Yet another legitimate enterprise software platform is being abused by various cybercriminals to deploy malware and ransomware to unsuspecting victims. Cybersecurity researchers from The DFIR Report have observed multiple threat actors using Action1 RMM, an otherwise benign remote desktop monitoring and management solution.
Just like any other remote management tool, Action1 is used by managed service providers (MSPs) and other IT teams to manage endpoints in a network from a remote location. They can use it to handle software patches, software installation, troubleshooting, and similar tasks.
A BleepingComputer report hints that the criminals are targeting this software in particular because of the abundance of features it offers in its free version. Namely, up to 100 endpoints can be serviced on the free plan, and that endpoint limit is the only restriction on the free version, which could make it an interesting tool for criminals.
Conti rears its ugly head
Multiple unidentified teams were spotted using Action1 in their campaigns, but one stands out in particular – Monti. This group was first spotted last summer by cybersecurity researchers from the BlackBerry Incident Response Team, and it was later uncovered that Monti shares a lot of traits with the infamous Conti syndicate.
Conti’s attacks were usually carried out through AnyDesk, or Atera, rather than Action1. The attackers were also observed using ManageEngine Desktop Central from Zoho.
In any scenario, the attackers would use remote monitoring and management tools to install all kinds of malware on victim endpoints, and in some cases – even ransomware.
Sometimes, the attackers would send an email impersonating a major brand and demanding that the victim urgently get in touch in order to stop a large transaction or receive a huge refund. After getting in touch with the victim, they would demand they install RMM software and then use it to compromise the target systems.
The company is aware that its software is being abused for nefarious purposes and is trying to help, although there’s not much it can really do: “Last year we rolled-out a threat actor filtering system that scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue,” Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, told BleepingComputer.
Via: BleepingComputer