Recherche : [CVE-2024-57727]

DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers – Sophos News https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/

28/05/2025 16:30:29

Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network

Sophos MDR recently responded to a targeted attack involving a Managed Service Provider (MSP). In this incident, a threat actor gained access to the MSP’s remote monitoring and management (RMM) tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints. The attackers also exfiltrated sensitive data, leveraging a double extortion tactic to pressure victims into paying the ransom.

Sophos MDR has medium confidence the threat actor exploited a chain of vulnerabilities that were released in January 2025:

CVE-2024-57727: Multiple path traversal vulnerabilities
CVE-2024-57728: Arbitrary file upload vulnerability
CVE-2024-57726: Privilege escalation vulnerability
DragonForce
DragonForce ransomware is an advanced and competitive ransomware-as-a-service (RaaS) brand that first emerged in mid-2023. As discussed in recent research from Sophos Counter Threat Unit (CTU), DragonForce began efforts in March to rebrand itself as a “cartel” and shift to a distributed affiliate branding model.

Coinciding with this effort to appeal to a wider range of affiliates, DragonForce recently garnered attention in the threat landscape for claiming to “take over” the infrastructure of RansomHub. Reports also suggest that well-known ransomware affiliates, including Scattered Spider (UNC3944) who was formerly a RansomHub affiliate, have been using DragonForce in attacks targeting multiple large retail chains in the UK and the US.

The incident
Sophos MDR was alerted to the incident by detection of a suspicious installation of a SimpleHelp installer file. The installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by the MSP for their clients. The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections.

One client of the MSP was enrolled with Sophos MDR and had Sophos XDR endpoint protection deployed. Through a combination of behavioral and malware detection and blocking by Sophos endpoint protection and MDR actions to shut down attacker access to the network, thwarting the ransomware and double extortion attempt on that customer’s network. However, the MSP and clients that were not using Sophos MDR were impacted by both the ransomware and data exfiltration. The MSP engaged Sophos Rapid Response to provide digital forensics and incident response on their environment.

DragonForce ransomware abuses SimpleHelp in MSP supply chain attack https://www.bleepingcomputer.com/news/security/dragonforce-ransomware-abuses-simplehelp-in-msp-supply-chain-attack/

28/05/2025 10:14:51

The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.

Sophos was brought in to investigate the attack and believe the threat actors exploited a chain of older SimpleHelp vulnerabilities tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 to breach the system.

SimpleHelp is a commercial remote support and access tool commonly used by MSPs to manage systems and deploy software across customer networks.

The report by Sophos says that the threat actors first used SimpleHelp to perform reconnaissance on customer systems, such as collecting information about the MSP's customers, including device names and configuration, users, and network connections.

The threat actors then attempted to steal data and deploy decryptors on customer networks, which were blocked on one of the networks using Sophos endpoint protection. However, the other customers were not so lucky, with devices encrypted and data stolen for double-extortion attacks.

Sophos has shared IOCs related to this attack to help organizations better defend their networks.

MSPs have long been a valuable target for ransomware gangs, as a single breach can lead to attacks on multiple companies. Some ransomware affiliates have specialized in tools commonly used by MSPs, such as SimpleHelp, ConnectWise ScreenConnect, and Kaseya.

This has led to devastating attacks, including REvil's massive ransomware attack on Kaseya, which impacted over 1,000 companies.

Liens par page

Filtres