Threat actors have been observed exploiting recently disclosed security flaws in SimpleHelp’s Remote Monitoring and Management (RMM) software as a precursor for what appears to be a ransomware attack.
The intrusion leveraged the now-patched vulnerabilities to gain initial access and maintain persistent remote access to an unspecified target network, cybersecurity company Field Effect said in a report shared with The Hacker News.
“The attack involved the quick and deliberate execution of several post-compromise tactics, techniques and procedures (TTPs) including network and system discovery, administrator account creation, and the establishment of persistence mechanisms, which could have led to the deployment of ransomware,” security researchers Ryan Slaney and Daniel Albrecht said.
The vulnerabilities in question, CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, were disclosed by Horizon3.ai last month. Successful exploitation of the security holes could allow for information disclosure, privilege escalation, and remote code execution.
They have since been addressed in SimpleHelp versions 5.3.9, 5.4.10, and 5.5.8 released on January 8 and 13, 2025.
Merely weeks later, Arctic Wolf said it observed a campaign that involved obtaining unauthorized access to devices running SimpleHelp remote desktop software as an initial access vector.
While it was unclear at that time if these vulnerabilities were put to use, the latest findings from Field Effect all but confirm that they are being actively weaponized as part of ransomware attack chains.
In the incident analyzed by the Canadian cybersecurity company, the initial access was gained to a targeted endpoint via a vulnerable SimpleHelp RMM instance (“194.76.227[.]171”) located in Estonia.
Upon establishing a remote connection, the threat actor has been observed performing a series of post-exploitation actions, including reconnaissance and discovery operations, as well as creating an administrator account named “sqladmin” to facilitate the deployment of the open-source Sliver framework.
The persistence offered by Sliver was subsequently abused to move laterally across the network, establishing a connection between the domain controller (DC) and the vulnerable SimpleHelp RMM client and ultimately installing a Cloudflare tunnel to stealthily route traffic to servers under the attacker’s control through the web infrastructure company’s infrastructure.
Field Effect said the attack was detected at this stage, preventing the attempted tunnel execution from taking place and isolating the system from the network to ensure further compromise.
In the event the event was not flagged, the Cloudflare tunnel could have served as a conduit for retrieving additional payloads, including ransomware. The company said the tactics overlap with that of Akira ransomware attacks previously reported in May 2023, although it’s also possible other threat actors have adopted the tradecraft.
“This campaign demonstrates just one example of how threat actors are actively exploiting SimpleHelp RMM vulnerabilities to gain unauthorized persistent access to networks of interest,” the researchers said. “Organizations with exposure to these vulnerabilities must update their RMM clients as soon as possible and consider adopting a cybersecurity solution to defend against threats.”
The development comes as Silent Push revealed that it’s seeing a rise in the use of the ScreenConnect RMM software on bulletproof hosts as a way for threat actors to gain access and control victim endpoints.
“Potential attackers have been using social engineering to lure victims into installing legitimate software copies configured to operate under the threat actor’s control,” the company said. “Once installed, the attackers use the altered installer to quickly gain access to the victim’s files.”
