CyberSecurity news

FlagThis - #simplehelp

Anna Ribeiro@Industrial Cyber //
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding ransomware actors exploiting unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) software. These attacks target customers of utility billing software providers, leveraging a vulnerability to gain unauthorized access. According to a report by The Register, the exploitation involves CVE-2024-57727, a high-severity path traversal vulnerability affecting SimpleHelp versions 5.5.7 and earlier. The attacks, ongoing since January 2025, have led to service disruptions and double extortion incidents, where sensitive data is stolen and systems are encrypted.

CISA's advisory follows reports of the DragonForce ransomware group breaching a managed service provider (MSP) and using its SimpleHelp RMM platform to infiltrate downstream customers. Sophos attributes the breach to a string of known SimpleHelp vulnerabilities, including CVE-2024-57726 through CVE-2024-57728. Once inside, DragonForce actors conducted network reconnaissance, leading to ransomware deployment and data exfiltration. The Register reported that SimpleHelp patched the flaw in January, but many organizations have not applied the update, leaving them vulnerable to exploitation.

CISA urges organizations using SimpleHelp RMM to immediately patch their systems, conduct thorough threat hunting, and monitor network traffic for any unusual activity. This is crucial to mitigate the risk of compromise and prevent further disruptions. ConnectWise has also issued warnings, advising users of ScreenConnect and Automate to update to the latest build and validate agent updates to avoid disruptions. The attacks highlight the broader trend of ransomware actors targeting the supply chain, emphasizing the importance of proactive security measures and timely patching.


References:
  • seceon.com: In a recent report by BleepingComputer, DragonForce—a rapidly rising ransomware group—breached a managed service provider (MSP) and leveraged its SimpleHelp remote monitoring and management (RMM) platform to infiltrate downstream customers.
  • The Register: Ransomware scum disrupted utility services with SimpleHelp attacks
  • arcticwolf.com: Arctic Wolf Observes Campaign Exploiting SimpleHelp RMM Software for Initial Access
  • health-isac.org: Threat Bulletin: SimpleHelp RMM Software Leveraged in Exploitation Attempt to Breach Networks
  • ciso2ciso.com: Ransomware Gang Exploits SimpleHelp RMM to Compromise Utility Billing Firm – Source: www.infosecurity-magazine.com
  • Industrial Cyber: CISA flags exploitation of SimpleHelp RMM vulnerability in ransomware attacks since January
  • Daily CyberSecurity: Urgent CISA Alert: Ransomware Actors Exploiting SimpleHelp RMM Flaw (CVE-2024-57727)
  • thehackernews.com: Ransomware Actors Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion
  • www.cybersecuritydive.com: CISA warns of supply chain risks as ransomware attacks exploit SimpleHelp flaws
  • Resources-2: Ransomware Actors Exploit CVE-2024-57727 in Unpatched SimpleHelp RMM
  • www.scworld.com: CISA: Utility billing provider customers compromised via SimpleHelp exploit
  • Tech Monitor: CISA warns of ransomware exploiting unpatched SimpleHelp RMM vulnerabilities, targeting a utility billing software firm's customers since January.
  • SOC Prime Blog: Detect SimpleHelp RMM Vulnerability Exploitation: CISA Warns of Threat Actors Abusing Unpatched Flaws for Persistent Access and Ransomware Deployment
Classification:
  • HashTags: #Ransomware #SimpleHelp #CISA
  • Company: ConnectWise
  • Target: Utility billing software providers and customers
  • Product: SimpleHelp RMM
  • Feature: RMM Exploitation
  • Vulnerability: CVE-2024-57727
  • Type: Ransomware
  • Severity: Major
Pradeep Bairaboina@Tech Monitor //
The Play ransomware group has been actively targeting organizations worldwide since June 2022, with the FBI reporting that approximately 900 entities have been compromised as of May 2025. These attacks span across North America, South America, and Europe, targeting a diverse range of businesses and critical infrastructure. The group employs a "double extortion" tactic, exfiltrating sensitive data before encrypting systems, putting additional pressure on victims to pay the ransom.

The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued updated advisories regarding the Play ransomware, highlighting new tactics, techniques, and procedures (TTPs) employed by the group. One notable tactic includes exploiting vulnerabilities in the SimpleHelp remote access tool. Specifically, multiple ransomware groups, including those affiliated with Play, have been actively targeting the CVE-2024-57727 path traversal vulnerability, which allows attackers to download arbitrary files from the SimpleHelp server. The advisories also note that Play operators regularly contact victims via phone, threatening to release stolen data if ransom demands are not met.

To mitigate the threat posed by Play ransomware, authorities recommend several proactive security measures, including implementing multifactor authentication, maintaining offline data backups, and developing and testing a recovery plan. It is also critical to keep all operating systems, software, and firmware updated to patch known vulnerabilities. SimpleHelp has released security updates to address the exploited vulnerabilities and strongly urges customers to apply these fixes immediately. While Play ransomware has been linked to attacks on critical infrastructure, including nine attacks impacting healthcare, experts recommend constant vigilance and proactive security strategies across all sectors.


References:
  • cyberinsider.com: FBI: Play Ransomware Breached 900 Organizations Worldwide
  • DataBreaches.Net: CISA Alert: Updated Guidance on Play Ransomware
  • The Register - Security: Play ransomware crims exploit SimpleHelp flaw in double-extortion schemes
  • Tech Monitor: The FBI reports Play ransomware breached 900 firms by May 2025, up from October 2023, using recompiled malware and phone threats for ransoms.
  • www.cybersecuritydive.com: The hacker group has breached hundreds of organizations and is working with others to exploit flaws in a popular remote support tool.
  • securityaffairs.com: Play ransomware group hit 900 organizations since 2022
  • www.techradar.com: FBI warns Play ransomware hackers have hit nearly a thousand US firms
  • www.cybersecuritydive.com: Understanding the evolving malware and ransomware threat landscape
@www.bleepingcomputer.com //
DragonForce ransomware group has been actively exploiting vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) software, to target managed service providers (MSPs) and their customers. This attack serves as a stark reminder of the supply chain risks inherent in relying on third-party software, particularly RMM tools which, if compromised, can grant attackers widespread access to numerous client systems. Sophos researchers uncovered that the DragonForce operator chained three specific SimpleHelp flaws, identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to breach an MSP. This breach resulted in data theft and the subsequent deployment of ransomware across the MSP's customer endpoints, causing significant disruption and potential financial losses.

The vulnerabilities exploited by DragonForce allowed the attackers to perform several malicious actions. CVE-2024-57727 enabled unauthorized remote attackers to download arbitrary files, including server configuration files containing sensitive secrets and hashed user passwords. CVE-2024-57728 permitted admin users to upload arbitrary files, leading to potential arbitrary code execution on the host. Furthermore, CVE-2024-57726 allowed low-privilege technicians to create API keys with excessive permissions, potentially enabling them to escalate privileges to the server administrator role. All of these vulnerabilities were present in SimpleHelp's remote support software version 5.5.7 and earlier, highlighting the critical importance of promptly applying security patches.
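The three bug classes above map onto two server-side checks. The Python below is an added illustration written for this page; it is not SimpleHelp's code and is not derived from any of the cited reports, and the directory layout, role table and permission names are constructed assumptions. It places the vulnerable path join beside a hardened resolver for the arbitrary-download class (CVE-2024-57727), and an unclamped beside a clamped API-key minting routine for the privilege-escalation class (CVE-2024-57726).

```python
"""
Illustrative checks (not SimpleHelp's code) for two of the bug classes
described above: a path-traversal guard for a file-download endpoint and
a least-privilege rule for delegated API-key creation.  The sample files
and the role table are constructed for this example.
"""
import os
import tempfile
from pathlib import Path


class AccessDenied(Exception):
    """Raised when a request would exceed what the caller is allowed."""


# --- 1. Path traversal in a file-download handler -------------------------

def unsafe_resolve(base_dir: str, requested: str) -> Path:
    """Vulnerable pattern: the client-supplied name is joined straight onto
    the serving directory.  '..' segments walk out of it, and an absolute
    request makes os.path.join discard base_dir entirely."""
    return Path(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Hardened form: resolve symlinks and '..' first, then require the
    result to still sit inside base_dir, however the traversal was spelled."""
    root = Path(base_dir).resolve()
    # lstrip so an absolute request cannot replace the base directory
    candidate = (root / requested.lstrip("/\\")).resolve()
    if candidate != root and root not in candidate.parents:
        raise AccessDenied(f"path escapes serving directory: {requested!r}")
    return candidate


def demo_traversal() -> dict:
    """Build a constructed layout with a public file and a secret config,
    then request the secret via traversal through both resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        public = Path(tmp, "public")
        public.mkdir()
        (public / "readme.txt").write_text("hello")
        conf = Path(tmp, "config")
        conf.mkdir()
        (conf / "secrets.cfg").write_text("admin_hash=deadbeef")  # constructed

        traversal = "../config/secrets.cfg"
        unsafe_hit = unsafe_resolve(str(public), traversal).read_text()
        try:
            safe_resolve(str(public), traversal)
            safe_blocked = False
        except AccessDenied:
            safe_blocked = True
        normal = safe_resolve(str(public), "readme.txt").read_text()
    return {"unsafe_served_secret": unsafe_hit == "admin_hash=deadbeef",
            "safe_blocked": safe_blocked,
            "safe_serves_legit": normal == "hello"}


# --- 2. Delegated API keys must not exceed the creator's own rights -------

ROLE_PERMISSIONS = {  # constructed role table, not SimpleHelp's
    "technician": {"session:view", "session:join"},
    "admin": {"session:view", "session:join", "user:manage", "server:configure"},
}


def mint_api_key_unsafe(creator_role: str, requested_perms: set) -> dict:
    """Vulnerable pattern: the requested permission set is accepted as-is,
    so a low-privilege caller can mint a key carrying admin-level rights."""
    return {"role": creator_role, "perms": set(requested_perms)}


def mint_api_key_safe(creator_role: str, requested_perms: set) -> dict:
    """Hardened form: the key's scope is clamped to what the creator already
    holds; asking for more is an error, not a silent grant."""
    allowed = ROLE_PERMISSIONS[creator_role]
    excess = set(requested_perms) - allowed
    if excess:
        raise AccessDenied(f"{creator_role} cannot delegate {sorted(excess)}")
    return {"role": creator_role, "perms": set(requested_perms)}


def demo_api_key() -> dict:
    """A technician asks for a key that includes an admin-only permission."""
    wanted = {"session:view", "server:configure"}
    unsafe_key = mint_api_key_unsafe("technician", wanted)
    try:
        mint_api_key_safe("technician", wanted)
        safe_blocked = False
    except AccessDenied:
        safe_blocked = True
    return {"unsafe_grants_admin_perm": "server:configure" in unsafe_key["perms"],
            "safe_blocked": safe_blocked}


if __name__ == "__main__":
    print(demo_traversal())
    print(demo_api_key())
```

The resolver compares fully resolved paths rather than scanning the request for `..`, so encoded or symlinked variants of the same escape are caught by the same rule; the key-minting check likewise compares sets rather than role names, so it stays correct if a role's permissions change.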

The DragonForce attack on the MSP via SimpleHelp illustrates a growing trend of cybercriminals targeting RMM and other remote tools to facilitate software supply chain attacks. By compromising a single MSP, attackers can gain access to a large number of downstream customers, amplifying the impact of their attacks. Security experts warn that MSPs must prioritize the security of their RMM software, including implementing robust patch management processes and closely monitoring for suspicious activity. This incident underscores the need for a proactive and vigilant approach to cybersecurity to mitigate the risk of ransomware and other threats exploiting channel vulnerabilities.


References:
  • Sophos News: Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network
  • bsky.app: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • securityaffairs.com: Sophos researchers reported that a DragonForce ransomware operator exploited three chained vulnerabilities in SimpleHelp software to attack a managed service provider. SimpleHelp is a remote support and access software designed for IT professionals and support teams. It provides a streamlined way for IT teams to manage and monitor remote systems, making it a valuable tool for MSPs. However, the vulnerabilities exploited by DragonForce highlight the importance of keeping RMM software patched and up to date, as these tools can become attack vectors for ransomware and other threats.
  • BleepingComputer: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
  • The Register - Security: Updated DragonForce ransomware infected a managed service provider, and its customers, after attackers exploited security flaws in remote monitoring and management tool SimpleHelp.…
  • www.helpnetsecurity.com: Attackers hit MSP, use its RMM software to deliver ransomware to clients
  • www.techradar.com: DragonForce ransomware hacks SimpleHelp RMM tool to attack MSPs
  • ciso2ciso.com: DragonForce double-whammy: First hit an MSP, then use RMM software to push ransomware – Source: go.theregister.com
  • MicroScope: Sophos warns MSPs over DragonForce threat
  • Daily CyberSecurity: Details of RMM tool abused to spread DragonForce.
  • MSSP feed for Latest: The bad actors exploited flaws in SimpleHelp's software to compromise the MSP and attack clients.
  • thehackernews.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints
  • Tech Monitor: DragonForce exploits SimpleHelp in MSP breach
  • ciso2ciso.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints – Source:thehackernews.com
  • Security Risk Advisors: Sophos Investigates DragonForce Ransomware Attack Exploiting SimpleHelp RMM Vulnerabilities Against MSP
  • www.sentinelone.com: Robbinhood operator pleads guilty, PumaBot hits IoT via SSH brute-force attacks, and DragonForce expands RMM exploits via an affiliate model.