CyberSecurity news

FlagThis - #SimpleHelp

@www.bleepingcomputer.com //
Cybersecurity firms have reported a surge in active exploitation of vulnerabilities within SimpleHelp's Remote Monitoring and Management (RMM) software. These vulnerabilities, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, are being leveraged by threat actors to infiltrate networks. The attacks begin with connecting to the endpoint via the vulnerable SimpleHelp RMM client, followed by the execution of several discovery commands obtaining system and network data.

Threat actors are using this access to deploy malware, including the Sliver backdoor, and establish persistent remote access. Field Effect security intelligence observed threat actors exploiting SimpleHelp RMM vulnerabilities to deploy Sliver backdoor and encrypted tunnels. Attackers then proceeded to use the same SimpleHelp RMM client and another admin account to compromise the domain controller and distribute a Windows svchost.exe-spoofing Cloudflare Tunnel for covert compromise. Immediate remediation of flawed SimpleHelp RMM clients has been urged.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Blog: Field Effect mitigates Not-So-SimpleHelp exploits enabling deployment of backdoors.
  • gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems
  • The Hacker News: Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
  • www.scworld.com: Sliver malware spread via SimpleHelp RMM exploits
  • Security Risk Advisors: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware
Classification:
  • HashTags: #SimpleHelp #RMM #VulnerabilityExploit
  • Company: SimpleHelp
  • Target: Organizations Using SimpleHelp
  • Product: SimpleHelp
  • Feature: RMM
  • Malware: Sliver
  • Type: Vulnerability
  • Severity: Major
@www.bleepingcomputer.com //
Hackers are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise systems and potentially deploy ransomware. Cybersecurity firm Field Effect has confirmed these exploits and released a report detailing the post-exploitation activity. The vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow attackers to create administrator accounts and drop backdoors, laying the groundwork for further malicious activities.

Field Effect identified a breach where threat actors exploited these vulnerabilities in the SimpleHelp RMM client to infiltrate a targeted network. Following initial access, attackers execute discovery commands to gather system and network data. They then establish persistence by creating new administrator accounts and deploying the Sliver malware, a post-exploitation framework gaining popularity as a Cobalt Strike alternative. Once deployed, Sliver waits for further commands, enabling attackers to compromise the domain controller and potentially distribute malicious software.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Security Risk Advisors: Threat Actors Exploit SimpleHelp RMM Vulnerabilities to Deploy Ransomware
  • The Hacker News: The Hacker News - Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
  • www.bleepingcomputer.com: Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.
  • Blog: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware The post appeared first on .
  • www.scworld.com: Sliver malware spread via SimpleHelp RMM exploits
  • fieldeffect.com: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware
  • gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems
  • gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems
Classification:
@ciso2ciso.com //
A series of cyber incidents have been reported, highlighting the evolving nature of online threats. A concerning trend involves a sophisticated phishing campaign targeting users in Poland and Germany, using PureCrypter malware to deliver multiple payloads, including Agent Tesla and Snake Keylogger, as well as a novel backdoor called TorNet. This TorNet backdoor employs advanced detection evasion tactics, requiring immediate and proactive defense measures. The campaign, which has been active since at least mid-summer 2024, indicates financially motivated threat actors behind the attacks. Security tools are available with threat intelligence to assist in detecting and preventing such intrusions.

Multiple additional vulnerabilities have been discovered, including over 10,000 WordPress websites unknowingly delivering MacOS and Windows malware through fake Google browser update pages. This cross-platform malware attack is notable as it delivers AMOS for Apple users and SocGholish for Windows users, and is the first time these variants have been delivered through a client-side attack. Moreover, an OAuth redirect flaw in an airline travel integration system has exposed millions of users to account hijacking. By manipulating parameters within the login process, attackers can redirect authentication responses, gain unauthorized access to user accounts, and perform actions like booking hotels and car rentals. These incidents underscore the importance of constant vigilance and robust security measures across all platforms.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • BleepingComputer: Hackers are believed to be exploiting recently fixed SimpleHelp Remote Monitoring and Management (RMM) software vulnerabilities to gain initial access to target networks.
  • securityaffairs.com: Attackers exploit SimpleHelp RMM software flaws for initial access.
  • Help Net Security: Attackers are leveraging vulnerabilities in SimpleHelp.
  • www.bleepingcomputer.com: Hackers are exploiting flaws in SimpleHelp RMM to breach networks
  • ciso2ciso.com: TorNet Backdoor Detection: An Ongoing Phishing Email Campaign Uses PureCrypter Malware to Drop Other Payloads – Source: socprime.com
  • cside.dev: 10,000 WordPress Websites Found Delivering MacOS and Microsoft Malware
  • The Hacker News: OAuth Redirect Flaw in Airline Travel Integration Exposes Millions to Account Hijacking
Classification: