CyberSecurity news

FlagThis - #SimpleHelp

@www.bleepingcomputer.com //
Cybersecurity firms have reported active, in-the-wild exploitation of vulnerabilities in SimpleHelp's Remote Monitoring and Management (RMM) software. The flaws, tracked as CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728, are being used by threat actors to gain initial access to networks. The intrusions begin with a connection to the endpoint through the vulnerable SimpleHelp RMM client, followed by a series of discovery commands that collect system and network information.

Threat actors are using this access to deploy malware, including the Sliver backdoor, and to establish persistent remote access. Field Effect's security intelligence team observed attackers exploiting the SimpleHelp RMM flaws to deploy Sliver and encrypted tunnels. The attackers then used the same SimpleHelp RMM client, together with a second administrator account, to reach the domain controller and distribute a Cloudflare Tunnel binary disguised as the Windows svchost.exe for covert, persistent access. Organizations are urged to patch vulnerable SimpleHelp RMM installations immediately.



References :
  • Blog: Field Effect mitigates Not-So-SimpleHelp exploits enabling deployment of backdoors.
  • gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems
  • The Hacker News: Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
  • www.scworld.com: Sliver malware spread via SimpleHelp RMM exploits
  • Security Risk Advisors: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware
Classification:
  • HashTags: #SimpleHelp #RMM #VulnerabilityExploit
  • Company: SimpleHelp
  • Target: Organizations Using SimpleHelp
  • Product: SimpleHelp
  • Feature: RMM
  • Malware: Sliver
  • Type: Vulnerability
  • Severity: Major
@www.bleepingcomputer.com //
Hackers are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise systems and potentially deploy ransomware. Cybersecurity firm Field Effect has confirmed these exploits and released a report detailing the post-exploitation activity. The vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow attackers to create administrator accounts and drop backdoors, laying the groundwork for further malicious activities.

Field Effect identified a breach where threat actors exploited these vulnerabilities in the SimpleHelp RMM client to infiltrate a targeted network. Following initial access, attackers execute discovery commands to gather system and network data. They then establish persistence by creating new administrator accounts and deploying the Sliver malware, a post-exploitation framework gaining popularity as a Cobalt Strike alternative. Once deployed, Sliver waits for further commands, enabling attackers to compromise the domain controller and potentially distribute malicious software.
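The two summaries above describe the same post-exploitation pattern: a burst of discovery commands from the remote-access client, creation of a new local administrator, and a Cloudflare Tunnel binary renamed to svchost.exe. The following triage script is an added example (not code from Field Effect, SimpleHelp or any of the referenced articles) that runs those three checks over Sysmon-style process-creation fields. Its assumptions are labelled in the code: the concrete discovery command list, the parent path standing in for the remote-access client, and the Cloudflare Tunnel binary being launched with cloudflared's normal `tunnel run --token` arguments. The sample events are constructed.

```python
"""Triage Windows process-creation events (Sysmon Event ID 1 style fields) for
the post-exploitation chain described above. Added example; sample data is
constructed, not taken from the Field Effect report."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


# The page only says "discovery commands obtaining system and network data";
# this concrete set is an assumption based on common living-off-the-land tools.
DISCOVERY_BINARIES = {"whoami.exe", "systeminfo.exe", "ipconfig.exe",
                      "nltest.exe", "net.exe", "net1.exe", "quser.exe"}
DISCOVERY_BURST = 3  # distinct discovery tools from one parent before we alert

# The only directories the real service host runs from.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# "net user <name> [<password>] /add" and "net localgroup administrators <name> /add"
ADD_USER_RE = re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I)
ADD_ADMIN_RE = re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)
# cloudflared's own syntax for a token-authenticated tunnel; assumes the renamed
# binary was started with its usual arguments rather than a config file.
CF_TUNNEL_RE = re.compile(r"\btunnel\b.*(\brun\b|--token)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def spoofed_svchost(ev: ProcEvent) -> bool:
    """An svchost.exe outside the Windows system directories, or one not started
    by services.exe, is not the genuine service host."""
    if basename(ev.image) != "svchost.exe":
        return False
    image = ev.image.lower()
    in_system_dir = any(image.startswith(d) for d in LEGIT_SVCHOST_DIRS)
    return not in_system_dir or basename(ev.parent_image) != "services.exe"


def triage(events):
    """Return (rule, detail) hits in event order, with discovery bursts last."""
    hits = []
    discovery_by_parent = defaultdict(set)
    for ev in events:
        if basename(ev.image) in DISCOVERY_BINARIES:
            discovery_by_parent[ev.parent_image.lower()].add(basename(ev.image))
        if ADD_USER_RE.search(ev.cmdline):
            hits.append(("local_account_created", ev.image))
        if ADD_ADMIN_RE.search(ev.cmdline):
            hits.append(("added_to_administrators", ev.image))
        if spoofed_svchost(ev):
            rule = "svchost_masquerade"
            if CF_TUNNEL_RE.search(ev.cmdline):
                rule += "+cloudflare_tunnel_args"
            hits.append((rule, ev.image))
    for parent, tools in discovery_by_parent.items():
        if len(tools) >= DISCOVERY_BURST:
            hits.append(("discovery_burst", f"{parent}: {', '.join(sorted(tools))}"))
    return hits


# Constructed sample. The parent path stands in for the remote-access client and
# is an assumption, not SimpleHelp's real install path or process name.
RMM = "C:\\Program Files\\RemoteSupportClient\\client.exe"
SVC = "C:\\Windows\\System32\\services.exe"
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\System32\\whoami.exe", "whoami /all", RMM),
    ProcEvent("C:\\Windows\\System32\\ipconfig.exe", "ipconfig /all", RMM),
    ProcEvent("C:\\Windows\\System32\\nltest.exe", "nltest /dclist:", RMM),
    ProcEvent("C:\\Windows\\System32\\net1.exe", "net1 user svc_backup P@ssw0rd! /add", RMM),
    ProcEvent("C:\\Windows\\System32\\net1.exe", "net1 localgroup administrators svc_backup /add", RMM),
    # Cloudflare Tunnel binary renamed to svchost.exe, run from a user-writable path
    ProcEvent("C:\\ProgramData\\svchost.exe", "svchost.exe tunnel run --token eyJ...", RMM),
    # Benign: the real service host, started by services.exe
    ProcEvent("C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs -p", SVC),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:45} {detail}")
```

The svchost check deliberately combines path and parent: a tunnel binary copied into System32 by an administrator account would pass a path-only rule, but it would still not have services.exe as its parent. The discovery-burst rule groups by parent so that a handful of innocuous commands from an interactive admin session are not alerted on individually; tune DISCOVERY_BURST to the environment.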



References :
  • Security Risk Advisors: Threat Actors Exploit SimpleHelp RMM Vulnerabilities to Deploy Ransomware
  • The Hacker News: Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
  • www.bleepingcomputer.com: Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.
  • Blog: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware
  • www.scworld.com: Sliver malware spread via SimpleHelp RMM exploits
  • fieldeffect.com: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware
  • gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems
Classification: