SimpleHelp RMM Flaws: A Ransomware Attack Vector

Threat Actors Exploit Vulnerabilities in SimpleHelp’s Remote Monitoring and Management (RMM) Software

February 7, 2025

By Ravie Lakshmanan

Threat actors have been observed exploiting recently disclosed security flaws in SimpleHelp’s Remote Monitoring and Management (RMM) software as a precursor for what appears to be a ransomware attack.

The Intrusion

The intrusion leveraged the now-patched vulnerabilities to gain initial access and maintain persistent remote access to an unspecified target network, according to cybersecurity company Field Effect.

Post-Exploitation Tactics

The attack involved the quick and deliberate execution of several post-compromise tactics, techniques, and procedures (TTPs) including network and system discovery, administrator account creation, and the establishment of persistence mechanisms, which could have led to the deployment of ransomware.

Exploited Vulnerabilities

The vulnerabilities in question, CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, were disclosed by Horizon3.ai last month. Successful exploitation of the security holes could allow for information disclosure, privilege escalation, and remote code execution.

Patched Versions

They have since been addressed in SimpleHelp versions 5.3.9, 5.4.10, and 5.5.8 released on January 8 and 13, 2025.

Campaign Observed

Arctic Wolf said it observed a campaign that involved obtaining unauthorized access to devices running SimpleHelp remote desktop software as an initial access vector.

Active Exploitation

While it was unclear at that time if these vulnerabilities were put to use, the latest findings from Field Effect all but confirm that they are being actively weaponized as part of ransomware attack chains.

Incident Analysis

In the incident analyzed by the Canadian cybersecurity company, the initial access was gained to a targeted endpoint via a vulnerable SimpleHelp RMM instance ("194.76.227[.]171") located in Estonia.

Post-Exploitation Actions

Upon establishing a remote connection, the threat actor has been observed performing a series of post-exploitation actions, including reconnaissance and discovery operations, as well as creating an administrator account named "sqladmin" to facilitate the deployment of the open-source Sliver framework.

Persistence and Lateral Movement

The persistence offered by Sliver was subsequently abused to move laterally across the network, establishing a connection between the domain controller (DC) and the vulnerable SimpleHelp RMM client and ultimately installing a Cloudflare tunnel to stealthily route traffic to servers under the attacker’s control through the web infrastructure company’s infrastructure.

Detection and Isolation

Field Effect said the attack was detected at this stage, preventing the attempted tunnel execution from taking place and isolating the system from the network to ensure further compromise.

Ransomware Payload

In the event the event was not flagged, the Cloudflare tunnel could have served as a conduit for retrieving additional payloads, including ransomware.

Similarity to Akira Ransomware Attacks

The tactics overlap with that of Akira ransomware attacks previously reported in May 2023, although it’s also possible other threat actors have adopted the tradecraft.

Conclusion

This campaign demonstrates just one example of how threat actors are actively exploiting SimpleHelp RMM vulnerabilities to gain unauthorized persistent access to networks of interest. Organizations with exposure to these vulnerabilities must update their RMM clients as soon as possible and consider adopting a cybersecurity solution to defend against threats.

Rise in ScreenConnect RMM Software Use

The development comes as Silent Push revealed that it’s seeing a rise in the use of the ScreenConnect RMM software on bulletproof hosts as a way for threat actors to gain access and control victim endpoints.

Social Engineering

Potential attackers have been using social engineering to lure victims into installing legitimate software copies configured to operate under the threat actor’s control. Once installed, the attackers use the altered installer to quickly gain access to the victim’s files.

Follow Us

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.