Action1 says remote management platform can now identify and terminate any attempt at misuse by attackers.

Action1 has announced new AI-based threat actor filtering to detect and block abuse of its remote management platform. The cloud-native patch management, remote access, and remote monitoring and management (RMM) vendor said its platform has been upgraded to spot abnormal user behavior and automatically block threat actors, preventing attackers from exploiting the tool to carry out malicious activity. The release comes amid a trend of hackers misusing legitimate systems management platforms to deploy ransomware or steal data from corporate environments.

Action1 platform enhanced to identify and terminate RMM abuse

In an announcement, Action1 stated that the new enhancement helps ensure that any attempt at misuse of its remote management platform is identified and terminated before cybercriminals accomplish their goals. “It scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue,” it added.

Action1 developed this enhancement after its platform was abused by threat actors earlier this year. The upgrade will help ensure that Action1 is used only for legitimate purposes, while the thousands of IT professionals who rely on the platform continue to use it to automate OS and third-party patching and endpoint management, according to the firm.

“The accessibility of remote access and remote monitoring tools eliminates the need for malicious actors to invest their own time and effort into developing tools for managing attacks, facilitating cybercrime such as ransomware,” stated Mike Walters, VP of vulnerability and threat research at Action1.
“We think that vendors should take more action to prevent abuse of their solutions as a part of the common struggle against this threat.”

Abuse of legitimate management tools a significant security threat

Exploitation of legitimate and trusted management tools does indeed pose a substantial and ongoing threat to businesses. In May, ThreatLocker warned of a sharp increase in attacks abusing RMM tools. “We have observed a large increase in attackers using remote management tools over the last few days. While in most of these cases the tools had dual-factor authentication, attackers were still able to access them and use them to launch cyberattacks,” wrote the vendor in a security alert. Using these tools, an attacker can issue commands to reboot a user’s machine in safe mode with networking, a feature available in many remote management tools, ThreatLocker added. “A machine booted in Safe Mode does not load security software.”

In November, Palo Alto’s Unit 42 investigated several incidents linked to the Luna Moth group callback phishing extortion campaign, in which threat actors use legitimate and trusted systems management tools to interact directly with victims’ computers and manually exfiltrate data for extortion. “As these tools are not malicious, they’re not likely to be flagged by traditional antivirus products,” the researchers wrote. Unit 42 stated that the campaign has cost victims hundreds of thousands of dollars and is expanding in scope.

“Threat actors make extensive use of common IT tools to implement their attacks to save resources and stay under the radar of security technologies,” Adam Khan, VP global security operations, MSP Managed XDR at Barracuda, tells CSO.
For example, in 2022, Barracuda XDR responded to a ransomware attack in which it found, among other things, the legitimate remote desktop applications AnyDesk, LogMeIn, and TeamViewer installed on infected computers.

“In fact, the latest data from Barracuda XDR’s Global Security Operations Center shows that detections for the AnyDesk remote desktop application were in the top 10 of suspicious signatures spotted on customer networks in 2022,” Khan says. Compromise via AnyDesk potentially grants attackers a foothold in a target network, allowing them to gain remote access to any part of the environment and maintain persistence.

“Defenders can protect themselves by reinforcing essential security measures, such as patching, granting the minimum level of access privileges needed, blocking or restricting access to remote services, introducing multi-factor authentication, and backing up all critical data offline. But it’s worth doing more,” Khan says. “What is the context of what looks like totally benign activity? When, where, and how is the tool being used and is that expected and consistent with known patterns?
If it’s not, sound the alarm as you may have stumbled across an active attack in progress and the clock is ticking.”
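Khan’s context questions (when, where, how, and is it expected) can be turned into a baseline-driven detector. The following is an added example, not code from Action1, ThreatLocker or Barracuda; it assumes process-creation events with host, user, image and command_line fields, a hypothetical per-tool approved-host baseline, and constructed sample events, and it also flags the safe-mode boot reconfiguration ThreatLocker describes.

```python
from dataclasses import dataclass
from typing import Optional

# Remote-access binaries named in the article, keyed by lower-case image name.
RMM_TOOLS = {"anydesk.exe": "AnyDesk", "teamviewer.exe": "TeamViewer", "logmein.exe": "LogMeIn"}

# Hypothetical baseline: hosts on which each tool is expected (e.g. helpdesk jump boxes).
APPROVED_HOSTS = {"AnyDesk": {"helpdesk-01", "helpdesk-02"}, "TeamViewer": {"helpdesk-01"}, "LogMeIn": set()}

@dataclass
class Alert:
    host: str
    user: str
    reason: str

def _image_name(path: str) -> str:
    """Strip the directory from a Windows or POSIX path and normalise case."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert when a process event breaks the expected pattern, else None."""
    host, user = event["host"], event["user"]
    image = _image_name(event["image"])
    cmd = event.get("command_line", "").lower()
    # Boot configuration changed to safe mode: security software will not load after reboot.
    if image == "bcdedit.exe" and "safeboot" in cmd:
        return Alert(host, user, "boot configuration set to safe mode via bcdedit")
    tool = RMM_TOOLS.get(image)
    if tool is None:
        return None  # Not a remote-access tool; nothing to assess.
    if host not in APPROVED_HOSTS[tool]:
        return Alert(host, user, f"{tool} launched on unapproved host")
    return None  # Expected host for this tool; benign under the baseline.

def scan(events: list) -> list:
    """Evaluate every event and keep only the alerts."""
    return [a for a in map(evaluate, events) if a is not None]

# Constructed sample telemetry (not real customer data).
SAMPLE_EVENTS = [
    {"host": "helpdesk-01", "user": "svc_support", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "command_line": "AnyDesk.exe"},
    {"host": "fileserver-03", "user": "jdoe", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "command_line": "AnyDesk.exe --silent"},
    {"host": "ws-117", "user": "jdoe", "image": r"C:\Windows\System32\bcdedit.exe", "command_line": "bcdedit /set {default} safeboot network"},
    {"host": "ws-118", "user": "asmith", "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

In production the baseline would come from an asset inventory or change-control records rather than a hard-coded dict, and the same check extends to user and time-of-day dimensions.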