CyberSecurity news

FlagThis - #SimpleHelp

@www.bleepingcomputer.com //
Hackers are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise systems and potentially deploy ransomware. Cybersecurity firm Field Effect has confirmed the exploitation and released a report detailing the post-exploitation activity. The vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, give attackers a foothold that they have used to create administrator accounts and drop backdoors, laying the groundwork for further malicious activity.

Field Effect identified a breach in which threat actors exploited these vulnerabilities through the SimpleHelp RMM client to infiltrate a targeted network. Following initial access, the attackers ran discovery commands to gather system and network data. They then established persistence by creating new administrator accounts and deploying Sliver, a post-exploitation framework gaining popularity as a Cobalt Strike alternative. Once deployed, Sliver waits for further commands, which allowed the attackers to compromise the domain controller and positions them to distribute additional malicious software.

References :
  • Security Risk Advisors: Threat Actors Exploit SimpleHelp RMM Vulnerabilities to Deploy Ransomware
  • The Hacker News: Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
  • www.bleepingcomputer.com: Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.
  • Blog: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware
  • www.scworld.com: Sliver malware spread via SimpleHelp RMM exploits
  • fieldeffect.com: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware
  • gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems

@ciso2ciso.com //
A series of cyber incidents have been reported, highlighting the evolving nature of online threats. One concerning trend is a phishing campaign targeting users in Poland and Germany that uses PureCrypter malware to deliver multiple payloads, including Agent Tesla and Snake Keylogger, as well as a novel backdoor called TorNet. The TorNet backdoor employs detection-evasion tactics that call for proactive defensive measures. The campaign has been active since at least mid-summer 2024 and is attributed to financially motivated threat actors. Detection content and threat intelligence for this activity are available from the source cited below.

Other incidents were also reported. More than 10,000 WordPress websites were found unknowingly serving macOS and Windows malware through fake Google browser update pages. This cross-platform attack is notable because it delivers AMOS to Apple users and SocGholish to Windows users, and it is reported as the first time these variants have been delivered through a client-side attack. Separately, an OAuth redirect flaw in an airline travel integration system exposed millions of users to account hijacking: by manipulating parameters in the login flow, attackers could redirect the authentication response to a host they control, gain unauthorized access to user accounts, and perform actions such as booking hotels and car rentals. These incidents underscore the importance of constant vigilance and robust security measures across all platforms.

References :
  • BleepingComputer: Hackers are believed to be exploiting recently fixed SimpleHelp Remote Monitoring and Management (RMM) software vulnerabilities to gain initial access to target networks.
  • securityaffairs.com: Attackers exploit SimpleHelp RMM software flaws for initial access.
  • Help Net Security: Attackers are leveraging vulnerabilities in SimpleHelp.
  • www.bleepingcomputer.com: Hackers are exploiting flaws in SimpleHelp RMM to breach networks
  • ciso2ciso.com: TorNet Backdoor Detection: An Ongoing Phishing Email Campaign Uses PureCrypter Malware to Drop Other Payloads – Source: socprime.com
  • cside.dev: 10,000 WordPress Websites Found Delivering MacOS and Microsoft Malware
  • The Hacker News: OAuth Redirect Flaw in Airline Travel Integration Exposes Millions to Account Hijacking

@www.bleepingcomputer.com //
Cybersecurity firms have reported a surge in active exploitation of vulnerabilities in SimpleHelp's Remote Monitoring and Management (RMM) software. The vulnerabilities, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, are being leveraged by threat actors to infiltrate networks. The attacks begin with a connection to the endpoint through the vulnerable SimpleHelp RMM client, followed by several discovery commands that collect system and network data.

Threat actors use this access to deploy malware, including the Sliver backdoor, and to establish persistent remote access. According to Field Effect, the attackers then used the same SimpleHelp RMM client and a second administrator account to compromise the domain controller and to distribute a Cloudflare Tunnel binary masquerading as the Windows svchost.exe process, giving them a covert, encrypted channel into the network. Immediate remediation of vulnerable SimpleHelp RMM deployments has been urged.
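Two of the behaviours described in this report leave footprints in ordinary Windows telemetry: a new local account being created and added to Administrators, and a process named svchost.exe running from somewhere other than the Windows system directories. The block below is an added example, not Field Effect's or SimpleHelp's code, that runs those two checks over a constructed batch of events. The event shapes are loosely modelled on Sysmon process-creation and Windows Security account events (4720, 4732); the field names, the RMM client path and every host and user name are constructed for illustration.

```python
"""Added example: two detections for the post-exploitation activity
described above, run over constructed sample events.

Assumptions: a masquerading tunnel binary shows up as svchost.exe outside
System32/SysWOW64; a new admin shows up as event 4720 (account created)
followed by 4732 (added to Administrators). Field names are constructed.
"""
import ntpath

# Constructed sample events, not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"event_id": 1, "image": r"C:\ProgramData\svchost.exe",                 # tunnel binary dropped by the attacker
     "parent": r"C:\Program Files\RMMClient\client.exe", "user": r"CORP\helpdesk-tmp"},
    {"event_id": 4720, "target_user": "helpdesk-tmp", "subject_user": "sh-svc"},
    {"event_id": 4732, "member": "helpdesk-tmp", "group": "Administrators"},
    {"event_id": 4720, "target_user": "intern01", "subject_user": "hr-admin"},
    {"event_id": 4732, "member": "intern01", "group": "Remote Desktop Users"},  # not an admin promotion
]

# Directories from which a genuine svchost.exe is launched.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def masquerading_svchost(events) -> list[str]:
    """Return image paths of svchost.exe processes started outside the system directories."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 1:
            continue
        directory, name = ntpath.split(ev["image"])
        if name.lower() == "svchost.exe" and directory.lower() not in LEGIT_SVCHOST_DIRS:
            hits.append(ev["image"])
    return hits


def new_admin_accounts(events) -> list[str]:
    """Return accounts that were created (4720) and later added to Administrators (4732).

    Events are scanned in order, so the creation must precede the promotion.
    """
    created = set()
    promoted = []
    for ev in events:
        if ev.get("event_id") == 4720:
            created.add(ev["target_user"].lower())
        elif ev.get("event_id") == 4732 and ev["group"].lower() == "administrators":
            if ev["member"].lower() in created:
                promoted.append(ev["member"])
    return promoted


if __name__ == "__main__":
    print("svchost.exe outside system dirs:", masquerading_svchost(SAMPLE_EVENTS))
    print("accounts created then made admin:", new_admin_accounts(SAMPLE_EVENTS))
```

Both checks are deliberately narrow: the first catches the specific masquerade the report describes, not every suspicious process, and the second only fires when creation and promotion occur in the same event window.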

References :
  • Blog: Field Effect mitigates Not-So-SimpleHelp exploits enabling deployment of backdoors.
  • gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems
  • The Hacker News: Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
  • www.scworld.com: Sliver malware spread via SimpleHelp RMM exploits
  • Security Risk Advisors: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware

@www.horizon3.ai //
Multiple critical vulnerabilities have been discovered in SimpleHelp remote support software, posing significant risks to both servers and client machines. The flaws, identified by Horizon3.ai, include an unauthenticated path traversal that allows attackers to download arbitrary files from the server, including sensitive server configuration files containing hashed passwords. An arbitrary file upload vulnerability can lead to remote code execution for attackers holding SimpleHelpAdmin or technician admin privileges. A third vulnerability allows low-privilege technicians to escalate to admin level by exploiting missing authorization checks.

Cybersecurity experts warn that these vulnerabilities are trivial to exploit and can be chained together to take complete control of the SimpleHelp server. The flaws, now assigned CVE-2024-57727, CVE-2024-57728 and CVE-2024-57726, have been addressed in SimpleHelp versions 5.3.9, 5.4.10, and 5.5.8. Administrators are urged to update immediately and to take additional measures, including changing the administrator password, rotating technician account passwords, and restricting the IP addresses permitted to log in. The vulnerabilities underscore the importance of patching quickly, as remote access tools are frequently targeted by threat actors.

References :
  • The Hacker News: Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks
  • www.horizon3.ai: Horizon3 discloses three (currently unassigned) vulnerabilities in SimpleHelp, a remote support software.