FlagThis

Cybersecurity firms have reported a surge in active exploitation of vulnerabilities within SimpleHelp's Remote Monitoring and Management (RMM) software. These vulnerabilities, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, are being leveraged by threat actors to infiltrate networks. The attacks begin with connecting to the endpoint via the vulnerable SimpleHelp RMM client, followed by the execution of several discovery commands obtaining system and network data.

Threat actors are using this access to deploy malware, including the Sliver backdoor, and establish persistent remote access. Field Effect security intelligence observed threat actors exploiting SimpleHelp RMM vulnerabilities to deploy Sliver backdoor and encrypted tunnels. Attackers then proceeded to use the same SimpleHelp RMM client and another admin account to compromise the domain controller and distribute a Windows svchost.exe-spoofing Cloudflare Tunnel for covert compromise. Immediate remediation of flawed SimpleHelp RMM clients has been urged.

ImgSrc: www.bleepstatic

References :

• Blog: Field Effect mitigates Not-So-SimpleHelp exploits enabling deployment of backdoors.
• gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems
• The Hacker News: Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
• www.scworld.com: Sliver malware spread via SimpleHelp RMM exploits
• Security Risk Advisors: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware

Classification:

• HashTags: #SimpleHelp #RMM #VulnerabilityExploit
• Company: SimpleHelp
• Target: Organizations Using SimpleHelp
• Product: SimpleHelp
• Feature: RMM
• Malware: Sliver
• Type: Vulnerability
• Severity: Major