Dragonforce Exploits Simplehelp To Breach Msp Ecosystems

Published Date: May 28, 2025

Category: ShadowOpsIntel

DragonForce ransomware operators exploited vulnerabilities in the SimpleHelp remote monitoring and management (RMM) tool to breach Managed Service Providers (MSPs) and their downstream clients. By leveraging compromised SimpleHelp instances, attackers deployed ransomware, stole data, and enacted double extortion tactics.

The campaign showcases a textbook example of a supply chain compromise, where one compromised MSP became the attack vector into numerous client environments.

Severity Level: High

THREAT OVERVIEW:

Threat Actor:
- DragonForce – A Ransomware-as-a-Service (RaaS) operation first observed in mid-2023, now rebranded as a “cartel” with a distributed affiliate model. Linked to affiliates such as Scattered Spider (UNC3944).
Initial Access Vector: Weaponized SimpleHelp instances compromised through unpatched vulnerabilities.
Exploited Vulnerabilities:
- CVE-2024-57726 – Privilege Escalation
- CVE-2024-57727 – Path Traversal
- CVE-2024-57728 – Arbitrary File Upload
Malicious installer file was deployed to multiple endpoints using the SimpleHelp RMM.
Attacker used the RMM console to:
- Enumerate devices.
- Harvest configurations and user information.
- Map network relationships within client environments.
Gained elevated access by exploiting CVE-2024-57726, allowing deeper control over client networks.
Exfiltrated sensitive customer and MSP data before launching ransomware. Part of a double extortion strategy to pressure victims into payment.
Deployed ransomware on endpoints across several MSP-managed environments.

MITRE ATT&CK:

Tactic	Technique	ID	Details
Initial Access	Exploit Public-Facing Application	T1190	Exploited SimpleHelp RMM vulnerabilities (CVE-2024-57726/57727/57728)
Persistence	Remote Services	T1021.001	Used SimpleHelp RMM for persistent remote access across MSP networks
Privilege Escalation	Exploitation for Privilege Escalation	T1068	Gained elevated permissions via CVE-2024-57726
Defense Evasion	Valid Accounts	T1078	Used legitimate RMM operator accounts for stealth
Credential Access	Credential Dumping	T1003	Potential enumeration and access to stored credentials via RMM
Discovery	System Network Connections Discovery	T1049	Collected network topology, devices, and users from MSP consoles
Lateral Movement	Remote Services: RMM	T1021.001	Moved laterally using RMM to access multiple client endpoints
Collection	Data from Information Repositories	T1213	Gathered sensitive data from managed networks before ransomware deployment
Exfiltration	Exfiltration Over C2 Channel	T1041	Stolen data was exfiltrated prior to encryption as part of double extortion
Impact	Data Encrypted for Impact	T1486	Encrypted files and systems across victims’ networks

Recommendations:

Apply security updates for affected SimpleHelp installations immediately.
Restrict external access to SimpleHelp and other RMM tools using IP whitelisting and VPN requirements.
Enforce MFA for all RMM interfaces and administrative logins.
Educate MSP personnel and IT administrators on:
• Indicators of RMM abuse
• Social engineering tactics leading to credential theft
Establish third-party risk management policies that enforce:
• Regular security assessments of MSP and vendor tools
• Formal SLAs on patch timelines and incident response
Block the IOCs at their respective controls
https://www.virustotal.com/gui/collection/83e6c8940cf934ca5d8c2910f13b755ba9905775df6ad01c73018b18290d33e7/iocs

Source:

https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.