Security News > 2023 > April > Hackers start abusing Action1 RMM in ransomware attacks

Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.

Kostas, a member of the volunteer analyst group The DFIR Report, noticed the Action1 RMM platform being abused by multiple threat actors for reconnaissance activity and to execute code with system privileges on network hosts.

BleepingComputer tried to learn more about incidents where the Action1 RMM platform is being abused and was told by sources that it was observed in ransomware attacks from multiple threat actors.

While Action1 RMM is used legitimately across the world by thousands of administrators, the vendor is aware that the product is being abused by threat actors in the post-compromise stage of an attack for lateral movement.

Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, told BleepingComputer that the company introduced last year a system based on artificial intelligence to detect abnormal user behavior and to prevent hackers from using the platform for malicious purposes.

Action1 is working on including new measures to stop the misuse of the platform, the researcher said, adding that the company is "Fully open to cooperation with both victims and legal authorities" on cases where Action1 was leveraged for cyberattacks.

News URL

https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action1-rmm-in-ransomware-attacks/