CyberSecurity news
FlagThis
@www.bleepingcomputer.com
//
DragonForce ransomware group has been actively exploiting vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) software, to target managed service providers (MSPs) and their customers. This attack serves as a stark reminder of the supply chain risks inherent in relying on third-party software, particularly RMM tools which, if compromised, can grant attackers widespread access to numerous client systems. Sophos researchers uncovered that the DragonForce operator chained three specific SimpleHelp flaws, identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to breach an MSP. This breach resulted in data theft and the subsequent deployment of ransomware across the MSP's customer endpoints, causing significant disruption and potential financial losses.
The vulnerabilities exploited by DragonForce allowed the attackers to perform several malicious actions. CVE-2024-57727 enabled unauthorized remote attackers to download arbitrary files, including server configuration files containing sensitive secrets and hashed user passwords. CVE-2024-57728 permitted admin users to upload arbitrary files, leading to potential arbitrary code execution on the host. Furthermore, CVE-2024-57726 allowed low-privilege technicians to create API keys with excessive permissions, potentially enabling them to escalate privileges to the server administrator role. All of these vulnerabilities were present in SimpleHelp's remote support software version 5.5.7 and earlier, highlighting the critical importance of promptly applying security patches.
The DragonForce attack on the MSP via SimpleHelp illustrates a growing trend of cybercriminals targeting RMM and other remote tools to facilitate software supply chain attacks. By compromising a single MSP, attackers can gain access to a large number of downstream customers, amplifying the impact of their attacks. Security experts warn that MSPs must prioritize the security of their RMM software, including implementing robust patch management processes and closely monitoring for suspicious activity. This incident underscores the need for a proactive and vigilant approach to cybersecurity to mitigate the risk of ransomware and other threats exploiting channel vulnerabilities.
ImgSrc: www.bleepstatic
References :
The vulnerabilities exploited by DragonForce allowed the attackers to perform several malicious actions. CVE-2024-57727 enabled unauthorized remote attackers to download arbitrary files, including server configuration files containing sensitive secrets and hashed user passwords. CVE-2024-57728 permitted admin users to upload arbitrary files, leading to potential arbitrary code execution on the host. Furthermore, CVE-2024-57726 allowed low-privilege technicians to create API keys with excessive permissions, potentially enabling them to escalate privileges to the server administrator role. All of these vulnerabilities were present in SimpleHelp's remote support software version 5.5.7 and earlier, highlighting the critical importance of promptly applying security patches.
The DragonForce attack on the MSP via SimpleHelp illustrates a growing trend of cybercriminals targeting RMM and other remote tools to facilitate software supply chain attacks. By compromising a single MSP, attackers can gain access to a large number of downstream customers, amplifying the impact of their attacks. Security experts warn that MSPs must prioritize the security of their RMM software, including implementing robust patch management processes and closely monitoring for suspicious activity. This incident underscores the need for a proactive and vigilant approach to cybersecurity to mitigate the risk of ransomware and other threats exploiting channel vulnerabilities.
ImgSrc: www.bleepstatic
Share:
References :
- Sophos News: Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network
- bsky.app: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
- securityaffairs.com: Sophos researchers reported that a DragonForce ransomware operator exploited three chained vulnerabilities in SimpleHelp software to attack a managed service provider. SimpleHelp is a remote support and access software designed for IT professionals and support teams. It provides a streamlined way for IT teams to manage and monitor remote systems, making it a valuable tool for MSPs. However, the vulnerabilities exploited by DragonForce highlight the importance of keeping RMM software patched and up to date, as these tools can become attack vectors for ransomware and other threats.
- www.bleepingcomputer.com: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
- BleepingComputer: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
- BleepingComputer: DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
- The Register - Security: Updated DragonForce ransomware infected a managed service provider, and its customers, after attackers exploited security flaws in remote monitoring and management tool SimpleHelp.…
- www.helpnetsecurity.com: Attackers hit MSP, use its RMM software to deliver ransomware to clients
- Help Net Security: Attackers hit MSP, use its RMM software to deliver ransomware to clients
- www.techradar.com: DragonForce ransomware hacks SimpleHelp RMM tool to attack MSPs
- ciso2ciso.com: DragonForce double-whammy: First hit an MSP, then use RMM software to push ransomware – Source: go.theregister.com
- Anonymous ???????? :af:: The ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data
- MicroScope: Sophos warns MSPs over DragonForce threat
- Daily CyberSecurity: Details of RMM tool abused to spread DragonForce.
- MSSP feed for Latest: The bad actors exploited flaws in SimpleHelp's software to compromise the MSP and attack clients.
- thehackernews.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints
- Tech Monitor: DragonForce exploits SimpleHelp in MSP breach
- www.bleepingcomputer.com: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
- ciso2ciso.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints – Source:thehackernews.com
- Security Risk Advisors: Sophos Investigates DragonForce Ransomware Attack Exploiting SimpleHelp RMM Vulnerabilities Against MSP
- www.sentinelone.com: Robbinhood operator pleads guilty, PumaBot hits IoT via SSH brute-force attacks, and DragonForce expands RMM exploits via an affiliate model.
- ciso2ciso.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints – Source:thehackernews.com
- news.sophos.com: Sophos Investigates DragonForce Ransomware Attack Exploiting SimpleHelp RMM Vulnerabilities Against MSP
Classification:
- HashTags: #DragonForce #Ransomware #SimpleHelp
- Company: SimpleHelp
- Target: MSPs and their clients
- Attacker: DragonForce
- Product: SimpleHelp
- Feature: RMM software
- Malware: DragonForce
- Type: Ransomware
- Severity: Major