. Such programs provide broad network coverage and resilience, since security tools in the environment usually do not flag RMM platforms as a threat.
It is worth noting that Action1 is aware that attackers misuse the product in the post-exploitation phase for lateral movement. Action1 is working to add new measures to stop misuse of the platform, and the company says it is "fully open to cooperating with both victims and law enforcement" in cases where Action1 has been used in cyberattacks.