@www.bleepingcomputer.com
//
Hackers are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise systems and potentially deploy ransomware. Cybersecurity firm Field Effect has confirmed these exploits and released a report detailing the post-exploitation activity. The vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow attackers to create administrator accounts and drop backdoors, laying the groundwork for further malicious activities.
Field Effect identified a breach where threat actors exploited these vulnerabilities in the SimpleHelp RMM client to infiltrate a targeted network. Following initial access, attackers execute discovery commands to gather system and network data. They then establish persistence by creating new administrator accounts and deploying the Sliver malware, a post-exploitation framework gaining popularity as a Cobalt Strike alternative. Once deployed, Sliver waits for further commands, enabling attackers to compromise the domain controller and potentially distribute malicious software. Recommended read:
References :
@ciso2ciso.com
//
A series of cyber incidents have been reported, highlighting the evolving nature of online threats. A concerning trend involves a sophisticated phishing campaign targeting users in Poland and Germany, using PureCrypter malware to deliver multiple payloads, including Agent Tesla and Snake Keylogger, as well as a novel backdoor called TorNet. This TorNet backdoor employs advanced detection evasion tactics, requiring immediate and proactive defense measures. The campaign, which has been active since at least mid-summer 2024, indicates financially motivated threat actors behind the attacks. Security tools are available with threat intelligence to assist in detecting and preventing such intrusions.
Multiple additional vulnerabilities have been discovered, including over 10,000 WordPress websites unknowingly delivering MacOS and Windows malware through fake Google browser update pages. This cross-platform malware attack is notable as it delivers AMOS for Apple users and SocGholish for Windows users, and is the first time these variants have been delivered through a client-side attack. Moreover, an OAuth redirect flaw in an airline travel integration system has exposed millions of users to account hijacking. By manipulating parameters within the login process, attackers can redirect authentication responses, gain unauthorized access to user accounts, and perform actions like booking hotels and car rentals. These incidents underscore the importance of constant vigilance and robust security measures across all platforms. Recommended read:
References :
@www.bleepingcomputer.com
//
Cybersecurity firms have reported a surge in active exploitation of vulnerabilities within SimpleHelp's Remote Monitoring and Management (RMM) software. These vulnerabilities, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, are being leveraged by threat actors to infiltrate networks. The attacks begin with connecting to the endpoint via the vulnerable SimpleHelp RMM client, followed by the execution of several discovery commands obtaining system and network data.
Threat actors are using this access to deploy malware, including the Sliver backdoor, and establish persistent remote access. Field Effect security intelligence observed threat actors exploiting SimpleHelp RMM vulnerabilities to deploy Sliver backdoor and encrypted tunnels. Attackers then proceeded to use the same SimpleHelp RMM client and another admin account to compromise the domain controller and distribute a Windows svchost.exe-spoofing Cloudflare Tunnel for covert compromise. Immediate remediation of flawed SimpleHelp RMM clients has been urged. Recommended read:
References :
@www.horizon3.ai
//
References:
The Hacker News
, www.horizon3.ai
,
Multiple critical vulnerabilities have been discovered in SimpleHelp remote support software, posing significant risks to both servers and client machines. The flaws, identified by Horizon3.ai, include an unauthenticated path traversal vulnerability, allowing attackers to download arbitrary files, including sensitive server configuration files containing hashed passwords. Additionally, an arbitrary file upload vulnerability can lead to remote code execution for attackers with SimpleHelpAdmin or technician admin privileges. A third vulnerability allows low-privilege technicians to escalate to admin level by exploiting missing authorization checks.
Cybersecurity experts warn that these vulnerabilities are trivial to exploit and could be chained together to take complete control of the SimpleHelp server. The security flaws, now assigned CVE-2024-57727, CVE-2024-57728 and CVE-2024-57726, have been addressed in SimpleHelp versions 5.3.9, 5.4.10, and 5.5.8. Users are urged to update their software immediately and take additional security measures, including changing administrator passwords, rotating technician account passwords, and restricting login IPs. The vulnerabilities underscore the importance of patching quickly, as remote access tools are frequently targeted by threat actors. Recommended read:
References :
|