Attackers Leverage RMM Action1 Platform in Ransomware attacks
DFIR Report member Kostas Tsale Tweeted this over the weekend:
If you didn’t read the entire thread, here’s the TL;DR. He’s seeing threat actors using the Action1 RMM platform for reconnaissance and for executing commands, scripts and binaries on network hosts. After installing the Action1 agent, they create policies that automate the execution of the binaries (e.g. Process Monitor, PowerShell, Command Prompt) required in the attack.
Action1 is available at no cost for up to 100 endpoints, which is the only restriction in the free version of the product.
This abuse of the platform appears to be used in ransomware attacks by multiple threat actors, as the product has been seen leveraged in the initial stages of recent ransomware attacks involving distinct malware strains.
Christopher Peacock, Principal Detection Engineer, SCYTHE:
“Remote monitoring and management (RMM) tools have been increasingly common in attacks because threat actors can rely on their functionality instead of using malware that could trigger antivirus alarms. It’s therefore essential that organizations block and alert for unapproved remote monitoring and management tools, which could indicate a threat actor.”
To Action1’s credit, they said this on Twitter:
Let’s see if this mitigates this threat vector in the medium and long term.
This entry was posted on April 18, 2023 at 8:28 am and is filed under Commentary with tags Security.