Threat groups have increasingly abused the legitimate remote access software Action1 to carry out cybercriminal operations. Some actors used the software to establish persistence on targeted networks and run commands.
The campaigns also used Action1 to execute binaries and scripts. Its legitimate and most common use, however, is by MSPs and enterprises to manage endpoints remotely.
Multiple threat actors have adopted the Action1 software to orchestrate ransomware campaigns.
Several malicious groups have used the Action1 RMM platform in recent ransomware operations. Researchers explained that the actors used the software in the initial intrusion stages of three separate ransomware attacks involving different malware strains.
One of the confirmed cybercriminal groups that employed the software is Monti, which has also exploited the Log4Shell vulnerability. Researchers observed that Monti's tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) are similar to those of past ransomware campaigns run by the Conti group.
The difference between Conti and Monti, however, is that the latter used the RMM agent in its recent campaigns.
The now-defunct Conti group, by contrast, relied heavily on the remote access tools Atera and AnyDesk to install agents on its targeted networks. The clearest difference between the two groups is therefore the tool each used for remote access.
Researchers noted that after installing Action1 the threat actors created a policy to automatically execute binaries, namely Process Monitor, Command Prompt, and PowerShell. Experts also pointed out that Action1 RMM is available free of charge for up to 100 endpoints. This endpoint limit is the only restriction on the free version, which remains popular among cybercriminal groups.
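The automated-execution pattern described above can be hunted for in process-creation telemetry. The following is an added detection example, not code from the article or from Action1; it assumes the agent binary is named action1_agent.exe (an assumption to adjust per deployment) and that your telemetry exposes image, parent image, host and command line, as Sysmon Event ID 1 does:

```python
import ntpath

# Assumed agent image name (not stated in the article; adjust to your deployment).
ACTION1_AGENT = "action1_agent.exe"
# Binaries the article says the actors' Action1 policy launched automatically.
ABUSED_CHILDREN = {"cmd.exe", "powershell.exe", "procmon.exe", "procmon64.exe"}

def flag_rmm_abuse(events, approved_hosts):
    """Return (host, reason, detail) tuples for each suspicious process-creation
    record (keys: host, image, parent_image, cmdline); approved_hosts lists the
    hostnames on which the Action1 agent is sanctioned."""
    findings = []
    for ev in events:
        # ntpath handles Windows paths correctly even when this runs on Linux.
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent_image"]).lower()
        host = ev["host"]
        # Rule 1: the RMM agent starts on a host never approved for it.
        if image == ACTION1_AGENT and host not in approved_hosts:
            findings.append((host, "unapproved_rmm_agent", ev["image"]))
        # Rule 2: the agent spawns a shell or Process Monitor, matching the
        # automated-execution policy described in the article.
        if parent == ACTION1_AGENT and image in ABUSED_CHILDREN:
            findings.append((host, "rmm_spawned_lolbin", ev["cmdline"]))
    return findings

# Constructed sample telemetry; none of these values are real indicators.
SAMPLE_EVENTS = [
    # Agent service starts on fs01, a file server never enrolled in Action1.
    {"host": "fs01", "image": r"C:\Windows\Action1\action1_agent.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "action1_agent.exe"},
    # The agent then launches PowerShell on fs01.
    {"host": "fs01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\Action1\action1_agent.exe",
     "cmdline": "powershell.exe -File deploy.ps1"},
    # Sanctioned patching on it-admin01: msiexec is not in the watch list.
    {"host": "it-admin01", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\Action1\action1_agent.exe",
     "cmdline": "msiexec.exe /i update.msi /qn"},
    # An ordinary user shell with no RMM agent involved.
    {"host": "ws-42", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    for finding in flag_rmm_abuse(SAMPLE_EVENTS, approved_hosts={"it-admin01"}):
        print(finding)
```

Rule 1 catches the installation step itself on hosts that should never run the agent, while Rule 2 still fires on approved hosts, so a sanctioned deployment that is later hijacked is not missed.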
The increasing abuse of Action1 is a concerning trend, since the platform gives threat actors wide-ranging capabilities on a compromised network. Moreover, current security software usually does not flag it as a threat, because it is legitimate, safe-listed software. In response, Action1's administrators have begun taking new steps to stop abuse of the platform.
