Criminals are using this top remote access tool to hijack your company networks

Three computer monitors against a blue digital background.
(Image credit: Pixabay)

Yet another legitimate enterprise software platform is being abused by various cybercriminals to deploy malware and ransomware to unsuspecting victims. Cybersecurity researchers from The DFIR Report have observed multiple threat actors using Action1 RMM, an otherwise benign remote desktop monitoring and management solution. 

Just as any othe remote management tool out there, Action1 is used by managed service providers (MSPs) and other IT teams to manage endpoints in a network from a remote location. They can use it to handle software patches, software installation, troubleshooting, and similar. 

A BleepingComputer report hints that the criminals are targeting this software in particular, due to the abundance of features it offers in its free version. Namely, up to 100 endpoints can be serviced on the free plan - the only restriction for the free version, which could make it an interesting tool for criminals.

Conti rears its ugly head

Multiple unidentified teams were spotted using Action1 in their campaigns, but one stands out in particular - Monti. This group was first spotted last summer by cybersecurity researchers from the BlackBerry Incident Response Team, and it was later uncovered that Monti shares a lot of traits with the infamous Conti syndicate. 

Conti’s attacks were usually carried out through AnyDesk, or Atera, rather than Action1. The attackers were also observed using ManageEngine Desktop Central from Zoho.

In any scenario, the attackers would use remote monitoring and management tools to install all kinds of malware on victim endpoints, and in some cases - even ransomware. 

Sometimes, the attackers would send an email, impersonating a major brand, and demanding the victim urgently gets in touch in order to stop a large transaction or receives a huge refund. After getting in touch with the victim, they would demand they install RMM software and then use it to compromise the target systems.

The company is aware that its software is being abused for nefarious purposes and is trying to help, although there’s not much it can really do: “Last year we rolled-out a threat actor filtering system that scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue,” Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, told BleepingComputer.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.