Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.

Action1 is a remote monitoring and management (RMM) product that is commonly used by managed service providers (MSPs) and the enterprise to remotely manage endpoints on a network.

The software allows admins to automate patch management and the deploying of security updates, install software remotely, catalog hosts, troubleshoot problems on endpoints, and get real-time reports.

Running binaries as system

Kostas, a member of the volunteer analyst group The DFIR Report, noticed the Action1 RMM platform being abused by multiple threat actors for reconnaissance activity and to execute code with system privileges on network hosts.

The researcher says that after installing the Action1 agent, the adversaries create a policy to automate the execution of binaries (e.g. Process Monitor, PowerShell, Command Prompt) required in the attack.

Action1 abused in ransomware attacks

BleepingComputer tried to learn more about incidents where the Action1 RMM platform is being abused and was told by sources that it was observed in ransomware attacks from multiple threat actors.

The product has been leveraged in the initial stages of at least three recent ransomware attacks using distinct malware strains. We could not find the specific ransomware deployed during the incidents, though.

However, we were told that the tactics, techniques, and procedures (TTPs) echo an attack that the BlackBerry Incident Response team investigated last summer.

The threat researchers attributed the attack to a group called Monti, that was unknown at the time. The hackers breached the environment after exploiting the Log4Shell vulnerability.

BlackBerry’s analysis showed that most of the indicators of compromise (IoC) in the Monti attack were seen in ransomware incidents attributed to the Conti syndicate. One IoC that stood out was the used of the Action1 RMM agent.

While Conti attacks did rely on remote access software, the typical choices were the AnyDesk application and the trial access to the Atera RMM - to install agents on the compromised network thus obtaining remote access to all the hosts.

There are also cases where brokers sold initial access to organizations through ManageEngine Desktop Central software from Zoho, a product that allows admins to manage Windows, Linux, and Mac systems on the network.

From a ransomware perspective, legitimate RMM software is versatile enough to fit their needs, provides wide reach on the network, and ensures continued persistence because security agents in the environment do not usually flag the platforms as a threat.

AI-based filtering

While Action1 RMM is used legitimately across the world by thousands of administrators, the vendor is aware that the product is being abused by threat actors in the post-compromise stage of an attack for lateral movement.

Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, told BleepingComputer that the company introduced last year a system based on artificial intelligence to detect abnormal user behavior and to prevent hackers from using the platform for malicious purposes.

"At the same time, I would like to emphasize that these attacks do not target the Action1 users since our platform has not been compromised," Walters added 

Action1 is working on including new measures to stop the misuse of the platform, the researcher said, adding that the company is “fully open to cooperation with both victims and legal authorities” on cases where Action1 was leveraged for cyberattacks.