Action1 says remote management platform can now identify and terminate any attempt at misuse by attackers.

Credit: Undefined Undefined / Getty Images

Action1 has announced new AI-based threat actor filtering to detect and block abuse of its remote management platform. The cloud-native patch management, remote access, and remote monitoring and management (RMM) firm stated its platform has been upgraded to spot abnormal user behavior and automatically block threat actors, preventing attackers from exploiting its tool to carry out malicious activity. The release comes amid a trend of hackers misusing legitimate systems management platforms to deploy ransomware or steal data from corporate environments.

Action1 platform enhanced to identify and terminate RMM abuse

In an announcement, Action1 stated that the new enhancement helps ensure that any attempt at misuse of its remote management platform is identified and terminated before cybercriminals accomplish their goals. “It scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue,” it added.

Action1 developed this enhancement after its platform was abused by threat actors earlier this year. According to the firm, the upgrade will help ensure that Action1 is used only for legitimate purposes while thousands of IT professionals use the platform to automate OS and third-party patching and endpoint management. “The accessibility of remote access and remote monitoring tools eliminates the need for malicious actors to invest their own time and effort into developing tools for managing attacks, facilitating cybercrime such as ransomware,” stated Mike Walters, VP of vulnerability and threat research at Action1.
“We think that vendors should take more action to prevent abuse of their solutions as a part of the common struggle against this threat.”

Abuse of legitimate management tools a significant security threat

Exploitation of legitimate and trusted management tools does indeed pose a substantial and ongoing threat to businesses. In May, ThreatLocker warned of a sharp increase in attacks abusing RMM tools. “We have observed a large increase in attackers using remote management tools over the last few days. While in most of these cases the tools had dual-factor authentication, attackers were still able to access them and use them to launch cyberattacks,” wrote the vendor in a security alert. Using these tools, an attacker can issue commands to reboot a user’s machine in safe mode with networking, a feature available in many remote management tools, ThreatLocker added. “A machine booted in Safe Mode does not load security software.”

In November, Palo Alto’s Unit 42 investigated several incidents linked to the Luna Moth group callback phishing extortion campaign, in which threat actors use legitimate and trusted systems management tools to interact directly with victims’ computers and manually exfiltrate data for extortion. “As these tools are not malicious, they’re not likely to be flagged by traditional antivirus products,” the researchers wrote. Unit 42 stated that the campaign has cost victims hundreds of thousands of dollars and is expanding in scope.

“Threat actors make extensive use of common IT tools to implement their attacks to save resources and stay under the radar of security technologies,” Adam Khan, VP global security operations, MSP Managed XDR at Barracuda, tells CSO.
For example, in 2022, Barracuda XDR responded to a ransomware attack where it found, among other things, the legitimate remote desktop applications AnyDesk, LogMeIn, and TeamViewer installed on infected computers. “In fact, the latest data from Barracuda XDR’s Global Security Operations Center shows that detections for the AnyDesk remote desktop application were in the top 10 of suspicious signatures spotted on customer networks in 2022,” Khan says. A compromise involving AnyDesk potentially grants attackers a foothold in a target network that allows them to gain remote access to any part of the environment and maintain persistence.

“Defenders can protect themselves by reinforcing essential security measures, such as patching, granting the minimum level of access privileges needed, blocking or restricting access to remote services, introducing multi-factor authentication, and backing up all critical data offline. But it’s worth doing more,” Khan says. “What is the context of what looks like totally benign activity? When, where, and how is the tool being used and is that expected and consistent with known patterns? If it’s not, sound the alarm as you may have stumbled across an active attack in progress and the clock is ticking.”
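The two detection ideas in this article, Action1's scanning of user activity for suspicious patterns and Khan's "when, where, and how is the tool being used" baseline check, reduce to the same defensive logic: compare every RMM session against what the organisation expects and alert on deviations. The following is an added example of that logic, not code from Action1, ThreatLocker, Barracuda or Unit 42. The log format, the approved tool list, the operator accounts, the IP ranges and the `reboot-safe-mode-networking` action name are all constructed for the example; a real deployment would feed it the audit log of whatever RMM product is in use.

```python
"""Baseline-deviation detection for remote management (RMM) tool usage.

Added example, not vendor code. Each RMM audit line is checked against a
constructed baseline of who may operate the tool, from where, when, and
which tools are approved at all. A safe-mode reboot issued through an RMM
session is flagged separately, since a machine in Safe Mode does not load
security software.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed baseline: what "expected and consistent with known patterns" means here.
APPROVED_TOOLS = {"action1", "teamviewer"}        # tools the organisation licenses
APPROVED_OPERATORS = {"jsmith", "akhan"}          # accounts allowed to run RMM sessions
APPROVED_SOURCES = [ip_network("10.20.0.0/16")]   # corporate admin VLAN
BUSINESS_HOURS = (time(7, 0), time(19, 0))        # local time window for admin work

# Constructed RMM action names that reboot an endpoint into Safe Mode.
SAFE_MODE_ACTIONS = {"reboot-safe-mode", "reboot-safe-mode-networking"}

# Constructed audit-line format: timestamp, tool, operator, source IP, target host,
# and an optional action performed during the session.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) rmm=(?P<tool>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+)(?: action=(?P<action>\S+))?$"
)


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def assess(line: str) -> Finding | None:
    """Return a Finding listing every baseline deviation, or None if the line fits the baseline."""
    m = LOG_RE.match(line)
    if not m:
        return Finding(line, ["unparseable audit line"])
    reasons: list[str] = []

    # "How": is this even a tool we run?
    if m["tool"].lower() not in APPROVED_TOOLS:
        reasons.append(f"unapproved RMM tool: {m['tool']}")
    # "Who": is the operator account a known administrator?
    if m["user"] not in APPROVED_OPERATORS:
        reasons.append(f"unknown operator account: {m['user']}")
    # "Where": did the session originate from the admin network?
    src = ip_address(m["src"])
    if not any(src in net for net in APPROVED_SOURCES):
        reasons.append(f"session from outside admin network: {src}")
    # "When": is this inside the hours administrators normally work?
    t = datetime.fromisoformat(m["ts"]).time()
    if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
        reasons.append(f"outside business hours: {t.isoformat(timespec='minutes')}")
    # Safe-mode reboots are flagged even for otherwise expected sessions.
    if m["action"] in SAFE_MODE_ACTIONS:
        reasons.append(f"safe-mode reboot via RMM on {m['host']} (security software will not load)")

    return Finding(line, reasons) if reasons else None


def scan(lines: list[str]) -> list[Finding]:
    """Run assess() over an audit log and return only the lines that deviate from baseline."""
    return [f for f in (assess(line) for line in lines) if f is not None]


# Constructed sample audit log: two expected sessions, one fully anomalous session,
# and one expected operator performing a safe-mode reboot.
SAMPLE_LOG = [
    "2024-05-03T10:15:00 rmm=action1 user=jsmith src=10.20.4.7 host=WS-0113",
    "2024-05-03T02:41:00 rmm=anydesk user=svc-temp src=203.0.113.45 host=WS-0113",
    "2024-05-03T14:05:00 rmm=teamviewer user=akhan src=10.20.9.2 host=FS-01 action=reboot-safe-mode-networking",
    "2024-05-03T09:30:00 rmm=teamviewer user=jsmith src=10.20.4.7 host=WS-0220 action=file-transfer",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("ALERT:", finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

Running the block on the sample log produces two alerts: the overnight AnyDesk session from an unknown account and an external address trips all four baseline checks at once, while the TeamViewer session is otherwise normal and is reported only for the safe-mode reboot. In practice the approved lists would come from the RMM vendor's own tenant configuration and the identity provider rather than hard-coded sets, and the findings would be routed to the SOC queue rather than printed.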