Ransomware Operators Abusing Action1 RMM

Remote monitoring and management (RMM) tools like Action1 RMM have increasingly become an appealing choice for Managed Service Providers (MSPs) and their customer base, since they allow the remote management of endpoints on customer networks, including patch management, security software installation, and troubleshooting. Unfortunately, the capabilities of these tools have also caught the attention of threat actors, who are now abusing them to compromise corporate networks and maintain persistence.

Threat Actors Compromising Corporate Networks

Recent reports from security firms and tweets from researchers have shed light on the abuse of Action1 RMM in ransomware attacks. Using Action1, threat actors can execute commands, scripts, and binaries to drop malware strains on compromised machines. These actions require the creation of a "policy" or an "app" within the platform, so the resulting commands, when observed on the command line during execution, can serve as an indicator of misuse.

In response to the issue, Action1 has implemented security upgrades such as AI filtering, which scans user activity for suspicious patterns of behavior, detects potentially malicious accounts, and alerts the company's dedicated security team for further investigation.

Evidence Supporting Kostas’ Tweet

A member of the volunteer analyst group The DFIR Report, Kostas, tweeted about ransomware operators abusing the Action1 RMM platform, highlighting the potential risk of increased attacks using this system. Additional evidence is needed to validate these claims and give a clearer picture of the situation.

TTPs Resembling BlackBerry Incident Response Team’s Investigation

Further evidence supporting Kostas' tweet comes from the BlackBerry Incident Response team's investigation of a case involving Monti ransomware. In this instance, the threat actors exploited the Log4Shell vulnerability to gain access to a client's VMware Horizon virtualization system. The attackers encrypted user desktops and servers, and notably, they also downloaded and installed two remote monitoring and management (RMM) agents, including Action1.

Researchers believe the RMM software was used by the attackers to establish persistence within the network and facilitate additional remote access, making it the first known incident to leverage Action1 in this manner. This tactic, previously employed by Conti operators, shows the evolution and adaptation of cybercriminals exploiting the versatility of legitimate RMM software like Action1 to carry out their malicious activities.

Action1 Combating Malicious Use

Action1 is actively addressing the issue of its RMM product being abused by ransomware operators. The company has implemented various security upgrades to combat the malicious use of its platform while still providing efficient remote management capabilities to its user base.

Employing Security Upgrades, AI Filtering

One of the security measures implemented by Action1 is AI filtering. This technology scans user activity for suspicious patterns of behavior and flags potentially malicious accounts. By leveraging these capabilities, Action1 aims to reduce the risk of its platform being exploited by threat actors for ransomware attacks.

The Monti Ransomware Strain

Monti is a relatively new ransomware strain that experts consider to be a newer variant of the Conti family. This strain has been observed using the tactics that made its predecessor, Conti, a significant threat in cyberspace.

Newer Variant of the Conti Family

Monti has inherited many of the tactics that made Conti a serious threat, including the abuse of remote management software to initiate ransomware attacks. The Monti ransomware operators have proven to be adaptable in adopting successful approaches employed by the Conti family.

Abuse of Remote Management Software

Conti was notorious for exploiting legitimate remote management software, such as AnyDesk, to gain unauthorized access to networks and facilitate their attacks. Monti has followed a similar approach, with recent incidents involving the abuse of Action1 RMM, which is used by Managed Service Providers for remote endpoint management on customer networks.

Possible Link Between Conti and Monti Gangs

The exact link between the Conti and Monti ransomware operators remains unclear. However, the similarities in their tactics, techniques, and procedures suggest that the criminals behind Monti may have been influenced by or be directly related to the Conti gang. Regardless of the connection, Monti's combination of a ransomware strain with proven tactics poses a significant threat to enterprises and their systems.