Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network
Sophos MDR recently responded to a targeted attack involving a Managed Service Provider (MSP). In this incident, a threat actor gained access to the MSP’s remote monitoring and management (RMM) tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints. The attackers also exfiltrated sensitive data, leveraging a double extortion tactic to pressure victims into paying the ransom.
Sophos MDR has medium confidence the threat actor exploited a chain of vulnerabilities that were released in January 2025:
CVE-2024-57727: Multiple path traversal vulnerabilities
CVE-2024-57728: Arbitrary file upload vulnerability
CVE-2024-57726: Privilege escalation vulnerability
DragonForce
DragonForce ransomware is an advanced and competitive ransomware-as-a-service (RaaS) brand that first emerged in mid-2023. As discussed in recent research from Sophos Counter Threat Unit (CTU), DragonForce began efforts in March to rebrand itself as a “cartel” and shift to a distributed affiliate branding model.
Coinciding with this effort to appeal to a wider range of affiliates, DragonForce recently garnered attention in the threat landscape for claiming to “take over” the infrastructure of RansomHub. Reports also suggest that well-known ransomware affiliates, including Scattered Spider (UNC3944) who was formerly a RansomHub affiliate, have been using DragonForce in attacks targeting multiple large retail chains in the UK and the US.
The incident
Sophos MDR was alerted to the incident by detection of a suspicious installation of a SimpleHelp installer file. The installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by the MSP for their clients. The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections.
One client of the MSP was enrolled with Sophos MDR and had Sophos XDR endpoint protection deployed. Through a combination of behavioral and malware detection and blocking by Sophos endpoint protection and MDR actions to shut down attacker access to the network, thwarting the ransomware and double extortion attempt on that customer’s network. However, the MSP and clients that were not using Sophos MDR were impacted by both the ransomware and data exfiltration. The MSP engaged Sophos Rapid Response to provide digital forensics and incident response on their environment.
The dawn of our fifth year deepens our understanding of the enemies at the gate, and some tensions inside it; plus, an anniversary gift from us to you
The Gootloader malware family uses a distinctive form of social engineering to infect computers: Its creators lure people to visit compromised, legitimate WordPress websites using hijacked Google search results, present the visitors to these sites with a simulated online message board, and link to the malware from a simulated “conversation” where a fake visitor asks a fake site admin the exact question that the victim was searching for an answer to.
Open-source intelligence reveals the server-side code of this pernicious SEO-driven malware – without needing a lawyer afterward
A sudden disruption of a major phishing-as-a-service provider leads to the rise of another…that looks very familiar
Last month, Sophos X-Ops reported several MDR cases where threat actors exploited a vulnerability in Veeam backup servers. We continue to track the activities of this threat cluster, which recently…
The Internet is full of cats—and in this case, malware-delivering fake cat websites used for very targeted search engine optimization.
Sophos X-Ops unveils five-year investigation tracking China-based groups targeting perimeter devices
Familiar ransomware develops an appetite for passwords to third-party sites
Sophos discovers the threat actors behind RansomHub ransomware using EDRKillShifter in attacks
The “Mad Liberator” ransomware group leverages social-engineering moves to watch out for
Sophos Managed Detection and Response initiated a threat hunt across all customers after the detection of abuse of a vulnerable legitimate VMware executable (vmnat.exe) to perform dynamic link library (DLL) side-loading on one customer’s network. In a search for similar incidents in telemetry, MDR ultimately uncovered a complex, persistent cyberespionage campaign targeting a high-profile government organization in Southeast Asia. As described in the first part of this report, we identified at least three distinct clusters of intrusion activity present in the organization’s network from at least March 2023 through December 2023.
The three security threat activity clusters—which we designated as Alpha (STAC1248), Bravo (STAC1870), and Charlie (STAC1305) – are assessed with high confidence to operate on behalf of Chinese state interests. In this continuation of our report, we will provide deeper technical analysis of the three activity clusters, including the tactics, techniques, and procedures (TTPs) used in the campaign, aligned to activity clusters where possible. We also provide additional technical details on prior compromises within the same organization that appear to be connected to the campaign.
Cheap ransomware is being sold for one-time use on dark web forums, allowing inexperienced freelancers to get into cybercrime without any interaction with affiliates.
Researchers at the intelligence unit at the cybersecurity firm Sophos found 19 ransomware varieties being offered for sale or advertised as under development on four forums from June 2023 to February 2024.
First released in May 2023, an EDR killer – and the vulnerable Zemana drivers it leverages – are still of interest to threat actors, along with variants and ported versions
UK-based cybersecurity firm Sophos this week announced patches for an exploited vulnerability in Firewall versions that have reached End-of-Life (EOL).
The critical-severity flaw, tracked as CVE-2022-3236, was found to impact versions 19.0 MR1 (19.0.1) and older of the product. It was originally patched in September 2022, but only in supported versions of Sophos Firewall.
Sophos describes the security defect as a code injection issue in the Firewall’s User Portal and Webadmin components, allowing attackers to achieve remote code execution (RCE).
Sophos was forced to backport a security update for CVE-2022-3236 for end-of-life (EOL) firewall firmware versions after discovering hackers actively exploiting the flaw in attacks.
A social engineering phone call lends authenticity to the attacker’s malicious email
Imagine if you clicked on a harmless-looking image, but an unknown application fired up instead…
The element originally known as “foul air” stinks up computers as a new initial-access campaign exhibiting some uncommon techniques
