Another genuine enterprise software platform is being misused by cybercriminals to deliver malware and ransomware to unwitting victims. The DFIR Report's cybersecurity analysts identified many threat actors using Action1 RMM, an otherwise benign remote desktop monitoring and management tool.
Action1, like any other remote management tool, is used by managed service providers (MSPs) and other IT teams to manage endpoints in a network from a remote location. It can be used to handle software patches, software installation, troubleshooting, and other related tasks.
In accordance to a BleepingComputer study, fraudsters are targeting this software in particular because of the variety of functionality it provides in its free edition. The free plan allows for up to 100 endpoints to be serviced - the only limitation for the free edition, which could make it an appealing tool for thieves.
Several anonymous teams have been found employing Action1 in their ads, but one in particular sticks out - Monti. This gang was discovered last summer by BlackBerry Incident Response Team cybersecurity researchers, and it was later discovered that Monti has many characteristics with the famed Conti syndicate.
Conti's attacks were typically launched via AnyDesk or Atera rather than Action1. The attackers were also seen utilizing Zoho's ManageEngine Desktop Central. In either instance, the attackers would employ remote monitoring and management tools to install various types of malware, including ransomware, on target endpoints.
At times, the attackers would send an email imitating a prominent brand, requesting that the victim contact them immediately in order to stop a significant transaction or obtain a large refund. They would contact the victim and demand that they install RMM software, which they would then exploit to infect the target systems. Although the corporation is aware that its software is being abused for bad reasons, it is attempting to assist.
“Last year we rolled-out a threat actor filtering system that scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue,” Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, told BleepingComputer.