CyberSecurity updates
2025-02-23 12:09:46 Pacific

SimpleHelp RMM Exploits Lead to Ransomware Deployment - 14d

Threat actors are exploiting vulnerabilities in SimpleHelp RMM software to gain initial access, establish persistent remote access, and potentially deploy ransomware. The vulnerabilities allow attackers to create administrator accounts, drop backdoors, and execute various discovery commands. Field Effect has observed attack TTPs similar to those of the Akira ransomware group, but does not make that assessment with high confidence because the TTPs could be adopted by other threat actors.

Active Exploitation of SimpleHelp RMM Flaws Escalates Malware Deployment - 14d

Multiple threat actors are actively exploiting vulnerabilities in SimpleHelp’s Remote Monitoring and Management (RMM) software to infiltrate networks and deploy malware, including the Sliver backdoor and ransomware. The vulnerabilities, tracked as CVE-2024-NNNN, allow attackers to gain initial access and maintain persistent remote access to targeted systems. Field Effect has released an analysis detailing the exploitation techniques observed in these attacks.

Multiple Cyber Attacks and Vulnerabilities - 23d

Multiple reports detail a wave of cyber incidents, showcasing the diverse range of attacks. A vulnerability in SimpleHelp RMM tools may have led to healthcare data breaches. A widespread campaign uses the TorNet backdoor deployed by PureCrypter malware. There is also a rise in OAuth redirect flaws in airline travel integration systems. Additionally, many WordPress websites were found to be delivering both macOS and Microsoft malware. These incidents highlight the growing sophistication and reach of cyber threats across various platforms and industries.

SimpleHelp Vulnerabilities Allow RCE - 6d

Multiple critical vulnerabilities have been discovered in SimpleHelp remote support software. These flaws include unauthorized file access, privilege escalation, and remote code execution. These vulnerabilities are trivial to exploit, making them a serious risk for both SimpleHelp servers and the client machines that the software is used to manage. Patches are available, and users are advised to upgrade immediately.