Yet another legitimate enterprise software platform is being abused by various cybercriminals to deploy malware and ransomware to unsuspecting victims. Cybersecurity researchers from The DFIR Report have observed multiple threat actors using Action1 RMM, an otherwise benign remote desktop monitoring and management solution.
Just as any othe remote management tool out there, Action1 is used by managed service providers (MSPs) and other IT teams to manage endpoints (opens in new tab) in a network from a remote location. They can use it to handle software patches, software installation, troubleshooting, and similar.
A BleepingComputer report hints that the criminals are targeting this software in particular, due to the abundance of features it offers in its free version. Namely, up to 100 endpoints can be serviced on the free plan – the only restriction for the free version, which could make it an interesting tool for criminals.
Conti rears its ugly head
Multiple unidentified teams were spotted using Action1 in their campaigns, but one stands out in particular – Monti. This group was first spotted last summer by cybersecurity researchers from the BlackBerry Incident Response Team, and it was later uncovered that Monti shares a lot of traits with the infamous Conti syndicate.
Conti’s attacks were usually carried out through AnyDesk, or Atera, rather than Action1. The attackers were also observed using ManageEngine Desktop Central from Zoho.
In any scenario, the attackers would use remote monitoring and management tools to install all kinds of malware on victim endpoints, and in some cases – even ransomware.
Sometimes, the attackers would send an email, impersonating a major brand, and demanding the victim urgently gets in touch in order to stop a large transaction or receives a huge refund. After getting in touch with the victim, they would demand they install RMM software and then use it to compromise the target systems.
The company is aware that its software is being abused for nefarious purposes and is trying to help, although there’s not much it can really do: “Last year we rolled-out a threat actor filtering system that scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue,” Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, told BleepingComputer.
Via: BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba