CyberSecurity news
gallagherseanm@Sophos News
DragonForce ransomware actors are actively exploiting vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) tool, to target Managed Service Providers (MSPs) and their customers. Sophos MDR recently responded to an incident where a threat actor gained access to an MSP's SimpleHelp instance. The attackers then leveraged this access to deploy DragonForce ransomware across multiple endpoints and exfiltrate sensitive data, employing a double extortion tactic to pressure victims into paying a ransom. Sophos endpoint protection and MDR actions were able to thwart a ransomware and double extortion attempt on one customer’s network, highlighting the importance of robust security measures.
The attackers chained multiple vulnerabilities to gain access. Sophos MDR assesses with medium confidence that the threat actor exploited a chain of SimpleHelp vulnerabilities disclosed in January 2025: CVE-2024-57727 (multiple path traversal vulnerabilities), CVE-2024-57728 (arbitrary file upload vulnerability), and CVE-2024-57726 (privilege escalation vulnerability). The attackers also used their access through the MSP's RMM instance to gather information on multiple customer estates managed by the MSP, including device names and configuration, users, and network connections.
DragonForce is an advanced ransomware-as-a-service (RaaS) operation that emerged in mid-2023. DragonForce recently garnered attention in the threat landscape for claiming to “take over” the infrastructure of RansomHub. Reports also suggest that well-known ransomware affiliates, including Scattered Spider (UNC3944), formerly a RansomHub affiliate, have been using DragonForce in attacks targeting multiple large retail chains in the UK and the US. MSPs and their customers are advised to patch SimpleHelp instances immediately to prevent further exploitation.
References:
- Sophos News: Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network
- bsky.app: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
- securityaffairs.com: DragonForce operator chained SimpleHelp flaws to target an MSP and its customers
- BleepingComputer: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
- The Register - Security: DragonForce double-whammy: First hit an MSP, then use RMM software to push ransomware
- www.helpnetsecurity.com: Attackers hit MSP, use its RMM software to deliver ransomware to clients
- www.techradar.com: DragonForce ransomware hacks SimpleHelp RMM tool to attack MSPs
- Anonymous: The ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data
- MicroScope: Sophos warns MSPs over DragonForce threat
- Daily CyberSecurity: Details of RMM tool abused to spread DragonForce.
- MSSP feed for Latest: DragonForce Ransomware Group Exploits MSP’s RMM Software in Attacks
- thehackernews.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints
- Tech Monitor: DragonForce exploits SimpleHelp in MSP breach