Action1 RMM platform used to establish persistence and deploy ransomware

    Security researchers warn that cybercriminals have increasingly used Action1 remote access software to persist on compromised networks and execute commands, scripts and binaries.

    Action1 is a remote monitoring and management (RMM) product commonly used by managed service providers (MSPs) and enterprises to administer network endpoints remotely, for example to install software, roll out updates and manage patches.

    According to The DFIR Report, several threat actors have used the Action1 RMM platform to perform reconnaissance and execute code with SYSTEM privileges on network hosts.

    Once the Action1 agent is installed, the attackers create a policy that automates the execution of binaries (for example, Process Monitor, PowerShell and Command Prompt) on the enrolled hosts.

    The product was used in the initial stages of at least three recent ransomware attacks. The researchers were, however, unable to identify the specific ransomware deployed during those incidents.

    Notably, the tactics, techniques and procedures (TTPs) of the campaign replicate those of last year's Monti attack, about which little is known. In that intrusion, the attackers gained initial access through the Log4Shell vulnerability. Most of the indicators of compromise (IoCs) from the Monti attack had also been seen in attacks by the Conti syndicate; one of the more notable shared IoCs was the use of the Action1 agent.

    Legitimate RMM products are versatile enough to cover most of an attacker's post-compromise needs: they provide broad reach across the network and a resilient foothold, since security tools in the environment usually do not flag RMM platforms as a threat.
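    Because the agent itself is legitimate software, the practical detection is not a signature on the binary but knowing where Action1 is sanctioned and watching what the agent spawns. The Python script below is an added example, not code from the article, The DFIR Report or Action1: it runs exactly that logic over a few constructed Sysmon-style process-creation records. The agent's binary name (action1_agent.exe), the set of sanctioned hosts and the sample events are all assumptions to be replaced with values from your own deployment and telemetry.

```python
"""Flag suspicious Action1 agent activity in Sysmon-style process-creation records.

Assumptions (not from the article): the agent runs as action1_agent.exe, and the
set of hosts where Action1 is sanctioned is known from your RMM inventory.
"""
from dataclasses import dataclass

# Assumed process name of the Action1 agent; verify against your own deployment.
ACTION1_AGENT = "action1_agent.exe"

# Hosts where Action1 is legitimately deployed (assumption: replace with your inventory).
SANCTIONED_HOSTS = {"ws-helpdesk01"}

# Child processes the article reports attackers launching through an Action1 policy
# (Process Monitor, PowerShell, Command Prompt), plus PowerShell 7's binary.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "procmon.exe", "procmon64.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal subset of a Sysmon Event ID 1 (process creation) record."""
    host: str
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_action1(path: str) -> bool:
    return basename(path) == ACTION1_AGENT


def classify(ev: ProcessEvent) -> list[str]:
    """Return the detection names that fire for one event (empty if benign)."""
    findings = []
    # 1. The agent spawning a shell or Procmon: the execution pattern the article describes.
    if is_action1(ev.parent_image) and basename(ev.image) in SUSPICIOUS_CHILDREN:
        findings.append("action1-spawned-shell")
    # 2. The agent starting on a host where Action1 was never rolled out: the
    #    persistence pattern, regardless of what it goes on to run.
    if is_action1(ev.image) and ev.host.lower() not in SANCTIONED_HOSTS:
        findings.append("action1-on-unsanctioned-host")
    return findings


def scan(events: list[ProcessEvent]) -> list[tuple[str, str, str]]:
    """Run every event through classify(); return (host, process, detection) triples."""
    return [(ev.host, basename(ev.image), name) for ev in events for name in classify(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("ws-helpdesk01", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("ws-helpdesk01", r"C:\Windows\Action1\action1_agent.exe",
                 r"C:\Windows\System32\services.exe", "action1_agent.exe"),   # sanctioned host
    ProcessEvent("fs-01", r"C:\Windows\Action1\action1_agent.exe",
                 r"C:\Windows\System32\services.exe", "action1_agent.exe"),   # never deployed here
    ProcessEvent("fs-01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\Action1\action1_agent.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA"),              # agent-driven PowerShell
    ProcessEvent("ws-helpdesk01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe", "cmd.exe"),                       # user-launched shell
]

if __name__ == "__main__":
    for host, proc, name in scan(SAMPLE_EVENTS):
        print(f"{host}: {proc} -> {name}")
```

    On the constructed input only the two fs-01 events fire: the agent appearing on a host outside the inventory, and that agent launching an encoded PowerShell command. The "action1-spawned-shell" rule will also fire on sanctioned hosts when administrators legitimately push scripts, so in production it is worth pairing it with the command line (encoded commands, download cradles) rather than alerting on every shell.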

    It is worth noting that Action1 is aware that the product is being abused in the post-exploitation, lateral-movement phase of attacks. The company is working on new measures to stop misuse of the platform, adding that it is "fully open to cooperating with both victims and law enforcement" in cases where Action1 has been used in cyberattacks.

    Author DeepWeb