DragonForce Actors Abuse Microsoft Teams Relays for C2 Evasion


A severe authentication bypass vulnerability (CVE-2026-48558) has been disclosed in SimpleHelp, a remote management and support application commonly utilized by enterprises and MSPs. Discovered via Horizon3.ai’s autonomous research pipeline “Sua Sponte,” the vulnerability stems from a total failure to verify the cryptographic signatures of OpenID Connect (OIDC) identity tokens. This allows remote, unauthenticated threat actors to forge tokens and gain full administrative (“Technician”) privileges over exposed servers, bypassing MFA under certain conditions. Given that roughly 14,000 SimpleHelp instances are currently exposed to the internet with approximately 7.2% utilizing the vulnerable OIDC configuration – immediate patching or mitigation is highly recommended.

Severity: High

Threat Actor Profile

  • Actor Name: DragonForce
  • Actor Structure: Recently transitioned from a standard Ransomware-as-a-Service (RaaS) model to a highly organized, formalized cartel structure.
  • Affected Sectors: BFSI, Manufacturing, Construction, Technology, Healthcare, and others.
  • Affected Regions: Argentina, Australia, China, Singapore, South Africa, Switzerland, United Kingdom, United States, Germany, Canada, Italy.

Attack Chain

1. Initial Access & Execution

  • Vector: Exploitation of an exposed SQL or MSSQL server (specific vulnerability unknown); potentially procured via an Initial Access Broker (IAB). Initial activity began in December 2025.
  • First-Stage Execution: Operators executed a PowerShell command line to fetch a stage-1 archive over plain HTTP, masquerading as a technical support hotfix (TechSupV18Fix3.zip).

2. Persistence & Privilege Escalation

  • DLL Sideloading: The malicious archive contained a legitimate, signed VirtualBox/DbgView executable. The threat actors side-loaded a malicious DLL (vboxrt.dll) into it, inheriting the trusted process's high privileges and bypassing security monitoring.
  • System Reconfiguration:
    • Flipped the LimitBlankPasswordUse configuration to allow passwordless network logons.
    • Added local users/groups and modified host firewall rules to guarantee unhindered C2 communication.
  • Late-Stage Persistence: Backdoor.Turn was injected into DbgView64.exe post-ransomware detonation to maintain long-term access, potentially for reinfiltration or access resale.

3. Defense Evasion: Bring Your Own Vulnerable Driver (BYOVD)

The group used four separate vulnerable driver exploits plus one custom malicious driver:

Driver                              | Method                                                                          | CVE
------------------------------------|---------------------------------------------------------------------------------|---------------------------
Huawei HWAuidoOs2Ec.sys             | "Havoc Process Terminator": novel, not previously known to have been exploited  | N/A (documented Mar 2026)
Topaz Antifraud wsftprm.sys         | BYOVD                                                                           | CVE-2023-52271
Tower of Fantasy Gamedriverx64.sys  | BYOVD                                                                           | CVE-2025-61155
K7 Security K7RKScan.sys            | BYOVD                                                                           | CVE-2025-1055
ABYSSWORKER                         | Custom malicious driver masquerading as a Palo Alto component                   | N/A

4. Command & Control (C2): Backdoor.Turn Mechanisms

Inspired by the “Ghost Calls” technique presented at Black Hat 2025, Backdoor.Turn circumvents traditional network profiling:

  • Token Acquisition: The malware requests an anonymous visitor authentication token from the Microsoft Teams/Skype identity services backend.
  • Traffic Relaying: It uses the token to connect through legitimate Microsoft TURN relay servers.
  • Session Establishment: Once the relay connection is established, it initiates a direct QUIC session to the attacker’s actual C2 server. Network defenders only observe legitimate outbound connections to Microsoft Teams infrastructure.

Recommendations

  1. Alert on QUIC (UDP 443) connections originating from non-browser, non-Teams processes, especially injected processes such as DbgView64.exe.
  2. Audit all internet-facing SQL and MSSQL instances – remove unnecessary exposure immediately. Apply latest patches and enforce strong authentication with MFA on all database management interfaces.
  3. Restrict SQL Server Agent and xp_cmdshell; disable features not in use.
  4. Add all identified vulnerable drivers to your WDAC (Windows Defender Application Control).
  5. Enable Microsoft's Vulnerable Driver Blocklist via HVCI (Hypervisor-Protected Code Integrity).
  6. Alert on DbgView64.exe making network connections or spawning child processes. It should do neither in normal operation.
  7. Alert on changes to the LimitBlankPasswordUse registry value; this is a direct IOC from this campaign.
  8. Block the IOCs at their respective controls:
     https://www.virustotal.com/gui/collection/c0bb927d1d7c42acf20ecdbbeadf1134b1062b5af2884ce484a214ba139150fe/iocs
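The following is an added example, not code from the advisory or from Symantec, showing how recommendations 1, 6 and 7 can be expressed as detection logic over Sysmon-style telemetry. It assumes the field names of Sysmon Event ID 1 (process create), 3 (network connect) and 13 (registry value set), an assumed allowlist of processes expected to speak QUIC, and constructed sample events.

```python
# Toy detection logic for three of the recommendations above (added example).
# Assumption: events carry Sysmon-style field names for Event IDs 1, 3 and 13.
from typing import Iterable

# Processes expected to speak QUIC (UDP/443). Assumed allowlist; tune per estate.
QUIC_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe", "ms-teams.exe", "teams.exe"}
# Registry value flipped by the campaign; 0 permits network logons with blank passwords.
LSA_VALUE = r"hklm\system\currentcontrolset\control\lsa\limitblankpassworduse"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if absent)."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the alert names raised by one event (empty list if none)."""
    alerts = []
    image = basename(ev.get("Image", ""))
    eid = ev.get("EventID")
    if eid == 3:  # network connection (recommendations 1 and 6)
        if image == "dbgview64.exe":
            alerts.append("dbgview64_network_connection")
        if (ev.get("Protocol", "").lower() == "udp" and ev.get("DestinationPort") == 443
                and image not in QUIC_ALLOWED):
            alerts.append("quic_from_unexpected_process")
    elif eid == 1 and basename(ev.get("ParentImage", "")) == "dbgview64.exe":
        alerts.append("dbgview64_child_process")  # recommendation 6
    elif eid == 13 and ev.get("TargetObject", "").lower() == LSA_VALUE:
        # Any write is worth a look; a zero DWORD is the dangerous setting (recommendation 7).
        alerts.append("limitblankpassworduse_disabled" if ev.get("Details") == "DWORD (0x00000000)"
                      else "limitblankpassworduse_modified")
    return alerts


def scan(events: Iterable[dict]) -> list:
    """Flatten alerts across events as (image, alert) pairs."""
    return [(basename(ev.get("Image", "")), a) for ev in events for a in check_event(ev)]


SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the campaign
    {"EventID": 3, "Image": r"C:\Tools\DbgView64.exe", "Protocol": "udp", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\chrome.exe", "Protocol": "udp", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Tools\DbgView64.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Protocol": "tcp", "DestinationPort": 443},
]

if __name__ == "__main__":
    for image, alert in scan(SAMPLE_EVENTS):
        print(f"{alert:34} {image}")
```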

Source:

  • https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor
