Action1 launches threat actor filtering to block remote management platform abuse

Action1 has announced new AI-based threat actor filtering to detect and block abuse of its remote management platform. The cloud-native patch management, remote access, and remote monitoring and management (RMM) firm stated its platform has been upgraded to spot abnormal user behavior and automatically block threat actors to prevent attackers exploiting its tool to carry out malicious activity. The release comes amid a trend of hackers misusing legitimate systems management platforms to deploy ransomware or steal data from corporate environments.

Action1 platform enhanced to identify and terminate RMM abuse

In an announcement, Action1 stated that the new enhancement helps ensure that any attempt at misuse of its remote management platform is identified and terminated before cybercriminals accomplish their goals. “It scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue,” it added.

Action1 developed this enhancement after its platform was abused by threat actors earlier this year. Consequently, the upgrade will help assure that Action1 is used only for good reasons, meanwhile thousands of IT professionals use the platform to automate OS and third-party patching and endpoint management, according to the firm.

“The accessibility of remote access and remote monitoring tools eliminates the need for malicious actors to invest their own time and effort into developing tools for managing attacks, facilitating cybercrime such as ransomware,” stated Mike Walters, VP of vulnerability and threat research at Action1. “We think that vendors should take more action to prevent abuse of their solutions as a part of the common struggle against this threat.”

Abuse of legitimate management tools a significant security threat

Exploitation of legitimate and trusted management tools does indeed pose a substantial and ongoing threat to businesses. In May, ThreatLocker warned of a sharp increase in attacks abusing RMM tools. “We have observed a large increase in attackers using remote management tools over the last few days. While in most of these cases the tools had dual-factor authentication, attackers were still able to access them and use them to launch cyberattacks,” wrote the vendor in a security alert. Using these tools, an attacker can issue commands to reboot a user’s machine in safe mode with networking, a feature available in many remote management tools, ThreatLocker added. “A machine booted in Safe Mode does not load security software.”

In November, Palo Alto’s Unit 42 investigated several incidents linked to the Luna Moth group callback phishing extortion campaign in which threat actors use legitimate and trusted systems management tools to interact directly with victims’ computers to manually exfiltrate data for extortion. “As these tools are not malicious, they’re not likely to be flagged by traditional antivirus products,” the researchers wrote. Unit 42 stated that the campaign has cost victims hundreds of thousands of dollars, expanding in scope.

“Threat actors make extensive use of common IT tools to implement their attacks to save resources and stay under the radar of security technologies,” Adam Khan, VP global security operations, MSP Managed XDR at Barracuda, tells CSO. For example, in 2022, Barracuda XDR responded to a ransomware attack where they found, among other things, the legitimate remote desktop applications AnyDesk, Logmein, and TeamViewer installed on infected computers.

“In fact, the latest data from Barracuda XDR’s Global Security Operations Center shows that detections for the AnyDesk remote desktop application were in the top 10 of suspicious signatures spotted on customer networks in 2022,” Khan says. Compromise with AnyDesk potentially grants attackers a foothold in a target network that allows them to gain remote access into any part of the environment and maintain persistence.

“Defenders can protect themselves by reinforcing essential security measures, such as patching, granting the minimum level of access privileges needed, blocking or restricting access to remote services, introducing multi-factor authentication, and backing up all critical data offline. But it’s worth doing more,” Khan says. “What is the context of what looks like totally benign activity? When, where, and how is the tool being used and is that expected and consistent with known patterns? If it’s not, sound the alarm as you may have stumbled across an active attack in progress and the clock is ticking.”