Anna Ribeiro@Industrial Cyber
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding ransomware actors exploiting unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) software. These attacks target customers of utility billing software providers, leveraging a vulnerability to gain unauthorized access. According to a report by The Register, the exploitation involves CVE-2024-57727, a high-severity path traversal vulnerability affecting SimpleHelp versions 5.5.7 and earlier. The attacks, ongoing since January 2025, have led to service disruptions and double extortion incidents, where sensitive data is stolen and systems are encrypted.
CISA's advisory follows reports of the DragonForce ransomware group breaching a managed service provider (MSP) and using its SimpleHelp RMM platform to infiltrate downstream customers. Sophos attributes the breach to a string of known SimpleHelp vulnerabilities, including CVE-2024-57726 through CVE-2024-57728. Once inside, DragonForce actors conducted network reconnaissance, leading to ransomware deployment and data exfiltration. The Register reported that SimpleHelp patched the flaw in January, but many organizations have not applied the update, leaving them vulnerable to exploitation. CISA urges organizations using SimpleHelp RMM to immediately patch their systems, conduct thorough threat hunting, and monitor network traffic for any unusual activity. This is crucial to mitigate the risk of compromise and prevent further disruptions. ConnectWise has also issued warnings, advising users of ScreenConnect and Automate to update to the latest build and validate agent updates to avoid disruptions. The attacks highlight the broader trend of ransomware actors targeting the supply chain, emphasizing the importance of proactive security measures and timely patching. References :
Classification:
Pradeep Bairaboina@Tech Monitor
//
The Play ransomware group has been actively targeting organizations worldwide since June 2022, with the FBI reporting that approximately 900 entities have been compromised as of May 2025. These attacks span across North America, South America, and Europe, targeting a diverse range of businesses and critical infrastructure. The group employs a "double extortion" tactic, exfiltrating sensitive data before encrypting systems, putting additional pressure on victims to pay the ransom.
The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued updated advisories regarding the Play ransomware, highlighting new tactics, techniques, and procedures (TTPs) employed by the group. One notable tactic includes exploiting vulnerabilities in the SimpleHelp remote access tool. Specifically, multiple ransomware groups, including those affiliated with Play, have been actively targeting the CVE-2024-57727 path traversal vulnerability, which allows attackers to download arbitrary files from the SimpleHelp server. The advisories also note that Play operators regularly contact victims via phone, threatening to release stolen data if ransom demands are not met. To mitigate the threat posed by Play ransomware, authorities recommend several proactive security measures, including implementing multifactor authentication, maintaining offline data backups, and developing and testing a recovery plan. It is also critical to keep all operating systems, software, and firmware updated to patch known vulnerabilities. SimpleHelp has released security updates to address the exploited vulnerabilities and strongly urges customers to apply these fixes immediately. While Play ransomware has been linked to attacks on critical infrastructure, including nine attacks impacting healthcare, experts recommend constant vigilance and proactive security strategies across all sectors. References :
Classification:
@www.bleepingcomputer.com
//
DragonForce ransomware group has been actively exploiting vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) software, to target managed service providers (MSPs) and their customers. This attack serves as a stark reminder of the supply chain risks inherent in relying on third-party software, particularly RMM tools which, if compromised, can grant attackers widespread access to numerous client systems. Sophos researchers uncovered that the DragonForce operator chained three specific SimpleHelp flaws, identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to breach an MSP. This breach resulted in data theft and the subsequent deployment of ransomware across the MSP's customer endpoints, causing significant disruption and potential financial losses.
The vulnerabilities exploited by DragonForce allowed the attackers to perform several malicious actions. CVE-2024-57727 enabled unauthorized remote attackers to download arbitrary files, including server configuration files containing sensitive secrets and hashed user passwords. CVE-2024-57728 permitted admin users to upload arbitrary files, leading to potential arbitrary code execution on the host. Furthermore, CVE-2024-57726 allowed low-privilege technicians to create API keys with excessive permissions, potentially enabling them to escalate privileges to the server administrator role. All of these vulnerabilities were present in SimpleHelp's remote support software version 5.5.7 and earlier, highlighting the critical importance of promptly applying security patches. The DragonForce attack on the MSP via SimpleHelp illustrates a growing trend of cybercriminals targeting RMM and other remote tools to facilitate software supply chain attacks. By compromising a single MSP, attackers can gain access to a large number of downstream customers, amplifying the impact of their attacks. Security experts warn that MSPs must prioritize the security of their RMM software, including implementing robust patch management processes and closely monitoring for suspicious activity. This incident underscores the need for a proactive and vigilant approach to cybersecurity to mitigate the risk of ransomware and other threats exploiting channel vulnerabilities. References :
Classification:
|