CyberSecurity news
Anna Ribeiro@Industrial Cyber
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding ransomware actors exploiting unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) software. These attacks target customers of utility billing software providers, leveraging a vulnerability to gain unauthorized access. According to a report by The Register, the exploitation involves CVE-2024-57727, a high-severity path traversal vulnerability affecting SimpleHelp versions 5.5.7 and earlier. The attacks, ongoing since January 2025, have led to service disruptions and double extortion incidents, where sensitive data is stolen and systems are encrypted.
CISA's advisory follows reports of the DragonForce ransomware group breaching a managed service provider (MSP) and using its SimpleHelp RMM platform to infiltrate downstream customers. Sophos attributes the breach to a string of known SimpleHelp vulnerabilities, including CVE-2024-57726 through CVE-2024-57728. Once inside, DragonForce actors conducted network reconnaissance, leading to ransomware deployment and data exfiltration. The Register reported that SimpleHelp patched the flaw in January, but many organizations have not applied the update, leaving them vulnerable to exploitation.
CISA urges organizations using SimpleHelp RMM to immediately patch their systems, conduct thorough threat hunting, and monitor network traffic for any unusual activity. This is crucial to mitigate the risk of compromise and prevent further disruptions. ConnectWise has also issued warnings, advising users of ScreenConnect and Automate to update to the latest build and validate agent updates to avoid disruptions. The attacks highlight the broader trend of ransomware actors targeting the supply chain, emphasizing the importance of proactive security measures and timely patching.
References:
- seceon.com: In a recent report by BleepingComputer, DragonForce—a rapidly rising ransomware group—breached a managed service provider (MSP) and leveraged its SimpleHelp remote monitoring and management (RMM) platform to infiltrate downstream customers.
- The Register (go.theregister.com): Ransomware scum disrupted utility services with SimpleHelp attacks
- arcticwolf.com: Arctic Wolf Observes Campaign Exploiting SimpleHelp RMM Software for Initial Access
- health-isac.org: Threat Bulletin: SimpleHelp RMM Software Leveraged in Exploitation Attempt to Breach Networks
- ciso2ciso.com (source: www.infosecurity-magazine.com): Ransomware Gang Exploits SimpleHelp RMM to Compromise Utility Billing Firm
- Industrial Cyber (industrialcyber.co): CISA flags exploitation of SimpleHelp RMM vulnerability in ransomware attacks since January
- Daily CyberSecurity: Urgent CISA Alert: Ransomware Actors Exploiting SimpleHelp RMM Flaw (CVE-2024-57727)
- thehackernews.com: Ransomware Actors Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion
- www.cybersecuritydive.com: CISA warns of supply chain risks as ransomware attacks exploit SimpleHelp flaws
- Resources-2: Ransomware Actors Exploit CVE-2024-57727 in Unpatched SimpleHelp RMM
- www.scworld.com: CISA: Utility billing provider customers compromised via SimpleHelp exploit
- Tech Monitor: CISA warns of ransomware exploiting unpatched SimpleHelp RMM vulnerabilities, targeting a utility billing software firm's customers since January
- SOC Prime Blog (socprime.com): Detect SimpleHelp RMM Vulnerability Exploitation: CISA Warns of Threat Actors Abusing Unpatched Flaws for Persistent Access and Ransomware Deployment
Classification:
- HashTags: #Ransomware #SimpleHelp #CISA
- Company: ConnectWise
- Target: Utility billing software providers and customers
- Product: SimpleHelp RMM
- Feature: RMM Exploitation
- Malware: CVE-2024-57727
- Type: Ransomware
- Severity: Major