DragonForce ransomware operators exploited vulnerabilities in the SimpleHelp remote monitoring and management (RMM) tool to breach Managed Service Providers (MSPs) and their downstream clients. By leveraging compromised SimpleHelp instances, the attackers deployed ransomware, stole data, and carried out double extortion.
The campaign showcases a textbook example of a supply chain compromise, where one compromised MSP became the attack vector into numerous client environments.
Severity Level: High
THREAT OVERVIEW:
- Threat Actor: DragonForce – A Ransomware-as-a-Service (RaaS) operation first observed in mid-2023, now rebranded as a “cartel” with a distributed affiliate model. Linked to affiliates such as Scattered Spider (UNC3944).
- Initial Access Vector: Weaponized SimpleHelp instances compromised through unpatched vulnerabilities.
- Exploited Vulnerabilities:
- CVE-2024-57726 – Privilege Escalation
- CVE-2024-57727 – Path Traversal
- CVE-2024-57728 – Arbitrary File Upload
- Malicious installer file was deployed to multiple endpoints using the SimpleHelp RMM.
- Attacker used the RMM console to:
- Enumerate devices.
- Harvest configurations and user information.
- Map network relationships within client environments.
- Gained elevated access by exploiting CVE-2024-57726, allowing deeper control over client networks.
- Exfiltrated sensitive customer and MSP data before launching ransomware. Part of a double extortion strategy to pressure victims into payment.
- Deployed ransomware on endpoints across several MSP-managed environments.
MITRE ATT&CK:
| Tactic | Technique | ID | Details |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | Exploited SimpleHelp RMM vulnerabilities (CVE-2024-57726/57727/57728) |
| Persistence | Remote Services | T1021.001 | Used SimpleHelp RMM for persistent remote access across MSP networks |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Gained elevated permissions via CVE-2024-57726 |
| Defense Evasion | Valid Accounts | T1078 | Used legitimate RMM operator accounts for stealth |
| Credential Access | Credential Dumping | T1003 | Potential enumeration and access to stored credentials via RMM |
| Discovery | System Network Connections Discovery | T1049 | Collected network topology, devices, and users from MSP consoles |
| Lateral Movement | Remote Services: RMM | T1021.001 | Moved laterally using RMM to access multiple client endpoints |
| Collection | Data from Information Repositories | T1213 | Gathered sensitive data from managed networks before ransomware deployment |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Stolen data was exfiltrated prior to encryption as part of double extortion |
| Impact | Data Encrypted for Impact | T1486 | Encrypted files and systems across victims’ networks |
Recommendations:
- Apply security updates for affected SimpleHelp installations immediately.
- Restrict external access to SimpleHelp and other RMM tools using IP whitelisting and VPN requirements.
- Enforce MFA for all RMM interfaces and administrative logins.
- Educate MSP personnel and IT administrators on:
  • Indicators of RMM abuse
  • Social engineering tactics leading to credential theft
- Establish third-party risk management policies that enforce:
  • Regular security assessments of MSP and vendor tools
  • Formal SLAs on patch timelines and incident response
- Block the IOCs at their respective controls:
https://www.virustotal.com/gui/collection/83e6c8940cf934ca5d8c2910f13b755ba9905775df6ad01c73018b18290d33e7/iocs
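The "indicators of RMM abuse" worth hunting for follow directly from the observed activity above: one operator account enumerating the device estate, then pushing the same installer to many endpoints across several client environments in minutes. The detection sketch below is an added example, not code from the advisory or from SimpleHelp; the audit-log format it parses is constructed for illustration and is not SimpleHelp's real log format.

```python
"""Flag an RMM operator session that enumerates devices and then pushes one
file to many endpoints in a short window (mass installer deployment).
The log format below is CONSTRUCTED for this example, not SimpleHelp's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp|operator|action|target
SAMPLE_LOG = """\
2025-05-20T02:01:10Z|svc-msp-admin|LIST_DEVICES|ALL
2025-05-20T02:01:15Z|svc-msp-admin|EXPORT_CONFIG|ALL
2025-05-20T02:03:02Z|svc-msp-admin|PUSH_FILE:installer.exe|ws-client1-01
2025-05-20T02:03:04Z|svc-msp-admin|PUSH_FILE:installer.exe|ws-client1-02
2025-05-20T02:03:05Z|svc-msp-admin|PUSH_FILE:installer.exe|ws-client2-07
2025-05-20T02:03:09Z|svc-msp-admin|PUSH_FILE:installer.exe|srv-client2-db
2025-05-20T02:03:11Z|svc-msp-admin|PUSH_FILE:installer.exe|ws-client3-11
2025-05-20T09:15:00Z|tech-jane|PUSH_FILE:patch.msi|ws-client1-05
2025-05-20T09:40:00Z|tech-jane|PUSH_FILE:patch.msi|ws-client1-06
"""

PUSH_THRESHOLD = 4              # distinct endpoints receiving the same file ...
WINDOW = timedelta(minutes=10)  # ... within this window, from one operator

def parse(log_text):
    """Parse the constructed format into sorted (ts, operator, action, target)."""
    events = []
    for line in log_text.strip().splitlines():
        ts, operator, action, target = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       operator, action, target))
    return sorted(events)

def find_mass_push(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {operator: (filename, distinct_targets, enumerated_first)} for
    operators pushing one file to >= threshold endpoints inside the window."""
    hits, by_op = {}, defaultdict(list)
    for ts, op, action, target in events:
        by_op[op].append((ts, action, target))
    for op, evs in by_op.items():
        # Device/config enumeration before the push raises confidence
        enumerated = any(a in ("LIST_DEVICES", "EXPORT_CONFIG") for _, a, _ in evs)
        pushes = [(ts, a.split(":", 1)[1], t) for ts, a, t in evs
                  if a.startswith("PUSH_FILE:")]
        for i, (t0, fname, _) in enumerate(pushes):
            targets = {t for ts, f, t in pushes[i:] if f == fname and ts - t0 <= window}
            if len(targets) >= threshold:
                hits[op] = (fname, len(targets), enumerated)
                break
    return hits

if __name__ == "__main__":
    print(find_mass_push(parse(SAMPLE_LOG)))
```

Routine technician activity (two patch pushes half an hour apart) stays below the threshold, while the single account that enumerated the estate and pushed the same installer to five endpoints in nine seconds is flagged; tune the threshold and window to the MSP's normal deployment cadence.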
Source:
- https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/