Security News > 2023 > April > Hackers start abusing Action1 RMM in ransomware attacks
Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.
Kostas, a member of the volunteer analyst group The DFIR Report, noticed the Action1 RMM platform being abused by multiple threat actors for reconnaissance activity and to execute code with system privileges on network hosts.
BleepingComputer tried to learn more about incidents where the Action1 RMM platform is being abused and was told by sources that it was observed in ransomware attacks from multiple threat actors.
While Action1 RMM is used legitimately across the world by thousands of administrators, the vendor is aware that the product is being abused by threat actors in the post-compromise stage of an attack for lateral movement.
Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, told BleepingComputer that the company introduced last year a system based on artificial intelligence to detect abnormal user behavior and to prevent hackers from using the platform for malicious purposes.
Action1 is working on including new measures to stop the misuse of the platform, the researcher said, adding that the company is "Fully open to cooperation with both victims and legal authorities" on cases where Action1 was leveraged for cyberattacks.
News URL
Related news
- Russian hackers shift to cloud attacks, US and allies warn (source)
- Russian hackers hijack Ubiquiti routers to launch stealthy attacks (source)
- Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks (source)
- FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks (source)
- FBI Warns U.S. Healthcare Sector of Targeted BlackCat Ransomware Attacks (source)
- LockBit ransomware returns to attacks with new encryptors, servers (source)
- Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks (source)
- Hackers target FCC, crypto firms in advanced Okta phishing attacks (source)
- Hackers steal Windows NTLM authentication hashes in phishing attacks (source)
- Fidelity customers' financial info feared stolen in suspected ransomware attack (source)