In a nutshell:
- In the past few days, our users have asked us numerous questions regarding the potential hack of the Action1 platform.
- This concern has arisen due to a recent article in Bleeping Computer.
- We would like to reassure our users that Action1 has not been compromised, and their accounts remain safe from potential threats.
What Happened?
As we all know, endpoint management, remote monitoring and management (RMM), and remote access (RA) tools are critical for administrators and technicians to maintain their organization’s IT environment’s security and performance. However, as with many other technologies created for good reasons, cybercriminals have found ways to use these tools for malicious purposes. While they do not compromise the tools themselves, they leverage the capabilities of these legitimate tools to establish persistence in a victim’s environment after a breach. For example, they can deploy malware, run commands, and more.
The problem is not new. Some tools have been misused in thousands of attacks and are even included in security advisories from legal authorities. For instance, the Cybersecurity and Infrastructure Security Agency (CISA) recently issued an advisory on protecting against malicious use of RMM software, naming ScreenConnect (now ConnectWise Control) and AnyDesk as the most misused by threat actors. Another recent advisory mentions Atera, LogMeIn, and others as tools that ransomware gangs leverage for persistence in the victim’s network.
It is worth noting that we’ve only mentioned some of the legitimate tools that are commonly misused by threat actors, as the list is unfortunately too long.
Action1, like other vendors, is committed to providing our customers with the best possible service, empowering them to do more with less and automating their endpoint management from anywhere in the easiest way possible. However, as we grow as a company and become more prominent, we undoubtedly attract attention from all sides, including bad actors who attempt to misuse Action1, among other tools. Since Action1 had not been widely noticed as being misused by threat actors, Bleeping Computer reporters did a story on that. (Legitimate tools misuse is one of the topics they cover regularly – here is one more similar article: Hackers abuse Google Command and Control red team tool in attacks)
Are We Doing Something to Prevent Attackers from Using Action1 for Malicious Purposes?
Yes, we do. We take extremely high precautions, especially compared to other similar companies that are more easily misused than Action1. Last year, we rolled out a threat actor filtering system that scans user activity for suspicious behavior patterns, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue. This system helps minimize the risk of misuse and ensures that most attempts are identified and terminated before cybercriminals accomplish their goals.
We strongly condemn the malicious use of Action1 by threat actors who have taken advantage of its ease of use and accessibility. We have multiple measures to prevent the malicious use of Action1 and continuously work on adding more to ensure that Action1 is used only for good reasons. We are fully open to cooperating with both victims and legal authorities in cases of Action1 misuse.
